<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Shared Assessments</title>
	<atom:link href="http://sharedassessments.org/feed/" rel="self" type="application/rss+xml" />
	<link>https://sharedassessments.org/</link>
	<description>The Trusted Source in Third Party Risk Management</description>
	<lastBuildDate>Mon, 01 Dec 2025 18:53:21 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/09/cropped-Favicon-32x32.png</url>
	<title>Shared Assessments</title>
	<link>https://sharedassessments.org/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Quantum Computing &#038; Third-Party Risk: Why TPRM Leaders Need to Prepare Now</title>
		<link>https://sharedassessments.org/blog/quantum-computing-third-party-risk/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Tue, 25 Nov 2025 22:17:46 +0000</pubDate>
				<category><![CDATA[Emerging Technologies]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=81998</guid>

					<description><![CDATA[<p>Quantum computing promises enormous opportunity, but it also accelerates the urgency of rethinking cryptography across your company and its third parties. By beginning the transition now — through inventories, vendor engagement, and roadmap development — TPRM leaders can establish resilience for a quickly approaching post-quantum cryptography (PQC) future. &#160; What is Quantum Computing? Unlike traditional [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/quantum-computing-third-party-risk/">Quantum Computing &#038; Third-Party Risk: Why TPRM Leaders Need to Prepare Now</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>Quantum computing promises enormous opportunity, but it also accelerates the urgency of rethinking cryptography across your company and its third parties. By beginning the transition now — through inventories, vendor engagement, and roadmap development — TPRM leaders can establish resilience for a quickly approaching post-quantum cryptography (PQC) future.</em></p>
<h4><strong>What is Quantum Computing?</strong></h4>
<p>Unlike traditional computers, which process information in binary bits (0s and 1s), quantum computers use qubits. Qubits can represent 0 and 1 simultaneously, enabling quantum machines to solve specific problems far faster than classical computers. This makes quantum machines powerful for fields such as drug discovery, supply chain optimization, and financial modeling.</p>
<p>However, quantum’s most significant impact on risk management stems from its ability to break widely used encryption methods, the very algorithms that protect sensitive data across global networks.</p>
<h4><strong>Why it Matters for TPRM Leaders</strong></h4>
<p>The benefits of quantum computing (faster analysis, advanced simulations, and new scientific breakthroughs) are significant. Yet the risks, particularly those related to cybersecurity, may emerge first.</p>
<p>The need for post-quantum cryptography (PQC) extends across the entire vendor ecosystem; any third party that fails to transition to PQC creates an entry point for adversaries that can compromise your company. As a result, TPRM groups should consider:</p>
<ul>
<li><strong>Vendor Dependencies:</strong> Many third-party solutions, cloud services, financial platforms, and healthcare applications rely on quantum-vulnerable cryptography.</li>
<li><strong>Regulatory Pressure:</strong> NIST and other standards-setting bodies are finalizing PQC algorithms, and companies that delay migration could face compliance gaps and heightened exposure.</li>
<li><strong>Data is at Risk Today:</strong> Adversaries may already be stealing encrypted data through “harvest now, decrypt later” (HNDL) strategies, with the intent to unlock it once quantum capabilities mature.</li>
</ul>
<p>For TPRM leaders, PQC represents a supply chain challenge. The security of your company will depend not only on your readiness, but also on the readiness of your third and fourth parties.</p>
<h4><strong>How to Prepare Your Company</strong></h4>
<p>Early preparation is essential. TPRM leaders should encourage their companies and suppliers to take the following steps now, well before large-scale quantum computers are commercially available:</p>
<h4><strong>Establish Quantum-Readiness Roadmaps</strong></h4>
<ul>
<li>Form cross-functional teams (risk, IT, procurement) to plan for PQC migration.</li>
<li>Build cryptographic inventories to identify systems and vendors that rely on vulnerable algorithms.</li>
<li>Prioritize migration for high-impact systems and critical third parties.</li>
</ul>
<h4><strong>Engage with Vendors and the Supply Chain</strong></h4>
<ul>
<li>Ask technology vendors about their quantum-readiness plans and migration timelines.</li>
<li>Align internal PQC transition strategies with those of critical suppliers.</li>
<li>Evaluate reliance on both commercial and custom-built technologies, ensuring migration pathways exist.</li>
</ul>
<h4><strong>Develop a Practical Assessment Approach</strong></h4>
<p>Incorporate quantum-readiness into supplier assessments by asking questions such as:</p>
<ul>
<li>Have you inventoried all cryptography in use across your systems?</li>
<li>Are you planning a migration to NIST’s PQC finalists (ML-KEM, ML-DSA, SLH-DSA) for encryption, key exchange, and digital signatures?</li>
<li>For symmetric encryption, are you using AES-128 or stronger (preferably AES-256)?</li>
<li>Are you tracking developments in quantum cryptographic threats?</li>
</ul>
<p><em>Shared Assessments is closely monitoring the evolving landscape of quantum computing and its implications for third-party risk management. Through our <a href="https://sharedassessments.org/committees/">AI &amp; Emerging Technology Committee</a>, <a href="https://www.linkedin.com/newsletters/tech-in-focus-7297666243807875072/">Tech in Focus</a> LinkedIn Newsletter, and resources available on our <a href="https://sharedassessments.org/">website</a>, we will continue to explore this critical topic and provide guidance to help our members stay ahead of emerging technology risks.</em></p>
<p>The post <a href="https://sharedassessments.org/blog/quantum-computing-third-party-risk/">Quantum Computing &#038; Third-Party Risk: Why TPRM Leaders Need to Prepare Now</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Types of Vendor Risk and How to Mitigate Them</title>
		<link>https://sharedassessments.org/blog/types-of-vendor-risk-and-mitigation/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Fri, 21 Nov 2025 21:49:42 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Risk Landscape]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=82199</guid>

					<description><![CDATA[<p>Types of Vendor Risk and How to Mitigate Them Vendor partnerships enable organizations to innovate, scale operations, and improve service delivery. Yet these same relationships introduce exposures that can impact operational stability and compliance integrity. When third-party relationships are not properly managed, vulnerabilities can emerge that increase the likelihood of data breaches, regulatory penalties, or [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/types-of-vendor-risk-and-mitigation/">Types of Vendor Risk and How to Mitigate Them</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2><strong>Types of Vendor Risk and How to Mitigate Them</strong></h2>
<p>Vendor partnerships enable organizations to innovate, scale operations, and improve service delivery. Yet these same relationships introduce exposures that can impact operational stability and compliance integrity. When third-party relationships are not properly managed, vulnerabilities can emerge that increase the likelihood of data breaches, regulatory penalties, or service disruptions. Understanding the different types of vendor risk is essential to building a strong, proactive vendor risk management program.</p>
<p>By identifying potential risks early, organizations can strengthen governance practices, negotiate stronger contracts, and implement effective vendor risk monitoring. Shared Assessments supports these efforts through widely adopted tools such as the <a href="https://sharedassessments.org/sig/">Standardized Information Gathering (SIG) Questionnaire</a>, the <a href="https://sharedassessments.org/inherent-risk-rating/">Third Party Service Inherent Risk Rating (TPSIRR)</a>, and the <a href="https://sharedassessments.org/vrmmm/">Vendor Risk Management Maturity Model (VRMMM)</a>. Together, these resources help organizations evaluate vendor risk and mature their overall third-party oversight practices.</p>
<hr />
<h2><strong>Why Understanding the Types of Vendor Risk Matters</strong></h2>
<h4><strong>The Cost of Overlooking Vendor Management Risk</strong></h4>
<p>Vendor management risk is the total exposure that occurs when third-party relationships are poorly governed or inadequately monitored. Without a structured vendor risk assessment, organizations can miss hidden vulnerabilities across their vendor ecosystem, including weak security practices, financial instability, or regulatory gaps.</p>
<p>According to the <a href="https://www.verizon.com/business/resources/reports/dbir/"><strong>Verizon Data Breach Investigations Report (DBIR)</strong></a>, between 30% and 61% of security breaches in 2025 involved third-party vendors, depending on the industry and region. The report highlights that many incidents stem from issues within vendor environments, which can result in data loss, reputational harm, operational disruption, and long-term financial impact. When a critical vendor fails, the effects often extend to customers, supply chains, and core business operations.</p>
<p>Strong oversight, clear contractual requirements, and ongoing monitoring are essential to reducing this exposure. Consistent evaluation of vendor performance helps organizations protect data integrity and maintain business continuity.</p>
<h4><strong>Business Benefits of Vendor Risk Monitoring</strong></h4>
<p>Vendor risk monitoring is not only a compliance requirement, it is a strategic driver of business resilience. Continuous oversight helps organizations:</p>
<ul>
<li>Identify issues early before they affect operations or compliance.</li>
<li>Strengthen vendor accountability with measurable performance indicators.</li>
<li>Improve business continuity through validated backup and contingency plans.</li>
<li>Build trust with regulators, customers, and business partners.</li>
</ul>
<p>When continuous monitoring is built into the vendor risk management process, organizations create an adaptive program that maintains strong protection as vendor relationships change.</p>
<hr />
<h2><strong>The Six Core Types of Vendor Risk</strong></h2>
<p>Every mature vendor risk management (VRM) framework evaluates six foundational risk categories. These categories represent the baseline exposures that organizations should assess, monitor, and mitigate across all vendor relationships.</p>
<h4><strong>1. Cybersecurity Risk</strong></h4>
<p>Cybersecurity is one of the most critical types of vendor risk. Vendors that manage sensitive data or have access to internal systems introduce information security exposures that can lead to breaches, ransomware incidents, or unauthorized access.</p>
<p><strong>Example:</strong> The 2013 Target data breach illustrates the risks of third-party access. Attackers initially compromised a small HVAC vendor that had remote access to Target’s network. This access allowed the attackers to move laterally and eventually exfiltrate payment card data from millions of customers, resulting in financial losses, regulatory fines, and reputational damage.</p>
<p><strong>Mitigation Measures:</strong></p>
<ul>
<li>Require vendors to maintain recognized security certifications such as SOC 2 or ISO 27001.</li>
<li>Conduct comprehensive vendor security assessments using tools like the SIG Questionnaire to evaluate controls, incident response capabilities, and compliance.</li>
<li>Align cybersecurity practices with established frameworks such as the NIST Cybersecurity Framework or CIS Controls.</li>
<li>Implement continuous monitoring to detect new vulnerabilities, misconfigurations, or changes in risk posture.</li>
<li>Encourage close collaboration between security, procurement, and vendor management teams to ensure consistent management of cyber risks across all third-party relationships.</li>
</ul>
<h4><strong>2. Compliance Risk</strong></h4>
<p><span style="font-weight: 400;">Compliance risk arises when vendors fail to meet regulatory requirements such as GDPR, HIPAA, CCPA, or OCC mandates. A single non-compliant vendor can expose an organization to audits, fines, and reputational harm. These are among the most significant </span><span style="font-weight: 400;">risks associated with third party vendors</span><span style="font-weight: 400;">, as compliance failures often extend liability to the contracting organization itself.</span></p>
<p><b>Example:</b><span style="font-weight: 400;"> A cloud vendor mishandles customer data, triggering a regulatory investigation and penalties for both the vendor and client.</span></p>
<p><b>Mitigation Measures:</b></p>
<ul>
<li><span style="font-weight: 400;">Include detailed compliance clauses and audit rights in contracts as part of your vendor risk management program.</span></li>
<li><span style="font-weight: 400;">Conduct due diligence and use VRMMM benchmarking to measure compliance maturity.</span></li>
<li><span style="font-weight: 400;">Require regular reporting on data protection and regulatory risks.</span></li>
<li><span style="font-weight: 400;">Reference the </span><a href="https://www.occ.gov/news-issuances/bulletins/2023/bulletin-2023-17.html"><span style="font-weight: 400;">OCC third-party risk guidance</span></a><span style="font-weight: 400;"> for governance best practices.</span></li>
</ul>
<p><span style="font-weight: 400;">Ongoing oversight ensures vendors maintain consistent adherence to privacy and data security obligations.</span></p>
<h4><strong>3. Operational Risk</strong></h4>
<p><span style="font-weight: 400;">Operational risk occurs when a vendor’s failure disrupts essential business operations. This could result from system outages, process errors, or the inability to deliver critical services</span><span style="font-weight: 400;">.</span></p>
<p><b>Example:</b><span style="font-weight: 400;"> A payment processor outage halts customer transactions for hours, damaging customer trust and revenue.</span></p>
<p><b>Mitigation Measures:</b></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Require business continuity plans (BCP) and disaster recovery testing as part of your vendor risk management process.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Review incident response plans during onboarding and renewal.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Diversify suppliers to reduce concentration in single points of failure.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Use performance metrics to track vendor reliability and risk score over time.</span></li>
</ul>
<p><span style="font-weight: 400;">Strong operational oversight and </span><span style="font-weight: 400;">vendor risk monitoring</span><span style="font-weight: 400;"> maintain continuity and protect against cascading service disruptions, reducing the overall </span><span style="font-weight: 400;">risks associated with third party vendors</span><span style="font-weight: 400;"> within your broader </span><span style="font-weight: 400;">vendor management risk</span><span style="font-weight: 400;"> framework.</span></p>
<h4><strong>4. Reputational Risk</strong></h4>
<p><span style="font-weight: 400;">Reputational risk often results when a vendor’s unethical practices, security failures, or poor labor conditions reflect negatively on your organization. In today’s transparent market, public perception can shift rapidly.</span></p>
<p><b>Example:</b><span style="font-weight: 400;"> A vendor found violating data privacy rules or Environmental, Social, and Governance (ESG) commitments can cause widespread brand backlash.</span></p>
<p><b>Mitigation Measures:</b></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Conduct ESG due diligence and periodic independent audits as part of your vendor risk management framework.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Integrate vendor monitoring solutions that assess reputation metrics and security ratings.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Establish clear escalation protocols for high-risk vendors.</span></li>
</ul>
<p><span style="font-weight: 400;">Consistent </span><span style="font-weight: 400;">vendor risk monitoring</span><span style="font-weight: 400;"> helps detect early warning signs, maintain stakeholder trust, and reduce </span><span style="font-weight: 400;">vendor management risk </span><span style="font-weight: 400;">over time.</span></p>
<h4><strong>5. Financial Risk</strong></h4>
<p><span style="font-weight: 400;">Financial risk arises when vendors lack stability, experience cash flow issues, or face insolvency, jeopardizing contract delivery and long-term service support</span><span style="font-weight: 400;">.</span></p>
<p><b>Example:</b><span style="font-weight: 400;"> A small vendor collapses mid-contract, disrupting a critical supply chain and highlighting one of the overlooked </span><span style="font-weight: 400;">types of vendor risk</span><span style="font-weight: 400;"> organizations must monitor.</span></p>
<p><b>Mitigation Measures:</b></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Conduct credit monitoring and financial health reviews of key suppliers.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Assess vendor’s financial history during onboarding.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Maintain a diverse vendor portfolio to minimize exposure.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Assign financial risk tiers to identify and track high-risk vendors.</span></li>
</ul>
<p><span style="font-weight: 400;">Effective </span><span style="font-weight: 400;">vendor risk monitoring</span><span style="font-weight: 400;"> ensures continuity even when one supplier faces unexpected financial challenges and helps reduce overall </span><span style="font-weight: 400;">risks associated with third party vendors</span><span style="font-weight: 400;">.</span></p>
<h4><strong>6. Strategic Risk</strong></h4>
<p><span style="font-weight: 400;">Strategic risk occurs when a vendor’s goals or business direction diverge from your organization’s strategy. Misalignment can undermine shared objectives and long-term value, making it a critical component of comprehensive vendor risk management and monitoring efforts.</span></p>
<p><b>Example:</b><span style="font-weight: 400;"> A technology vendor exits your industry sector, leaving you with unsupported software and integration issues.</span></p>
<p><b>Mitigation Measures:</b></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Use governance scorecards and KPIs to track strategic alignment.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Include exit strategies and contractual obligations for smooth transitions.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Evaluate vendors during risk assessments for cultural and strategic fit.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Involve senior management in reviewing long-term vendor strategies.</span></li>
</ul>
<p><span style="font-weight: 400;">Embedding this awareness into ongoing </span><span style="font-weight: 400;">vendor risk monitoring</span><span style="font-weight: 400;"> processes ensures early detection of misalignment and reduces exposure to </span><span style="font-weight: 400;">risks associated with third party vendors</span><span style="font-weight: 400;">.</span></p>
<hr />
<h2><strong>Emerging and Evolving Types of Vendor Risk</strong></h2>
<p><span style="font-weight: 400;">Beyond the six foundational categories, organizations are facing new and dynamic challenges that expand the </span><span style="font-weight: 400;">types of vendor risk</span><span style="font-weight: 400;"> they must manage. These emerging threats evolve with global events, regulations, and market dependencies. Addressing them through structured </span><span style="font-weight: 400;">vendor risk monitoring</span><span style="font-weight: 400;"> ensures a more resilient and forward-looking </span><span style="font-weight: 400;">vendor management risk</span><span style="font-weight: 400;"> framework.</span></p>
<h4><strong>Geopolitical and Location Risk</strong></h4>
<p><span style="font-weight: 400;">Geopolitical instability, regional conflicts, and natural disasters can disrupt supply chains and vendor operations without warning.</span></p>
<p><b>Example</b><span style="font-weight: 400;">: The COVID-19 pandemic and regional conflicts exposed the vulnerabilities of single-region sourcing and offshore dependencies, highlighting the </span><span style="font-weight: 400;">risks associated with third party vendors</span><span style="font-weight: 400;"> operating in volatile regions.</span></p>
<p><b>Mitigation Measures:</b></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Diversify suppliers across multiple regions to reduce dependency.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Include business continuity and geographic diversification requirements in contracts.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Conduct periodic risk assessments that factor in local political and environmental conditions.</span></li>
</ul>
<p><span style="font-weight: 400;">Organizations should treat location risk as part of </span><span style="font-weight: 400;">vendor risk monitoring</span><span style="font-weight: 400;"> and business continuity planning rather than a separate contingency.</span></p>
<h4><strong>Concentration Risk</strong></h4>
<p><span style="font-weight: 400;">Concentration risk occurs when too much reliance is placed on a single vendor or small cluster of vendors that deliver critical services. This often overlaps with other </span><span style="font-weight: 400;">types of vendor risk</span><span style="font-weight: 400;">, including operational and financial exposure.</span></p>
<p><b>Example:</b><span style="font-weight: 400;"> Dependence on a single cloud service provider for multiple systems can create a single point of failure if an outage or compromise occurs.</span></p>
<p><b>Mitigation Measures:</b></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Identify overreliance through a vendor risk assessment that maps all vendor relationships.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Implement vendor diversification and establish backup suppliers for essential processes.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Monitor vendor performance and contract renewals to avoid hidden dependencies.</span></li>
</ul>
<p><span style="font-weight: 400;">Reducing concentration improves agility and strengthens the overall </span><span style="font-weight: 400;">vendor management risk</span><span style="font-weight: 400;"> profile of the organization.</span></p>
<h4><strong>ESG and Ethical Risk</strong></h4>
<p><span style="font-weight: 400;">Environmental, Social, and Governance (ESG) standards are now central to sustainable vendor management. Vendors that engage in unethical or non-compliant practices create reputational risks and regulatory exposure.</span></p>
<p><b>Example:</b><span style="font-weight: 400;"> A vendor found using forced labor or violating environmental regulations can cause legal and brand damage to all associated business partners.</span></p>
<p><b>Mitigation Measures:</b></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Require suppliers to adhere to ESG policies and codes of conduct.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Use ESG scorecards and third-party monitoring to track compliance.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Conduct due diligence during onboarding and renewals to verify ethical practices and prevent future </span><span style="font-weight: 400;">vendor management risk</span><span style="font-weight: 400;">.</span></li>
</ul>
<p><span style="font-weight: 400;">Embedding ESG oversight into </span><span style="font-weight: 400;">vendor risk monitoring</span><span style="font-weight: 400;"> helps organizations align operational resilience with corporate responsibility.</span></p>
<hr />
<h2><strong>Tools and Frameworks for Vendor Risk Monitoring</strong></h2>
<p><span style="font-weight: 400;">Continuous oversight requires both structure and scalability. Shared Assessments offers industry-recognized tools that help organizations operationalize vendor risk management (VRM) and maintain oversight throughout the vendor lifecycle.</span></p>
<h4><strong>Industry-Recognized Tools</strong></h4>
<ul>
<li style="font-weight: 400;" aria-level="1"><b><a href="https://sharedassessments.org/sig/">Standardized Information Gathering (SIG) Questionnaire</a>: </b><span style="font-weight: 400;">The SIG enables consistent evaluation of vendors’ cybersecurity, compliance, and operational controls. It provides detailed insights into security practices, helping risk teams assess and compare vendors efficiently.</span></li>
<li style="font-weight: 400;" aria-level="1"><b><a href="https://sharedassessments.org/inherent-risk-rating/">Third Party Service Inherent Risk Rating (TPSIRR)</a>: </b><span style="font-weight: 400;">The TPSIRR helps identify and prioritize vendors based on their exposure level and business impact. By defining risk categories early, organizations can apply the right level of due diligence to high-risk vendors.</span></li>
<li style="font-weight: 400;" aria-level="1"><b><a href="https://sharedassessments.org/vrmmm/">Vendor Risk Management Maturity Model (VRMMM)</a>: </b><span style="font-weight: 400;">The VRMMM benchmarks a company’s third-party risk management maturity across governance, oversight, and monitoring. It helps senior management identify gaps and create a roadmap toward a more robust program.</span></li>
</ul>
<hr />
<h2><strong>Conclusion: Building Resilient Vendor Relationships</strong></h2>
<p><span style="font-weight: 400;">Understanding and addressing the </span><span style="font-weight: 400;">types of vendor risk</span><span style="font-weight: 400;"> is essential for building a secure and sustainable vendor ecosystem. A mature vendor risk management program not only reduces exposure but also strengthens trust, compliance, and operational stability.</span></p>
<p><span style="font-weight: 400;">Shared Assessments provides proven frameworks and tools to help organizations achieve this resilience. Explore the SIG Questionnaire, Inherent Risk Rating, and VRMMM to advance your vendor oversight and protect against the evolving landscape of third-party risk. </span><span style="font-weight: 400;">Explore <a href="https://sharedassessments.org/membership/">membership</a> to access peer insights and program maturity resources.</span></p>
<hr />
<h2><strong>FAQs on Types of Vendor Risk</strong></h2>
<h4><strong>What are the main types of vendor risk?</strong></h4>
<p><span style="font-weight: 400;">The six primary categories are cybersecurity, compliance, operational, reputational, financial, and strategic risk. Each should be continuously assessed and mitigated through structured vendor risk management practices.</span></p>
<h4><strong>What emerging risks should organizations monitor?</strong></h4>
<p><span style="font-weight: 400;">In addition to the core six, organizations should track geopolitical, concentration, and ESG or ethical risks. These are gaining attention among regulators and industry leaders as critical components of third-party risk management.</span></p>
<h4><strong>Why is vendor risk monitoring important?</strong></h4>
<p><span style="font-weight: 400;">Continuous monitoring identifies risks associated with third-party vendors in real time, allowing organizations to take corrective action before small issues cause significant harm.</span></p>
<h4><strong>How can organizations mitigate vendor management risk?</strong></h4>
<p><span style="font-weight: 400;">Mitigation requires layered actions: risk assessments, inherent risk ratings, contract clauses, continuous monitoring, and the use of tools like the SIG Questionnaire and VRMMM.</span></p>
<h4><strong>How often should vendor risks be assessed?</strong></h4>
<p><span style="font-weight: 400;">Organizations should conduct onboarding assessments for all vendors, perform full reviews annually, and carry out quarterly reviews for high-risk vendors or those providing critical services.</span></p>
<p>The post <a href="https://sharedassessments.org/blog/types-of-vendor-risk-and-mitigation/">Types of Vendor Risk and How to Mitigate Them</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>SIG EV: The Cloud-Based Evolution of the SIG for Modern TPRM Teams</title>
		<link>https://sharedassessments.org/blog/sig-ev-coming-soon/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Fri, 07 Nov 2025 23:25:02 +0000</pubDate>
				<category><![CDATA[Shared Assessments]]></category>
		<category><![CDATA[Tools and Products]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=81898</guid>

					<description><![CDATA[<p>Introducing the Next Evolution of the SIG SIG EV: A Cloud-Based Platform for Modern TPRM Teams For nearly two decades, the Standardized Information Gathering (SIG) Questionnaire has set the benchmark for third-party risk assessments. Trusted by organizations across every industry, the SIG has streamlined due diligence, strengthened vendor oversight, and unified the language of risk. [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/sig-ev-coming-soon/">SIG EV: The Cloud-Based Evolution of the SIG for Modern TPRM Teams</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h1>Introducing the Next Evolution of the SIG</h1>
<h3>SIG EV: A Cloud-Based Platform for Modern TPRM Teams</h3>
<p>For nearly two decades, the <a href="https://sharedassessments.org/sig/">Standardized Information Gathering (SIG) Questionnaire</a> has set the benchmark for third-party risk assessments. Trusted by organizations across every industry, the SIG has streamlined due diligence, strengthened vendor oversight, and unified the language of risk.</p>
<p>Now, Shared Assessments is taking the next major step forward—transforming the gold standard in third-party risk assessments into a secure, cloud-based Software-as-a-Service (SaaS) platform designed for today’s fast-moving Third-Party Risk Management (TPRM) teams.</p>
<div style="display: flex; align-items: center; justify-content: center; gap: 3px; flex-wrap: wrap; margin: 3px 0;">
<div style="flex: 1; min-width: 320px; max-width: 450px; text-align: center;"><img decoding="async" style="width: 100%; height: auto; border-radius: 8px;" src="https://sharedassessments.org/wp-content/uploads/sa-uploads/2025/11/SIG-EV-1.png" alt="SIG EV" /></div>
</div>
<h4>From Excel to SaaS: Simplifying the Assessment Experience</h4>
<p>The SIG Workbook has long provided unmatched flexibility and depth—but managing complex Excel files, version control, and macros can slow down even the most efficient programs. The new SaaS-based SIG eliminates those challenges by bringing the full power of the SIG into a modern, intuitive web interface.</p>
<p>From creating and comparing assessments to grading responses and generating reports, the new platform provides a clean, easy-to-use environment that simplifies every step.</p>
<h4>Key Capabilities</h4>
<p>The first release, targeted for early 2026, delivers the essential features TPRM teams need to accelerate and modernize their workflows, while laying the foundation for future automation and integrations.</p>
<p><strong>✔ Intuitive Web Interface: </strong>Create, compare, and grade assessments through a guided, browser-based workflow that keeps everything organized and accessible.</p>
<p><strong>✔ Collaboration Made Simple: </strong>Securely distribute assessments to vendors or suppliers using one-time access links with automatic expiry—no portal required.</p>
<p><strong>✔ Dashboard Visibility: </strong>Monitor assessment status, overdue responses, and grading progress in real time with built-in dashboards and analytics.</p>
<p><strong>✔ Streamlined Validation: </strong>Upload, compare, and verify vendor responses directly within the platform.</p>
<p><strong>✔ Role-Based Access and SSO: </strong>Ensure appropriate access for every role—from Operations Managers to Compliance Reviewers—backed by Single Sign-On through the Shared Assessments website.</p>
<h4>Built for Security and Scalability</h4>
<p>The SaaS SIG is hosted on <strong>Microsoft Azure</strong>, configured to meet Shared Assessments’ strict internal security and IT standards. It also integrates seamlessly with internal BI dashboards, Google Analytics, and the SIG API for licensed content distribution—ensuring both security and scalability from day one.</p>
<h4>A Foundation for the Future</h4>
<p>While the SIG EV v1 focuses on core functionality, it sets the stage for expanded capabilities in future releases, including full vendor portals, advanced workflow automation, and direct GRC platform integrations.</p>
<p>This evolution marks the beginning of a new era for Shared Assessments members—one where assessments are easier to build, faster to complete, and smarter through AI-enabled insights.</p>
<h4>Stay Tuned &amp; Connected</h4>
<p>SIG EV will enter its beta-testing phase in December, with full availability expected in <strong>early 2026</strong>. Stay tuned for updates, previews, and opportunities to experience the platform firsthand.</p>
<p>Shared Assessments is proud to continue its mission: empowering organizations to assess, manage, and mitigate third-party risk—now with the power, speed, and intelligence of the cloud.</p>
<p>The post <a href="https://sharedassessments.org/blog/sig-ev-coming-soon/">SIG EV: The Cloud-Based Evolution of the SIG for Modern TPRM Teams</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>NIST vs. ISO: What’s the Difference?</title>
		<link>https://sharedassessments.org/blog/nist-vs-iso/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Tue, 28 Oct 2025 23:48:07 +0000</pubDate>
				<category><![CDATA[Framework, Industry Guidance, and Regulations]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=76862</guid>

					<description><![CDATA[<p>NIST vs. ISO: Key Differences and Choosing the Right Framework Cybersecurity frameworks are the foundation of effective risk management. They help organizations protect sensitive data, maintain compliance, and build trust with stakeholders. Two of the most widely recognized are NIST (National Institute of Standards and Technology) and ISO (International Organization for Standardization). While both provide [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/nist-vs-iso/">NIST vs. ISO: What’s the Difference?</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2 data-start="258" data-end="327"><strong data-start="261" data-end="327">NIST vs. ISO: Key Differences and Choosing the Right Framework</strong></h2>
<p data-start="329" data-end="666">Cybersecurity frameworks are the foundation of effective risk management. They help organizations protect sensitive data, maintain compliance, and build trust with stakeholders. Two of the most widely recognized are <strong data-start="545" data-end="553">NIST</strong> (National Institute of Standards and Technology) and <strong data-start="607" data-end="614">ISO</strong> (International Organization for Standardization).</p>
<p data-start="668" data-end="898">While both provide structured approaches to managing cybersecurity risk, they differ in scope, applicability, and implementation. Understanding these differences is essential to selecting the right framework for your organization.</p>
<p data-start="900" data-end="1139">According to a <a href="https://www.perforce.com/press-releases/delphix-state-data-compliance-and-security-report-reveals"><em data-start="915" data-end="925">Perforce</em> </a>study, <strong data-start="933" data-end="1004">54% of organizations experience data breaches due to non-compliance</strong>. Choosing the right framework and applying it consistently can help reduce this risk and strengthen your overall security posture.</p>
<hr />
<h2 data-start="1146" data-end="1188"><strong data-start="1149" data-end="1188">Overview of NIST and ISO Frameworks</strong></h2>
<h4 data-start="1190" data-end="1253"><strong data-start="1194" data-end="1251">NIST (National Institute of Standards and Technology)</strong></h4>
<p data-start="1254" data-end="1490">NIST is a U.S. government agency that develops standards and best practices to improve cybersecurity across both federal and private-sector organizations. Its frameworks are known for being detailed, prescriptive, and highly actionable.</p>
<p data-start="1492" data-end="1519"><strong data-start="1492" data-end="1519">Common NIST Frameworks:</strong></p>
<ul>
<li data-start="1522" data-end="1603"><strong data-start="1522" data-end="1538">NIST 800-53:</strong> Security and privacy controls for federal information systems.</li>
<li data-start="1606" data-end="1705"><strong data-start="1606" data-end="1623">NIST 800-171:</strong> Protection of Controlled Unclassified Information (CUI) in non-federal systems.</li>
<li data-start="1708" data-end="1838"><strong data-start="1708" data-end="1747">NIST Cybersecurity Framework (CSF):</strong> A voluntary guide to help organizations assess and improve their cybersecurity programs.</li>
</ul>
<p data-start="1840" data-end="2005">Together, these frameworks form a comprehensive toolkit for managing cyber risk, whether an organization operates within the federal ecosystem or the private sector.</p>
<h4 data-start="2012" data-end="2074"><strong data-start="2016" data-end="2072">ISO (International Organization for Standardization)</strong></h4>
<p data-start="2075" data-end="2309">ISO develops globally recognized standards that provide a flexible, principle-based approach to information security. These frameworks focus on establishing repeatable, risk-based processes that can adapt to any industry or geography.</p>
<p data-start="2311" data-end="2333"><strong data-start="2311" data-end="2333">Key ISO Standards:</strong></p>
<ul>
<li data-start="2336" data-end="2414"><strong data-start="2336" data-end="2350">ISO 27001:</strong> Establishes an Information Security Management System (ISMS).</li>
<li data-start="2417" data-end="2506"><strong data-start="2417" data-end="2431">ISO 27002:</strong> Offers best practices for implementing security controls within an ISMS.</li>
</ul>
<p data-start="2508" data-end="2627">ISO standards are ideal for organizations seeking a consistent, globally accepted approach to cybersecurity governance.</p>
<hr />
<h2 data-start="2634" data-end="2677"><strong data-start="2637" data-end="2677">Key Differences Between NIST and ISO</strong></h2>
<div class="_tableContainer_1rjym_1"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-81689" src="https://sharedassessments.org/wp-content/uploads/sa-uploads/2025/10/NIST-vs-ISO-Chart.png" alt="" width="1361" height="373" srcset="https://sharedassessments.org/wp-content/uploads/sa-uploads/2025/10/NIST-vs-ISO-Chart.png 1361w, https://sharedassessments.org/wp-content/uploads/sa-uploads/2025/10/NIST-vs-ISO-Chart-1280x351.png 1280w, https://sharedassessments.org/wp-content/uploads/sa-uploads/2025/10/NIST-vs-ISO-Chart-980x269.png 980w, https://sharedassessments.org/wp-content/uploads/sa-uploads/2025/10/NIST-vs-ISO-Chart-480x132.png 480w" sizes="(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) and (max-width: 1280px) 1280px, (min-width: 1281px) 1361px, 100vw" /></div>
<p data-start="3206" data-end="3332">Both frameworks aim to reduce cyber risk — NIST through detailed implementation, and ISO through flexible, scalable standards.</p>
<h4 data-start="3339" data-end="3399"><strong data-start="3342" data-end="3399">NIST Cybersecurity Framework (CSF) and Maturity Model</strong></h4>
<p data-start="3401" data-end="3634">The <strong data-start="3405" data-end="3443">NIST Cybersecurity Framework (CSF)</strong> helps organizations identify, protect, detect, respond to, and recover from cyber threats. It also includes a <strong data-start="3554" data-end="3572">Maturity Model</strong> that defines the progression toward cybersecurity resilience:</p>
<ul>
<li data-start="3638" data-end="3699"><strong data-start="3638" data-end="3660">Partial (Initial):</strong> Reactive, ad hoc security practices.</li>
<li data-start="3702" data-end="3766"><strong data-start="3702" data-end="3720">Risk-Informed:</strong> Some risk management processes established.</li>
<li data-start="3769" data-end="3830"><strong data-start="3769" data-end="3784">Repeatable:</strong> Policies and controls are consistently applied.</li>
<li data-start="3833" data-end="3909"><strong data-start="3833" data-end="3858">Adaptive (Optimized):</strong> Continuous improvement and proactive resilience.</li>
</ul>
<p data-start="3911" data-end="4025">Advancing through these maturity levels enables organizations to strengthen their cybersecurity posture over time.</p>
<h4 data-start="4032" data-end="4067"><strong data-start="4035" data-end="4067">Achieving NIST CSF Alignment</strong></h4>
<p data-start="4069" data-end="4114">To align with NIST CSF, organizations should:</p>
<ol>
<li data-start="4118" data-end="4191"><strong data-start="4118" data-end="4158">Assess current cybersecurity posture</strong> – Identify strengths and gaps.</li>
<li data-start="4195" data-end="4275"><strong data-start="4195" data-end="4229">Implement recommended controls</strong> – Apply NIST guidance across key functions.</li>
<li data-start="4279" data-end="4358"><strong data-start="4279" data-end="4315">Continuously monitor and improve</strong> – Maintain resilience as threats evolve.</li>
</ol>
<hr data-start="4360" data-end="4363" />
<h2 data-start="4365" data-end="4399"><strong data-start="4368" data-end="4399">When to Choose NIST vs. ISO</strong></h2>
<p data-start="4401" data-end="4424"><strong data-start="4401" data-end="4424">Choose NIST if you:</strong></p>
<ul>
<li data-start="4427" data-end="4489">Operate primarily in the U.S. or work with federal agencies.</li>
<li data-start="4492" data-end="4543">Require detailed, prescriptive security guidance.</li>
<li data-start="4546" data-end="4621">Handle Controlled Unclassified Information (CUI) or other regulated data.</li>
</ul>
<p data-start="4623" data-end="4645"><strong data-start="4623" data-end="4645">Choose ISO if you:</strong></p>
<ul>
<li data-start="4648" data-end="4702">Operate globally and need international recognition.</li>
<li data-start="4705" data-end="4747">Prefer a flexible, risk-based framework.</li>
<li data-start="4750" data-end="4825">Seek ISO 27001 certification for credibility with customers and partners.</li>
</ul>
<p data-start="4827" data-end="4936">Many organizations integrate both frameworks — using NIST for technical rigor and ISO for global consistency.</p>
<hr />
<h2 data-start="4943" data-end="5001"><strong data-start="4946" data-end="5001">How Shared Assessments Supports Framework Alignment</strong></h2>
<p data-start="5003" data-end="5174">Managing multiple frameworks can be complex. Shared Assessments provides the tools and expertise to help organizations navigate compliance efficiently and confidently.</p>
<ul>
<li data-start="5176" data-end="5240"><a href="https://sharedassessments.org/sig/"><strong data-start="5180" data-end="5238">Standardized Information Gathering (SIG) Questionnaire: </strong></a>The SIG maps to NIST, ISO, HIPAA, GDPR, and other leading standards, streamlining third-party risk assessments. Updated annually, it covers 21 Critical Risk Domains, ensuring comprehensive coverage of cybersecurity, compliance, and operational risk.</li>
<li data-start="5504" data-end="5535"><a href="https://sharedassessments.org/paper/guide-to-risk-domains/"><strong data-start="5508" data-end="5533">Guide to Risk Domains: </strong></a>An essential resource outlining the 21 domains organizations must assess to maintain robust cybersecurity and compliance programs.</li>
<li data-start="5504" data-end="5535"><a href="https://sharedassessments.org/ctprp/"><strong data-start="5672" data-end="5737">Certified Third Party Risk Professional (CTPRP) Certification: </strong></a>The CTPRP helps risk professionals deepen their expertise in third-party risk management and stay current in an evolving regulatory landscape.</li>
<li data-start="5504" data-end="5535"><a href="https://sharedassessments.org/papers-and-studies/"><strong data-start="5892" data-end="5929">Collaborative Industry Thought Leadership: </strong></a>Through our <a href="https://sharedassessments.org/committees/">committees</a>, working groups, and resources, Shared Assessments connects industry leaders to advance best practices in third-party risk management.</li>
</ul>
<hr data-start="6091" data-end="6094" />
<h2 data-start="6096" data-end="6141"><strong data-start="6099" data-end="6141">Building Resilience Through Frameworks</strong></h2>
<p data-start="6143" data-end="6397">Compliance isn’t just about meeting requirements; it’s about building resilience and trust. Whether your organization aligns with NIST, ISO, or both, Shared Assessments can help you strengthen your cybersecurity and risk management strategies.</p>
<p data-start="6399" data-end="6566"><a href="https://sharedassessments.org/contact-us/"><strong data-start="6428" data-end="6453">Connect with our team</strong></a> to learn how Shared Assessments can support your organization in achieving robust, framework-aligned compliance.</p>
<p>The post <a href="https://sharedassessments.org/blog/nist-vs-iso/">NIST vs. ISO: What’s the Difference?</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Essential Guide to Effective Third-Party Due Diligence Practices</title>
		<link>https://sharedassessments.org/blog/third-party-due-diligence/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Tue, 28 Oct 2025 23:00:33 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=75633</guid>

					<description><![CDATA[<p>Essential Guide to Third-Party Due Diligence Modern organizations operate through a complex web of vendors, suppliers, contractors, and service providers. These partnerships enable innovation, efficiency, and growth, but they also expose companies to new layers of risk that can affect finances, reputation, and regulatory standing. That is why third-party due diligence is essential. A structured [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/third-party-due-diligence/">Essential Guide to Effective Third-Party Due Diligence Practices</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2 class="p1"><b>Essential Guide to Third-Party Due Diligence</b></h2>
<p class="p1">Modern organizations operate through a complex web of vendors, suppliers, contractors, and service providers. These partnerships enable innovation, efficiency, and growth, but they also expose companies to new layers of risk that can affect finances, reputation, and regulatory standing.</p>
<p class="p1">That is why third-party due diligence is essential. A structured due diligence program helps organizations identify and address legal, operational, and cybersecurity risks before they escalate. This guide outlines the key elements of third-party due diligence, best practices for implementation, and how <a href="https://sharedassessments.org/"><span class="s1">Shared Assessments</span></a> can help strengthen your approach to effective Third-Party Risk Management (TPRM).</p>
<hr />
<h2 class="p1"><b>What is Third-Party Due Diligence?</b></h2>
<p class="p1">Third-party due diligence is the process of evaluating external vendors, partners, or suppliers to assess potential risks before and during a business relationship.</p>
<p class="p1">Organizations perform third-party due diligence to meet regulatory expectations, manage reputational exposure, and safeguard data. Regulations such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Anti-Money Laundering (AML) laws require companies to know who they’re doing business with.</p>
<p class="p1">The Foreign Corrupt Practices Act (FCPA) adds another layer of scrutiny as data show that roughly 90% of FCPA enforcement actions involve third-party intermediaries such as agents or distributors (<a href="https://www.whitecase.com/insight-our-thinking/2023-global-compliance-third-party-management"><span class="s1">White &amp; Case Global Survey</span></a>). This highlights the importance of thoroughly vetting and continuously monitoring third-party relationships.</p>
<p class="p1">Beyond compliance, due diligence helps protect brand reputation and customer trust by identifying unethical practices early and ensuring vendors maintain strong cybersecurity standards. A structured due diligence program reduces financial losses, regulatory penalties, and operational disruptions.</p>
<hr />
<h2 class="p1"><b>Understanding Third-Party Risks</b></h2>
<p class="p1">Third-party risks refer to the potential threats and vulnerabilities that arise from a company’s relationships with external vendors, suppliers, and partners. These risks can significantly impact a company’s reputation, financial stability, and compliance with regulatory requirements. Understanding third-party risks is crucial for effective risk management and mitigation.</p>
<p class="p1">There are several types of third-party risks, including:</p>
<ul class="ul1">
<li class="li1"><b>Cybersecurity risks:</b> The risk of a data breach or cyber attack through a third-party vendor or supplier. With increasing cyber threats, ensuring that third parties have robust cybersecurity measures is essential.</li>
<li class="li1"><b>Compliance risks:</b> The risk of non-compliance with regulatory requirements, such as anti-money laundering (AML) and know-your-customer (KYC) regulations. Non-compliance can lead to severe penalties and legal issues.</li>
<li class="li1"><b>Operational risks:</b> The risk of disruptions to business operations due to third-party failures or inefficiencies. This can affect the supply chain and overall business continuity.</li>
<li class="li1"><b>Reputational risks:</b> The risk of damage to a company’s reputation due to third-party actions or behaviors. Negative publicity or unethical practices by third parties can tarnish a company’s image.</li>
</ul>
<p class="p1">To manage third-party risks, companies should implement a robust due diligence process that includes:</p>
<ul class="ul1">
<li class="li1">Conducting thorough background checks on third-party vendors and suppliers.</li>
<li class="li1">Assessing the third party’s business relationships and potential conflicts of interest.</li>
<li class="li1">Evaluating the third party’s compliance with regulatory requirements.</li>
<li class="li1">Monitoring the third party’s cybersecurity practices and protocols.</li>
<li class="li1">Establishing clear contractual obligations and expectations.</li>
</ul>
<p class="p1">By understanding and addressing these risks, companies can protect their assets, maintain regulatory compliance, and safeguard their reputation.</p>
<hr />
<h2 class="p1"><b>Key Objectives of Third-Party Due Diligence</b></h2>
<p class="p1">The primary goals of third-party due diligence include:</p>
<ul class="ul1">
<li class="li1"><b>Protect company assets and reputation</b> by avoiding relationships with unethical or financially unstable vendors.</li>
<li class="li1"><b>Ensure regulatory compliance</b> across global and industry-specific standards.</li>
<li class="li1"><b>Reduce cybersecurity risks</b> through ongoing evaluation of vendors’ security measures.</li>
</ul>
<p class="p1">Failing to conduct proper due diligence can result in legal liabilities, financial losses, and regulatory penalties, making it an essential part of any risk management strategy.</p>
<hr />
<h2 class="p1"><b>Key Components of an Effective Due Diligence Process</b></h2>
<p class="p1">An effective third-party due diligence process begins with identifying and assessing prospective third parties before forming business relationships. It typically includes the following components:</p>
<h4 class="p1"><strong>Risk Assessment</strong></h4>
<p class="p1">Before engaging with a third party, organizations must determine the level of risk associated with the relationship. Companies can:</p>
<ul class="ul1">
<li class="li1">Categorize vendors based on risk factors (e.g., financial stability, regulatory compliance, cybersecurity measures).</li>
<li class="li1">Use risk matrices and frameworks to prioritize due diligence efforts based on risk exposure, including understanding a third party&#8217;s business relationships to assess potential conflicts of interest.</li>
<li class="li1">Implement risk tiering, since higher-risk vendors require deeper investigation and ongoing monitoring.</li>
</ul>
<h4 class="p1"><b>Background Checks and Continuous Monitoring</b></h4>
<p class="p1">Conducting background checks ensures that vendors have a strong financial and legal standing. This includes:</p>
<ul class="ul1">
<li class="li1">Financial health assessments to evaluate solvency and stability.</li>
<li class="li1">Legal history reviews to identify any past litigations, sanctions, or compliance violations.</li>
<li class="li1">Ongoing monitoring to detect emerging risks and ensure continued compliance.</li>
</ul>
<h4 class="p1"><b>Assessing Data Security and Privacy</b></h4>
<p class="p1">With cyber threats on the rise, companies must ensure that third parties adhere to strict data security and privacy standards. A due diligence process should include:</p>
<ul class="ul1">
<li class="li1">Evaluating vendors’ data encryption and access control policies.</li>
<li class="li1">Ensuring compliance with GDPR, CCPA, NIST, ISO, HIPAA, or other relevant regulations and frameworks.</li>
<li class="li1">Assessing incident response plans to determine how vendors handle cybersecurity threats.</li>
</ul>
<h4 class="p1"><b>Compliance with Regulatory Standards</b></h4>
<p class="p1">Organizations operate under a variety of legal and regulatory obligations, and it’s essential that third parties meet the same standards. Key examples include:</p>
<ul class="ul1">
<li class="li1"><b>General Data Protection Regulation (GDPR):</b> Protects personal data privacy in the European Union.</li>
<li class="li1"><b>California Consumer Privacy Act (CCPA):</b> Safeguards consumer data in California.</li>
<li class="li1"><b>Anti-Money Laundering (AML) laws:</b> Prevent financial crimes and fraudulent transactions.</li>
<li class="li1"><b>Industry standards and frameworks:</b> Guidelines such as <b>NIST</b> and <b>ISO</b> help define best practices for cybersecurity, risk management, and operational resilience.</li>
</ul>
<p class="p1">By incorporating these requirements into your due diligence process, you ensure that vendors and partners operate ethically, securely, and in compliance with applicable laws and standards to reduce legal, operational, and reputational risk.</p>
<hr />
<h2 class="p1"><b>Building a Due Diligence Program</b></h2>
<p class="p1">A due diligence program is a systematic process for evaluating and managing third-party risks. Building a due diligence program requires a structured approach that includes the following steps:</p>
<ol class="ol1">
<li class="li1"><b>Define the scope of the program:</b> Identify the types of third-party relationships that require due diligence. This includes vendors, suppliers, contractors, and other business partners.</li>
<li class="li1"><b>Establish a risk-based approach:</b> Assess the level of risk associated with each third-party relationship. Higher-risk third parties may require enhanced due diligence.</li>
<li class="li1"><b>Develop a due diligence framework:</b> Create a framework for evaluating third-party risks, including criteria for assessment and evaluation. This framework should be standardized to ensure consistency.</li>
<li class="li1"><b>Conduct due diligence:</b> Gather and analyze information about the third-party vendor or supplier. This includes financial reviews, compliance checks, and cybersecurity assessments.</li>
<li class="li1"><b>Evaluate and mitigate risks:</b> Assess the risks identified during the due diligence process and implement mitigation strategies. This may involve negotiating contract terms or requiring additional safeguards.</li>
<li class="li1"><b>Monitor and review:</b> Continuously monitor the third-party relationship and review the due diligence process to ensure its effectiveness. Regular audits and updates to the due diligence program are essential.</li>
</ol>
<p class="p1">A due diligence program should also include the following components:</p>
<ul class="ul1">
<li class="li1">A clear policy and procedure for due diligence.</li>
<li class="li1">A risk assessment framework.</li>
<li class="li1">A due diligence questionnaire or template.</li>
<li class="li1">A process for evaluating and mitigating risks.</li>
<li class="li1">A system for monitoring and reviewing third-party relationships.</li>
</ul>
<hr />
<h2 class="p1"><b>Best Practices for Conducting Third-Party Due Diligence</b></h2>
<p class="p1">Building an effective due diligence program requires structure, collaboration, and ongoing attention. Key best practices include:</p>
<p class="p1"><b>1. Standardize Your Framework</b><br />
Use a consistent approach to assess every third-party relationship. This can include risk scoring, compliance checklists, and automated monitoring tools to ensure no critical steps are overlooked.</p>
<p class="p1"><b>2. Leverage Technology</b><br />
Automation can save time and improve accuracy. Real-time risk assessments, automated compliance checks, and continuous monitoring help reduce manual errors and administrative burden. Utilize tools like the <a href="https://sharedassessments.org/products/"><span class="s1"><b>Shared Assessments TPRM Product Suite </b></span></a>to streamline these processes and improve overall risk visibility.</p>
<p class="p1"><b>3. Collaborate Across Teams</b><br />
Due diligence is most effective when multiple departments contribute their expertise. Legal, compliance, risk management, and IT/cybersecurity teams should all be involved in evaluating contracts, regulatory obligations, and data security practices.</p>
<p class="p1"><b>4. Review and Update Regularly</b><br />
Risk and regulatory landscapes evolve quickly. Regularly reassess vendors, update policies, and conduct audits to ensure your due diligence program remains effective and compliant.</p>
<p class="p1">Taking these steps ensures that your organization can identify potential risks early, protect sensitive data, and maintain compliance across the board.</p>
<hr />
<h2 class="p1"><b>Overcoming Challenges in Due Diligence</b></h2>
<p class="p1">Due diligence can be a challenging and time-consuming process, especially when dealing with complex third-party relationships. Some common challenges include:</p>
<ul class="ul1">
<li class="li1"><b>Limited resources:</b> Insufficient resources, including time, budget, and personnel, can hinder the due diligence process. Companies may struggle to allocate the necessary resources to conduct thorough evaluations.</li>
<li class="li1"><b>Complexity:</b> Complex third-party relationships can make it difficult to identify and mitigate risks. Multiple layers of subcontractors and global operations add to the complexity.</li>
<li class="li1"><b>Lack of transparency:</b> Limited visibility into third-party operations and practices can make it challenging to conduct effective due diligence. Third parties may be reluctant to share detailed information.</li>
<li class="li1"><b>Regulatory requirements:</b> Evolving regulatory requirements can create challenges for companies seeking to comply with due diligence obligations. Keeping up with changes in laws and regulations requires continuous effort.</li>
</ul>
<p class="p1">To overcome these challenges, companies can consider the following strategies:</p>
<ul class="ul1">
<li class="li1"><b>Leveraging technology:</b> Utilizing technology, such as automation tools and data analytics, to streamline the due diligence process. Technology can help manage large volumes of data and provide real-time insights.</li>
<li class="li1"><b>Outsourcing:</b> Outsourcing due diligence to specialized third-party providers. External experts can offer additional resources and expertise.</li>
<li class="li1"><b>Collaboration:</b> Collaborating with other stakeholders, including business owners and risk managers, to share knowledge and expertise. A collaborative approach ensures a comprehensive evaluation of third-party risks.</li>
<li class="li1"><b>Training and awareness:</b> Providing training and awareness programs for employees on due diligence best practices. Educating employees on the importance of due diligence and how to conduct it effectively is crucial.</li>
</ul>
<hr />
<h2 class="p1"><b>Driving Trust in Third-Party Relationships</b></h2>
<p class="p1">Shared Assessments is a trusted leader for Third-Party Risk Management (TPRM) tools and frameworks. Our member-driven community advances best practices and standards in a shifting third-party risk landscape, empowering practitioners to navigate their careers and build stronger TPRM programs. Shared Assessments tools and <a href="https://sharedassessments.org/membership/"><span class="s1">membership</span></a> help organizations to:</p>
<ul class="ul1">
<li class="li1">Streamline vendor evaluations</li>
<li class="li1">Enhance regulatory compliance</li>
<li class="li1">Improve risk visibility across supply chains</li>
</ul>
<hr />
<h2 class="p1"><b>Strengthen Your Third-Party Due Diligence with Shared Assessments</b></h2>
<p class="p1">To enhance your third-party risk management strategy, explore Shared Assessments’ comprehensive tools and resources:</p>
<p class="p1">✅<a href="https://sharedassessments.org/certifications/"><span class="s1"><b> Certified Third Party Risk Professional (CTPRP)</b></span></a> – <i>A certification boot camp for experienced TPRM roles involved in the development, implementation and management of TPRM programs.</i><br />
✅ <a href="https://sharedassessments.org/ctpra/"><span class="s1"><b>Certified Third Party Risk Assessor (CTPRA)</b></span></a><b> </b>– <i>A certification boot camp for experienced TPRM risk assessor roles involved in the planning, scoping and evaluation of a third-party&#8217;s control environment.<br />
</i>✅<a href="https://sharedassessments.org/certifications/"><span class="s1"><b> Standardized Information Gathering (SIG) Questionnaire</b></span></a> – <i>The SIG allows organizations to build, customize, analyze, and store vendor assessments for managing third-party risk.</i><br />
✅<a href="https://sharedassessments.org/certifications/"><span class="s1"> <b>Vendor Risk Management Maturity Model (VRMMM)</b></span></a> – <i>The VRMMM evaluates third-party risk programs against a set of comprehensive best practices and industry benchmarks.<br />
</i>✅ <a href="https://sharedassessments.org/inherent-risk-rating/"><span class="s1"><b>Third Party Service Inherent Risk Rati</b><strong>ng</strong></span><strong> (TPSIRR)</strong></a> – <i>The TPSIRR helps firms understand the inherent amount and types of identified risk posed by prospective third-party engagements and their potential impacts.</i><i></i></p>
<p class="p1">Ready to take the next step in strengthening your third-party due diligence efforts? <a href="https://sharedassessments.org/contact-us/"><span class="s1"><b>Get in touch!</b><b></b></span></a></p>
<hr />
<h2 class="p1"><b>Frequently Asked Questions (FAQs) on Third-Party Due Diligence</b></h2>
<h4 class="p1"><b>What is the Due Diligence Process for Third Parties?</b></h4>
<p class="p1">The due diligence process involves risk assessments, background checks, compliance verification, cybersecurity evaluations, and continuous monitoring.</p>
<h4 class="p1"><b>When Should You Conduct Third-Party Due Diligence?</b></h4>
<p class="p1">Due diligence should be conducted before entering a business relationship and periodically throughout the partnership to detect emerging risks.</p>
<h4 class="p1"><b>What are the Red Flags for Third-Party Due Diligence?</b></h4>
<p class="p1">Common red flags include financial instability, compliance violations, legal disputes, lack of cybersecurity measures, and poor data protection policies.</p>
<h4 class="p1"><b>How Do You Build a Due Diligence Checklist?</b></h4>
<p class="p1">A due diligence checklist should include risk assessments, financial reviews, compliance verification, security evaluations, and ongoing monitoring.</p>
<h4 class="p1"><b>What are 3 Examples of Due Diligence?</b></h4>
<ol class="ol1">
<li class="li1">Regulatory due diligence – Ensuring compliance with laws like GDPR.</li>
<li class="li1">Financial due diligence – Assessing a vendor’s financial stability.</li>
<li class="li1">Cybersecurity due diligence – Evaluating data protection practices.</li>
</ol>
<p>The post <a href="https://sharedassessments.org/blog/third-party-due-diligence/">Essential Guide to Effective Third-Party Due Diligence Practices</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Five Takeaways From EY’s New TPRM Research</title>
		<link>https://sharedassessments.org/blog/five-takeaways-from-eys-new-tprm-research/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Fri, 01 Aug 2025 17:38:09 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=79076</guid>

					<description><![CDATA[<p>On June 25th, Shared Assessments hosted another in a series of “All Committee” meetings designed to bring together members from a diverse set of TPRM interest groups to engage on a single topic. The June meeting’s focus was “From Insight to Action, What the 2025 EY Global Third-Party Risk Management Survey says about AI and [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/five-takeaways-from-eys-new-tprm-research/">Five Takeaways From EY’s New TPRM Research</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>On June 25th, Shared Assessments hosted another in a series of “All Committee” meetings designed to bring together members from a diverse set of TPRM interest groups to engage on a single topic. The June meeting’s focus was “From Insight to Action, What the 2025 EY Global Third-Party Risk Management Survey says about AI and third-party risk management.” EY Managing Director Rich Alber presented, after which meeting attendees separated into breakout rooms for discussion.</em></p>
<p>Change is constant in third-party risk management (TPRM), but the past few years have seen accelerated change velocities. Artificial intelligence (AI) has been a big part of that. AI is becoming an important tool to make TPRM programs more efficient while simultaneously improving risk management outcomes. At the same time, an increasing number of outsourcers recognize that AI may be an important source of additional risk when vendors do not have sufficiently mature artificial intelligence oversight capabilities within their own organizations. That risk is multiplied through today’s increasingly complex supply chains. Because third parties anchor supply chains, the contracts and due diligence processes that outsourcers structure with their vendors are more important today than ever.</p>
<hr />
<h2><strong>5 Key TPRM Trends for 2025</strong></h2>
<p><a href="https://www.ey.com/en_us">EY</a> recently released its annual <a href="https://www.ey.com/en_gl/insights/consulting/how-ai-navigates-third-party-risk-in-a-rapidly-changing-risk-landscape">Global Third-Party Risk Management Survey</a> which highlights key trends, top concerns, and notable changes in third party risk management. Here are some of the top takeaways.</p>
<p><strong>1. Data analytics tops technologies currently in use.</strong></p>
<p>The most widely used TPRM technology is data analytics. Nearly half of the respondents are using data analytics for use cases such as sourcing and planning, risk/control assessment facilitations, and digesting external data. Data analytics are used more consistently across TPRM program components than any other reported technology. And around a third of respondents are planning to invest even more in data analytics in the coming years. Although only a small percentage of survey respondents (8%) report having risk data and analytics deployed at scale today, that percentage is expected to soar within the next two years, when almost 40% expect scale operations.</p>
<p><strong>2. AI and automation are growing in popularity.</strong></p>
<p>The survey found that AI is being used most widely (46% of respondents) in the sourcing and planning TPRM functions, just a single percentage point behind the top used technology, data analytics. And AI utility will grow significantly during the next two years. One of the main drivers of investment in AI and machine learning is to support enhanced due diligence and contract performance monitoring. Automation investment is driven in part by the desire to increase efficiency for due diligence functions amidst heightened risk management requirements.</p>
<p>While investment in generative AI in the next two years is expected to be lower than the broader AI category (32%), the technology is projected to grow in use by around 20-25% for most use cases. Performance monitoring, sourcing and planning, and reporting are the main functions where TPRM professionals see increasing potential for generative AI. Artificial Intelligence and Machine Learning were ranked second as a primary driver of investment in centralized TPRM programs in the latest survey.</p>
<p><strong>3. Not surprisingly, Cybersecurity is the primary risk domain included in TPRM programs.</strong></p>
<p>The survey reported that 58% of organizations include cybersecurity in their TPRM program, making it the most common risk focus. Considering <a href="https://www.imf.org/en/Blogs/Articles/2024/04/09/rising-cyber-threats-pose-serious-concerns-for-financial-stability">how common cyberattacks</a> have become in recent years and the high costs involved, that number still seems low.</p>
<p>Meanwhile, 28% of firms include AI risk due diligence in their programs today. Many organizations are still in the early stages of determining the best question sets and use cases to consider when evaluating AI risk.</p>
<p><strong>4. Contractual terms are a growing approach to 4th and Nth-party (supply chain) risk.</strong></p>
<p>Managing 4th and Nth-party risk in supply chains is a complicated but crucial component of modern TPRM. 64% of companies monitor 4th/Nth-party risk by validating a third party’s TPRM program and the risk assessment they perform on <em>their</em> third parties, making it the most common method.</p>
<p>Notably, 51% of outsourcers—a big jump up from 24% in 2022—include Nth party requirements in their contracts with third parties to ensure expectations “pass through” to subcontractors in supply chains. In the age of supply chain complexity, these contracts are growing more important, and those contract pass-through expectations will likely grow in the coming years.</p>
<p><strong>5. Organizations struggle with a lack of internal coordination and communication.</strong></p>
<p>As important as risk management is, TPRM programs often face internal resistance from business units that see it as a bottleneck. 83% of TPRM programs face difficulty with internal coordination and communication between the program and internal stakeholders, a top challenge.</p>
<p>Nearly as common, 82% of programs deal with the delays that robust TPRM practices can cause for internal relationships where timeliness matters. Business lines want to move fast, while risk management processes are perceived as taking too much time. Managing that internal conflict is a top concern for many TPRM programs.</p>
<hr />
<h2><strong>Stay Informed and Prepared</strong></h2>
<p>Adaptability has always been a necessary skill in TPRM. Risk professionals must work to stay on top of changes in the risk landscape, as well as best practices for responding to them. EY&#8217;s research is a long-standing useful resource for tracking TPRM trends over time, and the survey is increasingly forward-looking to provide practitioners with a sense of what improvements peer organizations are considering. Shared Assessments&#8217; committees are another. Committee meetings are a valuable opportunity to learn from your peers, as well as established experts in the industry. Check out the <a href="https://sharedassessments.org/committees/">full list of Shared Assessments committees</a> to see if one is right for you.</p>
<p>The post <a href="https://sharedassessments.org/blog/five-takeaways-from-eys-new-tprm-research/">Five Takeaways From EY’s New TPRM Research</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Coming Soon: 2026 SIG Workbook: Key Updates and Enhancements</title>
		<link>https://sharedassessments.org/blog/2026-sig-workbook-updates/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Fri, 18 Jul 2025 20:32:21 +0000</pubDate>
				<category><![CDATA[Tools and Products]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=78893</guid>

					<description><![CDATA[<p>The Shared Assessments Standardized Information Gathering (SIG) Questionnaire has long been the industry’s most trusted third-party risk assessment tool—used by thousands of organizations globally to assess vendor controls efficiently and consistently. With the upcoming September 19, 2025 release, the SIG Workbook gains powerful new features and content that reflect the evolving risk landscape—including AI governance, [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/2026-sig-workbook-updates/">Coming Soon: 2026 SIG Workbook: Key Updates and Enhancements</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;">The Shared Assessments <a href="https://sharedassessments.org/sig/">Standardized Information Gathering (SIG) Questionnaire</a> has long been the industry’s most trusted third-party risk assessment tool—used by thousands of organizations globally to assess vendor controls efficiently and consistently. With the upcoming </span><b>September 19, 2025</b><span style="font-weight: 400;"> release, the SIG Workbook gains powerful new features and content that reflect the evolving risk landscape—including AI governance, data privacy, and operational resilience.</span></p>
<p><span style="font-weight: 400;">Here’s what you can expect and how these updates make SIG smarter, sharper, and more aligned to today’s regulatory and risk realities. </span><span style="font-weight: 400;"><a href="https://ceyr4.share.hsforms.com/2c3_7L1tPT5OxaN4vwMM01A">Stay connected</a> for additional release details and updated guidance from Shared Assessments.</span></p>
<hr />
<h3><b>Expanded Content: Reflecting the Modern Risk Landscape</b></h3>
<p><span style="font-weight: 400;">The SIG Workbook now includes references to newly relevant and rapidly maturing frameworks:</span></p>
<ul>
<li><b>ISO 42001 – Artificial Intelligence Management Systems: </b><span style="font-weight: 400;">As AI rapidly reshapes industries, governance standards are evolving just as fast. The SIG now references ISO 42001, providing organizations a structured approach to responsible AI management, including oversight of AI lifecycle stages such as data collection, model training, deployment, and monitoring. This ensures organizations can assess third parties’ AI practices for fairness, transparency, and accountability.</span></li>
<li><b>NIST SP 800-171 – Enhanced Data Privacy Mapping: </b><span style="font-weight: 400;">The updated SIG incorporates more detailed mapping to NIST SP 800-171, the set of security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems, improving its utility for companies that handle CUI, especially those operating in or serving the Defense Industrial Base (DIB). The SIG now offers finer-grained control mapping, making it easier for organizations to evaluate a third party’s compliance posture against these U.S. federal requirements.</span></li>
<li><strong>Business Resilience Council (BRC):</strong> Aligning the SIG framework with the BRC’s Operational Resilience Framework (ORF) broadens its coverage from post-event recovery to sustaining critical operations through disruptions. This alignment fortifies the SIG’s ability to anticipate, withstand, and adapt to challenges while actively reducing systemic risk and driving continuous improvement. Both frameworks are anchored in recognized industry standards, ensuring consistency, credibility, and interoperability across practices.</li>
<li><b>ISO 27001 Annex A: </b><span style="font-weight: 400;">To ensure consistency across frameworks, we aligned previous mappings with ISO 27001. The SIG’s content now reflects the latest ISO 27001:2022 updates, including the restructured Annex A controls. These updates introduce a modernized grouping of controls into categories such as organizational, people, physical, and technological—making it easier for users to assess a third party’s security control environment in line with today’s risk landscape. <em><strong>**Coming in October**</strong></em></span></li>
</ul>
<hr />
<h3><b>New Functionality: Designed for Real-World Use</b></h3>
<p><span style="font-weight: 400;">The upcoming release introduces powerful usability enhancements based directly on member feedback:</span></p>
<h4><b>SCA Scoping Modes: Lite, Core, and Detail</b></h4>
<p><span style="font-weight: 400;">Scoping presets serve as starting points, allowing organizations to tailor their Standardized Control Assessment (SCA) based on the desired depth of review—from high-level overviews to comprehensive deep dives. This flexibility helps right-size due diligence efforts to fit the risk profile and relationship context. </span></p>
<h4><b>“Edit a SIG” – Now Even Smarter</b></h4>
<ul>
<li style="font-weight: 400;" aria-level="1"><b>Color-Coding:</b><span style="font-weight: 400;"> Add color codes to questions and tabs to help prioritize internal reviews or designate ownership.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Question/Tab Visibility Controls:</b><span style="font-weight: 400;"> Hide questions or tabs in a questionnaire for role-based or phased completion workflows.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Restore Defaults:</b><span style="font-weight: 400;"> Easily revert color schemes and visibility to default settings for distribution or submission.</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;"><b>Response Locking:</b> Prevent changes after a questionnaire is marked complete—ensuring integrity in finalized assessments.</span></li>
</ul>
<h4><b>Hover Helpers Everywhere</b></h4>
<p><span style="font-weight: 400;">Brief explanations will now appear when you hover over any framework, regulation, domain, or control family—bringing instant clarity without breaking focus. This feature will be available in the updated SIG, ESG SIG, and SCA. </span></p>
<hr />
<h3><b>Building on a Proven Foundation</b></h3>
<p><span style="font-weight: 400;">Since its inception, the SIG has been about unifying assessments, eliminating redundancy, and improving clarity between assessors and vendors. This release doesn’t reinvent the wheel—it sharpens it for the road ahead. From increased flexibility in how the SIG is used to deeper alignment with emerging regulations, the September release reflects the growing complexity of third-party risk while keeping assessments clear, structured, and efficient.</span></p>
<hr />
<h3><b> Mark Your Calendar</b></h3>
<p><b>Release Date: September 19, 2025 </b></p>
<p><b>Need help adopting the updated SIG?</b> <span style="font-weight: 400;">Visit </span><a href="https://sharedassessments.org/sig"><span style="font-weight: 400;">sharedassessments.org/sig</span></a><span style="font-weight: 400;"> or <a href="https://sharedassessments.org/product-inquiry/">book a demo</a> with our team to explore training, integration support, and how to align your internal TPRM workflows with the new release.</span></p>
<p>The post <a href="https://sharedassessments.org/blog/2026-sig-workbook-updates/">Coming Soon: 2026 SIG Workbook: Key Updates and Enhancements</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Building Strategic Alliances: Advocating for Your TPRM Program through Executive Sponsorship</title>
		<link>https://sharedassessments.org/blog/building-strategic-alliances/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Tue, 27 May 2025 18:26:21 +0000</pubDate>
				<category><![CDATA[Shared Assessments]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=77706</guid>

					<description><![CDATA[<p>For companies that are building a TPRM (third-party risk management) program from scratch—as well as any hoping to improve the programs they already have—there are a lot of important puzzle pieces to put into place. Our first Foundations Committee meeting delved into the initial steps to take when building a TPRM program to set your [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/building-strategic-alliances/">Building Strategic Alliances: Advocating for Your TPRM Program through Executive Sponsorship</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p style="font-weight: 400;">For companies that are building a TPRM (third-party risk management) program from scratch—as well as any hoping to improve the programs they already have—there are a lot of important puzzle pieces to put into place. Our first <a href="https://sharedassessments.org/committees/">Foundations Committee</a> meeting delved into the initial steps to take when building a TPRM program to set your efforts up for success.</p>
<p style="font-weight: 400;">I want to go a bit deeper into one of the most important steps not to miss: Identifying and engaging a leader who is passionate about risk management and committed to the success of your program.</p>
<p style="font-weight: 400;">Building a TPRM program requires a lot of work and resources. An executive champion can help ensure the process moves much more smoothly in a number of ways:</p>
<h4>Serve As Your Internal Advocate</h4>
<p style="font-weight: 400;">Having an influential ally in your organization by your side can significantly ease the process of advocating for the importance of third-party risk management. They can leverage their knowledge and persuasive abilities to help win over any doubters, and tap the relationships they&#8217;ve built to help you gain even more support. Moreover, they will understand the priorities of key decision-makers, helping you tailor your approach and design a program that aligns with goals that matter most to leadership, which increases your odds of earning their continued support.</p>
<h4>Assist In Navigating Internal Politics</h4>
<p style="font-weight: 400;">An executive champion ideally won&#8217;t just understand what the senior leadership in the organization thinks, they&#8217;ll also have a deep understanding of the larger dynamics of the business. The right executive champion will help secure buy-in from all the necessary departments in order to improve cross-functional collaboration and reduce the bottlenecks silos so often cause. And if you encounter someone in the organization resistant to TPRM, an executive champion can be invaluable in resolving issues and helping you overcome pushback, paving the way for smoother implementation of the initiative.</p>
<h4>Endorse Appropriate Resource Allocation</h4>
<p style="font-weight: 400;">Like any other initiative, your TPRM program won&#8217;t get far without resources. An executive champion can lobby for and endorse the allocation of funding, personnel, and technology, ensuring your program’s sustainability and ability to evolve. With an executive champion on your side, you&#8217;ll have an easier time nimbly making changes as new risks, challenges, and opportunities arise.</p>
<h4>Foster A Risk-Aware Culture</h4>
<p style="font-weight: 400;">Having a TPRM program is a good start for identifying and reducing risk, but what will really produce better results in risk management is having an entire business culture that&#8217;s invested in it. If someone at the top (or reasonably high up in the org chart) is passionate about risk management, their enthusiasm can inspire others. They can infuse the company&#8217;s larger policies and priorities with a risk mindset that makes your job easier.</p>
<h4>How To Identify Your Executive Champion</h4>
<p style="font-weight: 400;">Understanding the value of an executive champion may be a lot easier than finding the right champion within your organization. If you&#8217;re lucky, your leadership team will understand the value of risk management practices and will be happy to support your efforts. If not, you may be able to find risk-minded supporters in less obvious places such as audit, legal, finance, or even a line of business!</p>
<p style="font-weight: 400;">In other words, you may need to look beyond job titles or positions in trying to find the right champion and instead try to identify who in the organization has a passion for risk management. If you have a mentor or colleagues who you know value risk awareness, ask for recommendations or introductions to people they think could help.</p>
<p style="font-weight: 400;">It may take some political maneuvering to find and convince the right people to support the program, but with a leader in the organization willing to champion your efforts, the entire process will be smoother and more successful.</p>
<h4>Join Us In The Foundations Committee</h4>
<p style="font-weight: 400;">Want more great information on building a successful TPRM program? <a href="https://sharedassessments.org/events/foundations-committee-may-2025/">Join our Foundations Committee</a> to gain valuable insights and meet other TPRM professionals early in their careers.</p>
<p>The post <a href="https://sharedassessments.org/blog/building-strategic-alliances/">Building Strategic Alliances: Advocating for Your TPRM Program through Executive Sponsorship</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>GDPR Compliance: A Step-by-Step Guide</title>
		<link>https://sharedassessments.org/blog/how-to-be-gdpr-compliant/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Thu, 17 Apr 2025 23:17:42 +0000</pubDate>
				<category><![CDATA[Framework, Industry Guidance, and Regulations]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=76859</guid>

					<description><![CDATA[<p>GDPR Compliance Checklist: 10 Steps to Protect Personal Data &#38; Stay Compliant  The General Data Protection Regulation (GDPR) is one of the most significant data privacy laws in the world, affecting businesses that collect and process personal data. Whether you’re operating within the European Union (EU) or handling EU residents’ data from another country, GDPR [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/how-to-be-gdpr-compliant/">GDPR Compliance: A Step-by-Step Guide</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h1><b>GDPR Compliance Checklist: 10 Steps to Protect Personal Data &amp; Stay Compliant </b></h1>
<p><span style="font-weight: 400;">The General Data Protection Regulation (GDPR) is one of the most significant data privacy laws in the world, affecting businesses that collect and process personal data. Whether you’re operating within the European Union (EU) or handling EU residents’ data from another country, GDPR compliance is essential to protect user privacy and avoid hefty fines. A GDPR compliance checklist is a crucial tool for businesses to navigate the complexities of GDPR compliance, helping them assess their compliance status, manage personal data responsibly, and mitigate risks associated with data breaches and non-compliance penalties. </span></p>
<p><span style="font-weight: 400;">In this guide, we’ll break down </span><b>what GDPR compliance entails, who it applies to, and the steps businesses need to take to align with the regulation</b><span style="font-weight: 400;">.</span></p>
<h2><b>What is GDPR Compliance?</b></h2>
<p><span style="font-weight: 400;">GDPR compliance refers to adhering to the </span><b>EU General Data Protection Regulation</b><span style="font-weight: 400;">, which governs how organizations collect, process, and store personal data. The regulation is designed to:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><b>Safeguard personal data</b><span style="font-weight: 400;"> by enforcing strict security measures</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Ensure transparency</b><span style="font-weight: 400;"> about how businesses use customer data</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Empower individuals</b><span style="font-weight: 400;"> to control their personal information</span></li>
</ul>
<p><span style="font-weight: 400;">Compliance also necessitates proactive measures, such as conducting a Data Protection Impact Assessment (DPIA), particularly when processing sensitive data.</span></p>
<p><span style="font-weight: 400;">Failure to comply with GDPR can result in severe penalties, with fines reaching up to </span><b>€20 million or 4% of annual global revenue</b><span style="font-weight: 400;">—whichever is higher. </span><i><span style="font-weight: 400;">(Data according to </span></i><a href="https://gdpr-info.eu/issues/fines-penalties/"><i><span style="font-weight: 400;">gdprinfo.eu</span></i></a><i><span style="font-weight: 400;">)</span></i></p>
<h2><b>What is Considered Personal Data Under the EU GDPR?</b></h2>
<p><span style="font-weight: 400;">GDPR defines personal data as any information related to an identifiable person. This includes:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><b>Direct identifiers</b><span style="font-weight: 400;">: Names, email addresses, phone numbers</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Indirect identifiers</b><span style="font-weight: 400;">: IP addresses, location data, and online behavior</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Special categories of data</b><span style="font-weight: 400;">: Health records, biometric data, racial or ethnic origin, religious beliefs, and sexual orientation, which require extra protection</span></li>
</ul>
<p><span style="font-weight: 400;">Understanding personal data processing is essential to ensure lawful and responsible handling of personal data, ultimately building trust with users and enhancing brand reputation.</span></p>
<h2><b>Who Does the GDPR Apply To?</b></h2>
<p><span style="font-weight: 400;">The GDPR has a broad reach, applying to:</span></p>
<ol>
<li style="font-weight: 400;" aria-level="1"><b>EU-based organizations</b><span style="font-weight: 400;"> processing any personal data</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Non-EU organizations</b><span style="font-weight: 400;"> that collect, store, or process data of EU residents (e.g., a U.S. e-commerce company selling to customers in Germany)</span></li>
</ol>
<p><span style="font-weight: 400;">GDPR compliance is mandatory for organizations that process the personal data of individuals residing in the EU, regardless of where their company is located.</span></p>
<h2><b>Data Controllers vs. Data Processors: What’s the Difference?</b></h2>
<p><span style="font-weight: 400;">GDPR distinguishes between:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><b>Data Controllers</b><span style="font-weight: 400;"> – Determine the purpose and method of processing personal data</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Data Processors</b><span style="font-weight: 400;"> – Handle data on behalf of a controller</span></li>
</ul>
<p><span style="font-weight: 400;">Both controllers and processors must adhere to strict data protection obligations and can be held accountable for non-compliance. Controllers are responsible for ensuring that their processors comply with GDPR, making robust vendor risk management and due diligence essential.</span></p>
<h2><b>Data Mapping and Inventory</b></h2>
<h5><b>Conduct Data Mapping to Understand Data Flows</b></h5>
<p><span style="font-weight: 400;">Data mapping is a crucial step in understanding how personal data flows through an organization. It involves creating a visual representation of the data flows, including the sources, storage, and processing of personal data. This helps organizations identify potential risks and vulnerabilities in their data processing activities.</span></p>
<p><span style="font-weight: 400;">To conduct data mapping, organizations should follow these steps:</span></p>
<ol>
<li style="font-weight: 400;" aria-level="1"><b>Identify the types of personal data collected, processed, and stored</b><span style="font-weight: 400;">: Start by cataloging all the personal data your organization handles. This includes direct identifiers like names and email addresses, as well as indirect identifiers such as IP addresses and location data.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Determine the sources of personal data</b><span style="font-weight: 400;">: Identify where the data comes from, whether it’s collected directly from data subjects, obtained from third parties, or generated internally.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Map the data flows</b><span style="font-weight: 400;">: Create a visual representation of how personal data moves through your organization. This includes how data is transmitted, where it is stored, and how it is processed.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Identify the data processors and data controllers involved</b><span style="font-weight: 400;">: Determine who is responsible for the data at each stage of its lifecycle. This includes both internal teams and external partners.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Assess the risks and vulnerabilities</b><span style="font-weight: 400;">: Evaluate the potential risks associated with each data processing activity. This includes identifying any weak points in your data protection measures.</span></li>
</ol>
<p><span style="font-weight: 400;">By conducting data mapping, organizations can better understand their data processing activities and identify areas for improvement to ensure GDPR compliance. This proactive approach helps safeguard personal data and mitigate potential risks.</span></p>
<h2><b>Data Subject Rights</b></h2>
<h5><b>Provide Data Rights Provision</b></h5>
<p><span style="font-weight: 400;">The GDPR grants data subjects several rights, including the rights of access, rectification, erasure, restriction of processing, objection, and data portability. Organizations must honor these rights and ensure that data subjects are able to exercise them easily.</span></p>
<p><span style="font-weight: 400;">To provide for these rights, organizations should follow these steps:</span></p>
<ol>
<li style="font-weight: 400;" aria-level="1"><b>Implement a data subject access request (DSAR) process</b><span style="font-weight: 400;">: Establish a clear process for handling requests from data subjects. This includes verifying the identity of the requester and responding within the required timeframe.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Provide clear and concise information</b><span style="font-weight: 400;">: Ensure that data subjects are informed about their rights and how to exercise them. This information should be easily accessible, such as in your privacy policy.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Facilitate access and rectification</b><span style="font-weight: 400;">: Make it easy for data subjects to access their personal data and request corrections if needed. This can be done through user-friendly online portals or dedicated support teams.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Implement a process for erasing personal data</b><span style="font-weight: 400;">: When a data subject requests the deletion of their data, ensure that it is promptly and securely erased from all systems.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Restrict processing upon request</b><span style="font-weight: 400;">: If a data subject requests to restrict the processing of their data, ensure that this is implemented without delay.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Provide the right to object and data portability</b><span style="font-weight: 400;">: Allow data subjects to object to certain types of processing and to request the transfer of their data to another organization.</span></li>
</ol>
<p><span style="font-weight: 400;">By providing for data subject rights, organizations can ensure that they are respecting the rights of data subjects and complying with the GDPR. This not only builds trust with customers but also helps in avoiding potential fines and penalties.</span></p>
<h2><b>International Data Transfer</b></h2>
<h5><b>Ensure Compliant International Data Transfer</b></h5>
<p><span style="font-weight: 400;">The GDPR regulates the transfer of personal data outside the European Union (EU) and the European Economic Area (EEA). Organizations must comply with GDPR when transferring personal data internationally. To ensure a compliant transfer, they should follow these steps:</span></p>
<ol>
<li style="font-weight: 400;" aria-level="1"><b>Determine the destination country</b><span style="font-weight: 400;">: Identify the country or countries to which personal data will be transferred. This is crucial as different countries have varying levels of data protection.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Assess the level of protection</b><span style="font-weight: 400;">: Evaluate the data protection measures in place in the destination country. This includes understanding the local data protection laws and any adequacy decisions by the European Commission.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Use standard contractual clauses (</b><a href="https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en"><b>SCCs</b></a><b>) or binding corporate rules (BCRs)</b><span style="font-weight: 400;">: These legal tools help ensure that personal data transferred outside the EU is protected to the same standard as within the EU.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Implement additional safeguards</b><span style="font-weight: 400;">: Enhance data protection by using measures such as encryption and pseudonymization. These techniques help protect personal data during transfer and storage.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Obtain consent from data subjects</b><span style="font-weight: 400;">: Before transferring personal data internationally, ensure that you have obtained explicit consent from the data subjects. This consent should be informed and freely given.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Keep records of international data transfers</b><span style="font-weight: 400;">: Maintain detailed records of all international data transfers. This includes documenting the legal basis for the transfer and any safeguards implemented.</span></li>
</ol>
<p><span style="font-weight: 400;">By ensuring compliant international data transfer, organizations can avoid violating the GDPR and facing significant fines and penalties. This proactive approach helps maintain the trust of data subjects and protects personal data across borders.</span></p>
<h2><b>10-Step Checklist to be GDPR-Compliant</b></h2>
<p><span style="font-weight: 400;">To achieve GDPR compliance, businesses must follow a structured approach. Here’s a </span><b>step-by-step checklist</b><span style="font-weight: 400;"> to guide you:</span></p>
<h5><b>1. Know All of the Data Your Business Collects</b></h5>
<p><span style="font-weight: 400;">Conduct a </span>data audit<span style="font-weight: 400;"> to:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Identify what personal data you collect</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Determine where and how it is stored</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Classify data as personal or sensitive</span></li>
</ul>
<p><span style="font-weight: 400;">This helps ensure compliance with data minimization principles—only collecting what’s necessary.</span></p>
<h5><b>2. Appoint a Data Protection Officer (DPO)</b></h5>
<p><span style="font-weight: 400;">If your business processes large amounts of sensitive data, appointing a DPO is required. The DPO:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Monitors GDPR compliance</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Conducts internal audits</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Advises on data protection best practices</span></li>
</ul>
<h5><b>3. Create a GDPR Diary</b></h5>
<p><span style="font-weight: 400;">A GDPR diary (data processing log) tracks:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Data collection purposes</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Legal bases for processing</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Retention periods</span></li>
</ul>
<p><span style="font-weight: 400;">Keeping detailed records demonstrates accountability to regulators.</span></p>
<h5><b>4. Evaluate Your Data Collection Requirements</b></h5>
<p><span style="font-weight: 400;">Under GDPR, businesses must ensure they:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Only collect necessary data</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Have a lawful basis for data processing</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Inform users why their data is being collected</span></li>
</ul>
<h5><b>5. Instantly Report Data Breaches</b></h5>
<p><span style="font-weight: 400;">Organizations must report data breaches within 72 hours to authorities and, in some cases, affected individuals. A robust incident response plan is essential for compliance.</span></p>
<h5><b>6. Be Transparent About Data Collection Motives</b></h5>
<p><span style="font-weight: 400;">Businesses must provide clear privacy policies that detail:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">What data is collected</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">How it is used</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Who it is shared with</span></li>
</ul>
<p><span style="font-weight: 400;">Users should always be informed about their rights.</span></p>
<h5><b>7. Verify the Ages of All Users Consenting to Data Processing Activities</b></h5>
<p><span style="font-weight: 400;">GDPR mandates age verification for minors. Businesses must ensure:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Parental consent for users under 16 (or the applicable age in EU countries)</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Age verification mechanisms to prevent non-compliant data collection</span></li>
</ul>
<h5><b>8. Include a Double Opt-in for All New Email List Sign-Ups</b></h5>
<p><span style="font-weight: 400;">A double opt-in process ensures users explicitly consent before being added to mailing lists. This helps:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Reduce spam complaints</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Strengthen compliance with GDPR’s consent requirements</span></li>
</ul>
<h5><b>9. Keep Your Privacy Policy Updated</b></h5>
<p><span style="font-weight: 400;">Regularly review and update your privacy policy to reflect any changes in:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Data collection methods</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Processing purposes</span></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Third-party relationships</span></li>
</ul>
<p><span style="font-weight: 400;">Users must be notified of material changes to the policy.</span></p>
<h5><b>10. Regularly Assess All Third-Party Risks</b></h5>
<p><span style="font-weight: 400;">If your business works with third-party vendors, assess their GDPR compliance by:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Reviewing </span><b>Data Processing Agreements (DPAs)</b></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Conducting </span><b>third-party audits</b></li>
<li style="font-weight: 400;" aria-level="1"><span style="font-weight: 400;">Ensuring they follow </span><b>GDPR security standards</b></li>
</ul>
<h2><b>Shared Assessments Helps Businesses Remain GDPR Compliant</b></h2>
<p><span style="font-weight: 400;">Achieving and maintaining GDPR compliance is an ongoing process that requires continuous effort. Partnering with compliance experts ensures your organization meets the highest data protection standards while effectively mitigating risks.</span></p>
<p><span style="font-weight: 400;">At Shared Assessments, we support businesses by providing:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><b>Tailored Third-Party Risk Management Solutions:</b><span style="font-weight: 400;"> Our </span><a href="https://sharedassessments.org/sig/"><span style="font-weight: 400;">Standardized Information Gathering (SIG) Questionnaire</span></a><span style="font-weight: 400;"> enables organizations to build, customize, analyze, and store vendor assessments, streamlining the third-party risk assessment process.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Data Governance Tools:</b><span style="font-weight: 400;"> Our </span><a href="https://sharedassessments.org/data-governance-products/"><span style="font-weight: 400;">Data Governance Products</span></a><span style="font-weight: 400;"> assist in identifying, tracking, and monitoring the use and disclosure of personal data to third and fourth parties, helping organizations address specific data protection obligations.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Thought Leadership and Training: </b><span style="font-weight: 400;">We offer resources and </span><a href="https://sharedassessments.org/certifications/"><span style="font-weight: 400;">training courses</span></a><span style="font-weight: 400;"> to ensure continuous data protection and compliance and to adapt to evolving regulations and emerging risks.</span></li>
</ul>
<p><span style="font-weight: 400;">By leveraging tools like the SIG Questionnaire and Data Governance Products, organizations can enhance their data privacy strategies and maintain robust GDPR compliance.</span></p>
<p><span style="font-weight: 400;">Explore how Shared Assessments </span><a href="https://sharedassessments.org/products/"><span style="font-weight: 400;">products</span></a><span style="font-weight: 400;">, </span><a href="https://sharedassessments.org/certifications/"><span style="font-weight: 400;">education</span></a><span style="font-weight: 400;">, and </span><a href="https://sharedassessments.org/membership/"><span style="font-weight: 400;">membership</span></a><span style="font-weight: 400;"> can assist you in navigating the complexities of remaining GDPR compliant.</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>A Life In Risk: How Experiences Have Shaped My Approach To Risk Management</title>
		<link>https://sharedassessments.org/blog/how-experiences-shape-risk-management/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Tue, 01 Apr 2025 23:59:05 +0000</pubDate>
				<category><![CDATA[Shared Assessments]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=76396</guid>

					<description><![CDATA[<p>In this blog, Jennifer Hancock, Senior Vice President of Professional Development &#38; Education at Shared Assessments, recalls pivotal moments that have shaped her approach to risk management and invites early-career risk professionals to join the new Shared Assessments Foundations Committee, a community designed to foster learning, connection, and growth in the industry. (Note: the &#8220;My&#8221; [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/how-experiences-shape-risk-management/">A Life In Risk: How Experiences Have Shaped My Approach To Risk Management</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;">In this blog, Jennifer Hancock, Senior Vice President of Professional Development &amp; Education at Shared Assessments, recalls pivotal moments that have shaped her approach to risk management and invites early-career risk professionals to join the new </span><a href="https://sharedassessments.org/committees/"><span style="font-weight: 400;">Shared Assessments Foundations Committee</span></a><span style="font-weight: 400;">, a community designed to foster learning, connection, and growth in the industry. <em>(<strong>Note</strong>: the &#8220;My&#8221; and &#8220;I&#8221; refer directly to Jennifer&#8217;s first-person storytelling).</em></span></p>
<p><span style="font-weight: 400;">Everyone will encounter risk at some point; it&#8217;s an inevitable part of life. For those of us who work in risk management, each brush with adversity we experience doubles as a career lesson—and I&#8217;ve had my share over the years. Several pivotal moments in my life shaped my view on risk and led to the career I have today.</span></p>
<h2><strong>Early Experiences In Risk</strong></h2>
<p><span style="font-weight: 400;">I grew up in Oregon’s beautiful Willamette Valley, and much of my childhood was as idyllic as that sounds. But there are two major events that stand out in my childhood memory.</span></p>
<h5><strong>An Early Brush With Climate Risk</strong></h5>
<p><span style="font-weight: 400;">On Sunday May 18, 1980, Mount St Helens erupted. I was 7, so one of my main takeaways was that school was cancelled. But I also picked up on some of the more serious consequences by watching my parents&#8217; response. My mom was worried about getting the groceries we would need to make it until stores opened back up. Longer term, agricultural areas downwind of the volcano faced crop losses impacting several produce markets.</span></p>
<h5><strong>My First Lesson In ESG (Environmental, Social, and Governance)</strong></h5>
<p><span style="font-weight: 400;">A few years later, a major environmental controversy unfolded in my area: the battle between conservationists concerned about the Spotted Owl and the logging industry. The owl was ultimately identified as a threatened species, leading to layoffs and economic hardships in our community, which extended to my family. The experience gave me an early glimpse into the complex balance between economic interests and environmental protection—an issue that&#8217;s still fresh today, though now we discuss it in terms of </span><a href="https://sharedassessments.org/glossary/environmental-social-and-corporate-governance-esg/"><span style="font-weight: 400;">ESG</span></a><span style="font-weight: 400;"> impact.</span></p>
<h2><strong>Notable Events In A Risk Management Career</strong></h2>
<p><span style="font-weight: 400;">From my first years working up to the present day, I&#8217;ve seen several big events and trends that further highlighted the importance of risk management. Some memorable examples include:</span></p>
<h5><strong>Y2K</strong></h5>
<p><span style="font-weight: 400;">In 1999, in one of my first jobs at a global credit card company, I was recruited for a secret, special project. Only after signing an NDA (non-disclosure agreement) did they reveal I’d be working on the company&#8217;s</span><a href="https://www.si.edu/spotlight/y2k"> <span style="font-weight: 400;">Y2K</span></a><span style="font-weight: 400;"> project. For those young enough to have missed the Y2K panic, the goal was to update all technological systems to ensure they would work seamlessly even when the year switched to 2000 (which would be read as 00 by some systems). My involvement in that project impacted how I think about emerging tech risks.</span></p>
<h5><span style="font-weight: 400;"><strong>9/11</strong></span></h5>
<p><span style="font-weight: 400;">We weathered Y2K only to encounter a more unexpected disaster in 2001 with 9/11. In the immediate aftermath, our call volumes soared as concierge teams faced emotionally charged conversations with customers seeking help with issues related to the attacks, like disrupted travel arrangements. In the following months, the event led to further disruptions as we saw critical staff leave their jobs due to fears of ethnic and religious discrimination, causing gaps in the company’s operational and IT capabilities.</span></p>
<h2><strong>Recent Trends In Risk Management</strong></h2>
<p><span style="font-weight: 400;">In over 20 years working in the credit card industry, I saw a number of industry trends bring new complexity and considerations to risk management work, such as:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><b>Growing number of vendors &#8211; </b><span style="font-weight: 400;">As outsourcing grew in popularity in the late 1990s and 2000s, the need to understand and develop strategies for </span><a href="https://sharedassessments.org/paper/effective-tprm-foundations/"><span style="font-weight: 400;">third-party risk management</span></a><span style="font-weight: 400;"> became more essential.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Increasing regulatory requirements &#8211; </b><span style="font-weight: 400;">At the same time, the industry faced an increase in regulations that we had to develop policies and processes to address.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Pandemics &#8211; </b><span style="font-weight: 400;">Years before COVID-19, the H1N1 virus had teams rethinking the requirements for pandemic plans.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Climate &#8211; </b><span style="font-weight: 400;">As natural disasters become more common, disaster recovery and business continuity planning have become increasingly essential.</span></li>
</ul>
<h2><strong>Old Risks Help Prepare For New</strong></h2>
<p><span style="font-weight: 400;">A theme you may have noticed reading through my past experiences is how many relate to current issues. Mount St. Helens was an early glimpse of the kind of climate disasters that are more common now. H1N1 was a precursor to COVID-19, and the staff shortages wrought by COVID reminded me of losing critical staff after 9/11 due to the political climate. While all of these experiences brought challenges, each also provided nuggets of wisdom that proved valuable during later experiences.</span></p>
<h5><span style="font-weight: 400;"><strong>What’s Next?</strong></span></h5>
<p><span style="font-weight: 400;">Now, it&#8217;s your turn. Consider what events </span><i><span style="font-weight: 400;">you&#8217;ve</span></i><span style="font-weight: 400;"> lived through that taught you something about assessing and prioritizing risk. How have your experiences helped prepare you for a risk management career?</span></p>
<p><span style="font-weight: 400;">For early-career risk professionals, learning from others’ experiences is invaluable—but you don’t have to do it alone. That’s why Shared Assessments is launching the </span><a href="https://sharedassessments.org/committee-form/"><b>Foundations Committee</b></a><span style="font-weight: 400;">, a new opportunity designed to help risk professionals build connections, gain foundational education, and stay on top of current risk management trends. This committee will provide a space to discuss challenges, share insights, and develop the skills needed to tackle emerging risks with confidence.</span></p>
<p><span style="font-weight: 400;">If you’re looking to strengthen your risk management foundation and grow within a community of like-minded professionals, I invite you to join us. Let’s navigate the future of risk together.</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Day 2 Recap – Shared Assessments Summit 2025: From Reflection to Reinvention</title>
		<link>https://sharedassessments.org/blog/summit-2025-day-2-recap/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Fri, 28 Mar 2025 18:53:16 +0000</pubDate>
				<category><![CDATA[Shared Assessments]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=76671</guid>

					<description><![CDATA[<p>Day 2 of the 2025 Shared Assessments Summit built on the momentum of a powerful opening day, moving from bold ideas to practical strategies that are reshaping third-party risk management (TPRM) in real time. Through thought-provoking keynotes, expert-led breakouts, and honest conversations about what’s working—and what’s not—attendees left with insights they can apply immediately and [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/summit-2025-day-2-recap/">Day 2 Recap – Shared Assessments Summit 2025: From Reflection to Reinvention</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;">Day 2 of the 2025 Shared Assessments Summit built on the momentum of a powerful opening day, moving from bold ideas to practical strategies that are reshaping third-party risk management (TPRM) in real time. Through thought-provoking keynotes, expert-led breakouts, and honest conversations about what’s working—and what’s not—attendees left with insights they can apply immediately and a clearer direction for where the discipline is heading.</span></p>
<h3><b>Geopolitical Realities and Global Resilience</b></h3>
<p><span style="font-weight: 400;">The day opened with a compelling keynote from </span><b>Heidi Grant</b><span style="font-weight: 400;">, former Director of the </span><i><span style="font-weight: 400;">Defense Security Cooperation Agency</span></i><span style="font-weight: 400;"> and a seasoned leader in global defense strategy. Framing the global landscape as a geopolitical chessboard, she illustrated how today’s conflicts, economic rivalries, cyber warfare, and climate volatility are no longer abstract risks—they’re operational realities. Grant emphasized the need for resilient, values-driven partnerships within third-party ecosystems, urging attendees to evolve their TPRM strategies in response to an increasingly volatile world.</span></p>
<h3><b>The Promise—and Peril—of AI</b></h3>
<p><span style="font-weight: 400;">In one of the day’s most forward-looking sessions, a panel of experts tackled how artificial intelligence and emerging technologies are fundamentally reshaping risk management. Moderated by </span>Andrew Moyad<span style="font-weight: 400;">, CEO at </span><span style="font-weight: 400;">Shared Assessments</span><span style="font-weight: 400;">, the panel featured:</span></p>
<ul>
<li><i><strong>Katie Boswell</strong>, Securing AI Lead, KPMG</i></li>
<li><i><strong>Jonathan Dambrot</strong>, CEO, Cranium</i></li>
<li><i><strong>Konstantinos Karagiannis</strong>, Director Quantum Computing Services, Protiviti, Inc.</i></li>
<li><i><strong>Mark Wehrle</strong>, Director Cyber Risk &amp; Awareness, The Campbell&#8217;s Company</i></li>
</ul>
<p><span style="font-weight: 400;">Together, they moved past the hype to explore practical AI use cases—such as automated risk assessments, identification of material control gaps, and enhanced data flow management. The group emphasized the need for robust governance, transparency, and collaboration across teams, especially as AI moves from tools to autonomous agents. Their message: embrace innovation, but do so with clear oversight and intentional design.</span></p>
<h3><b>Breakout Insights: Practical Paths to Progress</b></h3>
<p><span style="font-weight: 400;">The afternoon breakout sessions were rich with tactical, actionable guidance tailored to every level of TPRM maturity:</span></p>
<ul>
<li><b>Certa</b><span style="font-weight: 400;">, represented by </span><b>Brian Shaw</b><span style="font-weight: 400;">, presented a bold case for </span><i><span style="font-weight: 400;">TPRM by exception</span></i><span style="font-weight: 400;">, arguing that risk teams should stop managing everything and instead focus on the most critical issues. Their AI-driven approach surfaces only the risks that matter—freeing up time and maximizing impact.</span></li>
<li><b>Black Kite</b><span style="font-weight: 400;">, with insights from <strong>Bob Maley</strong></span><span style="font-weight: 400;">, challenged attendees to </span><i><span style="font-weight: 400;">ditch the checkboxes</span></i><span style="font-weight: 400;"> in favor of continuous risk visibility. Their modern framework replaces static questionnaires with automation and scoring systems, streamlining workflows and enabling smarter decisions.</span></li>
<li><b>ProcessUnity</b><span style="font-weight: 400;">, led by </span><b>Ed Thomas</b><span style="font-weight: 400;">, introduced a </span><i><span style="font-weight: 400;">data-first model</span></i><span style="font-weight: 400;"> that lightens the assessment burden by leveraging shared risk intelligence. By eliminating redundancy and tapping into existing data sources, teams can scale without stretching resources thin.</span></li>
<li><b>BlueVoyant</b><span style="font-weight: 400;">, represented by </span><b>Joey Carter</b><span style="font-weight: 400;">, outlined a </span><em><span style="font-weight: 400;">lifecycle approach to TPRM</span></em><span style="font-weight: 400;">. He demonstrated how cyber risk should be addressed throughout the vendor journey—from onboarding to offboarding—using automation and AI to make faster, more accurate decisions.</span></li>
</ul>
<h3><b>The Road to Standardization</b></h3>
<p><span style="font-weight: 400;">One of TPRM’s most stubborn challenges—</span><i><span style="font-weight: 400;">standardization</span></i><span style="font-weight: 400;">—took center stage during an engaging panel moderated by </span><b>Mark Orsi</b><span style="font-weight: 400;">, CEO at <em>Global Resilience Federation.</em></span><span style="font-weight: 400;"> He was joined by:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><em><b>Linnea Solem</b><span style="font-weight: 400;">, CEO &amp; Founder of </span><span style="font-weight: 400;">Solem Risk Partners</span></em></li>
<li style="font-weight: 400;" aria-level="1"><em><b>Dr. Angela Dogan</b><span style="font-weight: 400;">, <span data-olk-copy-source="MessageBody">Associate Director | Security and Resiliency, Kyndryl</span></span></em></li>
<li style="font-weight: 400;" aria-level="1"><em><b>Andrew Moyad</b><span style="font-weight: 400;">, CEO of </span><span style="font-weight: 400;">Shared Assessments</span></em></li>
</ul>
<p><span style="font-weight: 400;">The panel acknowledged the difficulty of harmonizing frameworks across industries, but stressed its importance for scaling TPRM programs effectively. They emphasized that standardization doesn’t mean rigid uniformity—it’s about creating flexible, consistent structures that empower organizations to align on what matters most: transparency, accountability, and resilience.</span></p>
<h3><b>Celebrating the Legacy and Looking Ahead</b></h3>
<p><span style="font-weight: 400;">In honor of Shared Assessments’ 20th anniversary, CEO </span><b>Andrew Moyad</b><span style="font-weight: 400;"> hosted a reflective panel to celebrate the organization&#8217;s impact and discuss what lies ahead. He was joined by:</span></p>
<ul>
<li style="font-weight: 400;" aria-level="1"><em><b>Cathy Allen</b>, Founder and Chair of the Board, Board Risk Committee</em></li>
<li style="font-weight: 400;" aria-level="1"><em><b>Tom Garrubba</b>, Vice President and Sr. Manager for Security Policy &amp; Governance, PNC</em></li>
<li style="font-weight: 400;" aria-level="1"><em><b>Paul Kooney</b>, Managing Director, Protiviti, Inc.</em></li>
</ul>
<p><span style="font-weight: 400;">Together, they revisited the journey of building structure, trust, and credibility within a once-fragmented field. Looking forward, they agreed that the next 20 years of third-party risk management will demand even more agility, collaboration, and leadership—with Shared Assessments continuing to lead the charge as a trusted industry guide.</span></p>
<h3><b>Final Takeaways:</b></h3>
<ul>
<li style="font-weight: 400;" aria-level="1"><b>Geopolitics</b><span style="font-weight: 400;"> is no longer a background risk—it’s front and center.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>AI</b><span style="font-weight: 400;"> is both a disruptor and an accelerator—govern it with intention.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Exception-based, data-driven TPRM</b><span style="font-weight: 400;"> is where the field is headed.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Scalability</b><span style="font-weight: 400;"> comes from simplification and collaboration.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Shared values</b><span style="font-weight: 400;"> and resilient partnerships will define the future.</span></li>
</ul>
<p><span style="font-weight: 400;">As the Summit came to a close, one message resonated across every keynote, panel, and breakout: third-party risk management is no longer just a compliance function—it’s a strategic imperative. And, thanks to the collective insights shared over the past two days, attendees are better equipped than ever to lead their programs with confidence, clarity, and purpose.</span></p>
<h3><b>Thank You</b></h3>
<p class="" data-start="15" data-end="266">We extend our deepest gratitude to the outstanding speakers who shared their expertise, <span class="relative -mx-px my-[-0.2rem] rounded-sm px-px py-[0.2rem]">the engaged attendees who enriched our discussions</span>, and <span class="relative -mx-px my-[-0.2rem] rounded-sm px-px py-[0.2rem]">the sponsors whose generous support made the Shared Assessments 18th Annual <strong><em data-start="54" data-end="68">To Boldly Go</em></strong> Third Party Risk Summit a remarkable success</span>. <span class="relative -mx-px my-[-0.2rem] rounded-sm px-px py-[0.2rem]">Your collective contributions have propelled the conversation on third-party risk management forward.</span>​</p>
<p class="" data-start="268" data-end="349"><span class="relative -mx-px my-[-0.2rem] rounded-sm px-px py-[0.2rem]">A special acknowledgment to our sponsors:</span>​</p>
<ul>
<li data-start="353" data-end="457"><strong data-start="353" data-end="374">Platinum Sponsors</strong>: ​OneTrust</li>
<li data-start="460" data-end="560"><strong data-start="460" data-end="477">Gold Sponsors</strong>: ​Black Kite, BlueVoyant, Certa, ProcessUnity</li>
<li data-start="563" data-end="664"><strong data-start="563" data-end="577">Exhibitors</strong>: Coverbase, Cranium, Mirato, Mitratech, Whistic, Vanta</li>
</ul>
<p class="" data-start="666" data-end="751"><span class="relative -mx-px my-[-0.2rem] rounded-sm px-px py-[0.2rem]">Your support has been invaluable in making this event possible.</span>​ Thank you for being an integral part of this journey. We look forward to continuing our collaboration and advancing the field together.</p>
<p>The post <a href="https://sharedassessments.org/blog/summit-2025-day-2-recap/">Day 2 Recap – Shared Assessments Summit 2025: From Reflection to Reinvention</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Day 1 Recap – Shared Assessments Summit 2025: To Boldly Go Into The Future of Third-Party Risk</title>
		<link>https://sharedassessments.org/blog/summit-2025-day-1-recap/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Thu, 27 Mar 2025 01:32:31 +0000</pubDate>
				<category><![CDATA[Shared Assessments]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=76232</guid>

					<description><![CDATA[<p>The first day of the 2025 Shared Assessments Summit launched with the energy and vision befitting its milestone 20th anniversary. Themed “To Boldly Go,” this year’s Summit challenges risk leaders to break from tradition and take proactive steps into the future of third-party risk management (TPRM)—from cloud transformation and AI to real-time monitoring and evolving [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/summit-2025-day-1-recap/">Day 1 Recap – Shared Assessments Summit 2025: To Boldly Go Into The Future of Third-Party Risk</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;">The first day of the 2025 Shared Assessments Summit launched with the energy and vision befitting its milestone 20th anniversary. Themed </span><b>“To Boldly Go,”</b><span style="font-weight: 400;"> this year’s Summit challenges risk leaders to break from tradition and take proactive steps into the future of third-party risk management (TPRM)—from cloud transformation and AI to real-time monitoring and evolving regulatory complexity.</span></p>
<p><span style="font-weight: 400;">With engaging keynotes, in-depth panel discussions, and hands-on practitioner tracks, Day 1 offered risk professionals a powerful combination of strategy, innovation, and practical tools. Here’s what stood out.</span></p>
<h3><b>Cloud Risks and the Shared Responsibility Mindset</b></h3>
<p><span style="font-weight: 400;">The day’s early panels highlighted the evolving risk realities of cloud-first ecosystems. As organizations migrate infrastructure and workloads to the cloud, many assume that security is built-in. But panelists urged attendees to rethink that assumption: cloud security is a shared responsibility, and too many breaches still result from misconfigurations and poor hygiene.</span></p>
<p><span style="font-weight: 400;">The session explored how organizations must proactively monitor their use of the cloud, not just the providers themselves. AI also took center stage, both as a defense tool and a growing threat, forcing risk leaders to plan for adversaries using the same tools they&#8217;re adopting for protection​.</span></p>
<h3><b>Navigating the Global Regulatory Frontier</b></h3>
<p><span style="font-weight: 400;">A session on post-DORA and NIS2 compliance brought clarity to the fast-changing global regulatory landscape. With new frameworks emerging in Europe, evolving expectations in the U.S., and fresh AI governance efforts worldwide, organizations are being challenged to harmonize their risk programs across fragmented jurisdictions.</span></p>
<p><span style="font-weight: 400;">Rather than default to a “strictest standard wins” approach, panelists advocated for </span><b>flexible, principles-based frameworks</b><span style="font-weight: 400;"> tailored to business impact. The message was clear: compliance must be integrated into operational resilience—and done in a way that supports the business, not slows it down​.</span></p>
<h3><b>Automation: Why Wait?</b></h3>
<p><span style="font-weight: 400;">In the spirit of the Summit’s theme, another session encouraged attendees </span><b>to boldly automate</b><span style="font-weight: 400;">. TPRM teams today are expected to do more with fewer resources—and automation, paired with AI, is stepping up to meet that challenge.</span></p>
<p><span style="font-weight: 400;">From scanning SOC reports to flagging high-risk vendors, automation is already being used to compress assessment timelines and expand program reach. But adoption depends on trust: AI must be explainable, accurate, and auditable. The takeaway? Automation isn’t a future state—it’s the current baseline for scalable third-party risk programs​.</span></p>
<h3><b>Future-Proofing the Most Critical Vendors</b></h3>
<p><span style="font-weight: 400;">A cornerstone panel focused on </span><b>future-proofing critical third-party relationships</b><span style="font-weight: 400;">—a timely topic as geopolitical instability, data localization rules, and service concentration risks grow.</span></p>
<p><span style="font-weight: 400;">Panelists explored how to define vendor criticality, embed controls during contracting, and apply continuous monitoring throughout the relationship lifecycle. They stressed that oversight doesn’t end at onboarding. It’s a continuous, collaborative effort—and must include real plans for vendor failure, termination, and data handoffs​.</span></p>
<h3><b>Practitioner Track Highlights: Lessons from the Front Lines</b></h3>
<p><span style="font-weight: 400;">The afternoon offered specialized tracks for practitioners looking to go deep on execution. Here are some highlights:</span></p>
<h4><b>Building a Continuous Monitoring Ecosystem</b></h4>
<p><span style="font-weight: 400;">The panel on </span><b>Building a Continuous Monitoring Ecosystem</b><span style="font-weight: 400;"> emphasized the urgent need for third-party risk management (TPRM) programs to evolve from periodic assessments to real-time, continuous oversight. Panelists shared that while technology is crucial, true impact comes from aligning monitoring efforts with organizational priorities like operational continuity and regulatory exposure. Success requires prioritizing high-risk vendors, integrating diverse data sources, and fostering collaboration across teams. The session offered tactical advice, including starting small, using automation, and creating clear escalation protocols. Ultimately, continuous monitoring isn’t just a tool—it’s a mindset that enables proactive, scalable, and business-aligned risk management.</span></p>
<h4><b>Managing Non-Traditional Vendors</b></h4>
<p><span style="font-weight: 400;">The panel on </span><b>managing risk for non-traditional vendors</b><span style="font-weight: 400;"> explored how third-party risk management (TPRM) must evolve to address relationships that fall outside traditional IT or data-driven categories. These vendors—such as facilities providers, legal advisors, and sub-advisors—may not handle sensitive data but still pose operational, reputational, or compliance risks. Panelists emphasized the importance of broadening the definition of a third party and tailoring oversight based on the nature and impact of each vendor’s role. Strategies included using contextual assessments, updating classification frameworks, and fostering cross-functional collaboration. Ultimately, the session highlighted the need for </span><b>right-sized, flexible, and inclusive TPRM strategies</b><span style="font-weight: 400;"> that balance efficiency with effective risk control.</span></p>
<h4><b>Engineering Smarter Vendor Contracts</b></h4>
<p><span style="font-weight: 400;">The panel on </span><b>engineering vendor contracts for the future</b><span style="font-weight: 400;"> emphasized that third-party agreements must evolve from static legal documents into dynamic tools for risk management, resilience, and adaptability. Contracts should proactively address modern threats such as AI risks, cybersecurity, and shifting regulations by embedding flexible, scalable clauses and clearly defining responsibilities—especially in shared service models like cloud environments. Panelists advocated for automation in contract management to ensure consistency and uncover risk-related gaps, while stressing that governance and oversight remain crucial. Ultimately, future-proofing starts with the first draft: contracts must be designed to adapt, enforce accountability, and support strategic third-party risk management from day one.</span></p>
<h3><b>Key Day 1 Themes:</b></h3>
<ul>
<li style="font-weight: 400;" aria-level="1"><b>Adaptability is everything.</b><span style="font-weight: 400;"> Risk programs must be built to evolve—across tools, policies, and partnerships.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>AI is here.</b><span style="font-weight: 400;"> Whether enabling faster risk decisions or empowering threat actors, it’s no longer optional to understand and govern it.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Risk is shared.</b><span style="font-weight: 400;"> From cloud security to vendor oversight, accountability must be clearly defined—and contractually enforced.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>Continuous means continuous.</b><span style="font-weight: 400;"> Annual reviews aren’t enough. Monitoring needs to be real-time, relevant, and scalable.</span></li>
<li style="font-weight: 400;" aria-level="1"><b>The TPRM perimeter is expanding.</b><span style="font-weight: 400;"> Risk leaders are now responsible for a broader universe of vendors, services, and expectations.</span></li>
</ul>
<h3><b>Looking Ahead to Day 2</b></h3>
<p><span style="font-weight: 400;">Day 2 of the Shared Assessments Summit continues the momentum with a compelling keynote on managing geopolitical risk, followed by a forward-looking panel on how AI and cutting edge technologies are reshaping risk management. Breakout sessions will offer practical strategies on streamlining assessments, embracing exception-based TPRM, and reducing risk across the vendor lifecycle. Attendees can also visit the </span><b>Risk Launchpad</b><span style="font-weight: 400;"> for expert guidance on real-world challenges. The afternoon wraps with a celebration of Shared Assessments’ 20-year legacy and a panel on overcoming fragmentation to achieve greater standardization in third-party risk.</span></p>
<p>The post <a href="https://sharedassessments.org/blog/summit-2025-day-1-recap/">Day 1 Recap – Shared Assessments Summit 2025: To Boldly Go Into The Future of Third-Party Risk</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>To Boldly Go: Charting the Future of Third Party Risk Management</title>
		<link>https://sharedassessments.org/blog/to-boldly-go-charting-the-future-of-third-party-risk-management/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Mon, 24 Mar 2025 18:59:56 +0000</pubDate>
				<category><![CDATA[Shared Assessments]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=76161</guid>

					<description><![CDATA[<p>The 18th annual Shared Assessments Third Party Risk Summit returns to Fort Lauderdale on March 26-27, 2025, embracing this year&#8217;s forward-looking theme: &#8220;To Boldly Go.&#8221; As organizations navigate the evolving complexities of third party risk management (TPRM), the Summit provides a unique opportunity to explore new frontiers and harness the innovations shaping the future. Attendees [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/to-boldly-go-charting-the-future-of-third-party-risk-management/">To Boldly Go: Charting the Future of Third Party Risk Management</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The 18th annual <strong><a href="https://sharedassessments.org/summit/">Shared Assessments Third Party Risk Summit</a></strong> returns to Fort Lauderdale on March 26-27, 2025, embracing this year&#8217;s forward-looking theme: &#8220;To Boldly Go.&#8221; As organizations navigate the evolving complexities of third party risk management (TPRM), the Summit provides a unique opportunity to explore new frontiers and harness the innovations shaping the future. Attendees can expect to engage deeply in discussions that address both the immediate and long-term challenges facing risk professionals, highlighting practical solutions to enhance resilience and adaptability in their risk management strategies.</p>
<p>Established two decades ago, Shared Assessments has consistently been at the forefront of advancing TPRM practices. What began as a collaborative effort among financial services companies seeking standardized assessment frameworks has grown into an influential global organization shaping the very standards and methodologies that govern third party risk today. As we celebrate our 20th anniversary at this year’s Summit, we proudly reflect on past milestones, while recognizing industry leaders and visionaries who have significantly influenced our community’s practices and standards. Their collective vision and efforts have fostered collaboration across industries, leading to robust frameworks that are widely adopted across the industry.</p>
<p>This year, attendees will engage with thought leaders and industry experts across sessions designed to illuminate the future of risk management. Experts in risk management will discuss critical trends such as cloud security, regulatory compliance including emerging standards like DORA and NIS2, and the strategic use of artificial intelligence, quantum computing, and blockchain technologies. These sessions will offer not just insights, but also detailed forecasts on how evolving technologies and regulations might reshape third party ecosystems.</p>
<p>Practical breakout sessions offer actionable strategies, emphasizing automation, continuous monitoring, and the management of critical third party relationships. Panels will address geopolitical risk management, the complexities of global supply chains, and methods for harmonizing compliance across multiple jurisdictions. Real-world case studies and interactive workshops will empower attendees with tools and tactics they can immediately implement in their organizations.</p>
<p>Looking ahead, Shared Assessments remains committed to guiding organizations through the increasingly sophisticated landscape of TPRM, promoting standardization, and providing essential resources and frameworks. Join industry pioneers at the Summit to boldly chart the next era of Third Party Risk Management.</p>
<p>The post <a href="https://sharedassessments.org/blog/to-boldly-go-charting-the-future-of-third-party-risk-management/">To Boldly Go: Charting the Future of Third Party Risk Management</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Third-Party Vendors: Definition, Role &#038; How They Impact Your Business</title>
		<link>https://sharedassessments.org/blog/third-party-vendors-definition-role-how-they-impact-your-business/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Wed, 19 Mar 2025 15:35:01 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=75630</guid>

					<description><![CDATA[<p>Understanding The Role Of Third-Party Vendors In Business Operations Imagine a world where your business depends on numerous external partners, each essential to your success yet also bringing potential risks into play. Third-party vendors are exactly that —external companies providing essential goods or services that help businesses operate more efficiently but also pose unique challenges. [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/third-party-vendors-definition-role-how-they-impact-your-business/">Third-Party Vendors: Definition, Role &#038; How They Impact Your Business</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2><strong>Understanding The Role Of Third-Party Vendors In Business Operations</strong></h2>
<p>Imagine a world where your business depends on numerous external partners, each essential to your success yet also bringing potential risks into play. Third-party vendors are exactly that: external companies providing essential goods or services that help businesses operate more efficiently but also pose unique challenges. Properly understanding and managing third-party vendors is key to ensuring your organization remains secure, compliant, and resilient. Effective vendor risk management ensures smooth business operations and enhances operational efficiency by carefully monitoring business relationships and assessing vendors&#8217; ability to meet contractual obligations.</p>
<h2><strong>Defining A Third-Party Vendor: What Is a Third-Party Vendor?</strong></h2>
<p>A third-party vendor is an external entity that provides goods and services to businesses. These vendors operate independently and play a critical role in the supply chain and delivery of resources, technology, and services. Organizations engage with third-party vendors for various reasons, including cost savings, access to specialized expertise, and the ability to scale business operations efficiently.</p>
<p>Assessing new vendors and conducting due diligence are crucial steps in managing third-party risks. These processes help identify and mitigate cybersecurity threats and other vulnerabilities associated with outsourcing.</p>
<p>There are different types of third-party vendors, with the most common being suppliers, consultants, and IT service providers.</p>
<h3><strong>Examples of Third-Party Vendors</strong></h3>
<p>Examples of third-party vendors include:</p>
<ul>
<li><strong>Suppliers</strong>: Companies that provide raw materials, components, or goods used in an organization’s production process.</li>
<li><strong>Contractors</strong>: Individuals or companies hired to perform specific tasks or projects for an organization.</li>
<li><strong>Service Providers</strong>: Companies that offer services such as IT support, consulting, or outsourcing.</li>
<li><strong>Business Partners</strong>: Companies that collaborate with an organization to achieve common goals or objectives.</li>
<li><strong>Affiliates</strong>: Companies that have a business relationship with an organization but are not directly controlled by it.</li>
</ul>
<p>These third-party vendors can provide essential services and products, but they also pose unique risks to an organization’s security, compliance, and reputation. Effective third-party risk management (TPRM) is crucial for proactively managing risks, protecting businesses, maintaining compliance, and ensuring smooth operations.</p>
<h2><strong>Types of Third-Party Vendors</strong></h2>
<h3><strong>IT Service Providers</strong></h3>
<p>IT service providers offer a range of technology-related services that support business operations, efficiency, and security.</p>
<ul>
<li><strong>Cloud Service Providers</strong> offer platforms and software solutions hosted remotely (in the “cloud”) and accessed over the internet rather than a physical on-site server. These vendors are essential for businesses across industries, providing tailored solutions for data storage, application management, and workload optimization. It is crucial to ensure that these providers protect sensitive information to maintain data security and compliance with rising regulations.</li>
<li><strong>Software Vendors</strong>, commonly referred to as “Software as a Service” (SaaS) providers, create and sell software products ranging from operating systems to industry-specific solutions. These vendors are critical for supporting organizations with productivity, security, data management, and efficiency.</li>
</ul>
<h3><strong>Suppliers and Manufacturers</strong></h3>
<p>Suppliers and manufacturers provide raw materials or finished products that businesses need to operate. These vendors are critical to the supply chain, ensuring that businesses have the necessary resources for production and distribution.</p>
<p>Effectively managing third-party relationships is essential to reduce risks associated with suppliers and vendors, whose products or services can have a significant impact on a company&#8217;s operations.</p>
<h3><strong>Consultants and Professional Services</strong></h3>
<p>Consultants and professional service providers offer specialized knowledge and expertise, such as legal services, financial consulting, and risk advisory. These vendors help organizations navigate complex business challenges and maintain regulatory compliance.</p>
<h2><strong>Why Do Businesses Use Third-Party Vendors?</strong></h2>
<p>Businesses rely on third-party vendors for several reasons:</p>
<ul>
<li><strong>Cost Savings</strong> – Outsourcing certain functions to vendors can reduce operational expenses.</li>
<li><strong>Access to Expertise</strong> – Vendors often have specialized knowledge and technology that businesses may not have in-house.</li>
<li><strong>Scalability</strong> – Third-party vendors help organizations quickly expand or adjust operations without significant internal investments.</li>
<li><strong>Efficiency</strong> – Leveraging vendors allows businesses to focus on core competencies while external partners handle non-core activities.</li>
</ul>
<p>Addressing customer needs and risks is crucial in vendor management to ensure compliance and protect the interests of both the organization and its customers.</p>
<p>Vendor risk management is not only considered a best practice but also a regulatory requirement for many organizations. Failing to comply with regulations can expose organizations to various risks, including security breaches, legal liabilities, and financial penalties. By actively engaging in vendor risk management, organizations can protect sensitive data and ensure the integrity of their operations.</p>
<h2><strong>Key Differences between Vendors and Suppliers</strong></h2>
<p>While the terms “vendor” and “supplier” are often used interchangeably, there are key differences between the two. Understanding these differences is essential for effective third-party risk management (TPRM).</p>
<ul>
<li><strong>Vendors</strong> provide finished goods or services directly to an organization for resale or operational use. Examples of vendors include software vendors, hardware vendors, and services vendors.</li>
<li><strong>Suppliers</strong>, on the other hand, provide essential specialized goods, services, or raw materials to an organization. Suppliers play a crucial role in an organization’s value chain and may be involved in the buyer’s supply chain.</li>
</ul>
<p>In summary, vendors provide finished products or services, while suppliers provide raw materials, components, or services that are essential for an organization’s production or operational processes. Both vendors and suppliers pose risks to an organization, but the nature and scope of these risks differ. Effective TPRM requires understanding these differences and implementing appropriate risk mitigation strategies.</p>
<h2><strong>Risks Associated with Third-Party Vendors</strong></h2>
<p>While third-party vendors provide significant benefits, they also introduce potential risks.</p>
<h3><strong>Security Risks</strong></h3>
<p>Third-party vendors often handle sensitive data, making these parties prime targets for cyberattacks. Data breaches, malware infections, ransomware attacks, and unauthorized access to confidential information can have severe consequences. Businesses must ensure their vendors follow robust cybersecurity protocols to mitigate these potential threats.</p>
<h3><strong>Compliance Risks</strong></h3>
<p>Engaging third-party vendors can impact regulatory compliance. Many industries have strict regulations, such as <strong>GDPR, CCPA, and HIPAA</strong>, that vendors must adhere to. Failure to comply with these standards can lead to legal consequences, financial penalties, and reputational damage.</p>
<h3><strong>Financial Risks</strong></h3>
<p>Vendor failures, contract disputes, or supply chain disruptions can have significant financial repercussions. Organizations must assess vendor financial stability and establish contingency plans to manage potential disruptions effectively.</p>
<h2><strong>Best Practices for Managing Third-Party Vendors</strong></h2>
<p>Implementing a strong vendor risk management program is essential to maintaining security and efficiency in business operations.</p>
<h3><strong>Establishing Clear Contracts</strong></h3>
<p>A well-defined contract outlines expectations, deliverables, compliance requirements, and risk mitigation strategies. Businesses should include service level agreements (SLAs) to hold vendors accountable.</p>
<h3><strong>Regular Performance Monitoring</strong></h3>
<p>Organizations should track vendor performance using key performance indicators (KPIs). Conducting regular reviews ensures vendors meet expectations and remain compliant with security and operational standards.</p>
<h3><strong>Conducting Regular Risk Assessments</strong></h3>
<p>Businesses should periodically evaluate vendor risk profiles and adjust risk management strategies accordingly. Continuous assessments help identify emerging threats and ensure vendors align with organizational goals.</p>
<h2><strong>When Should A Company Reevaluate Its Vendor Relationships?</strong></h2>
<p>Vendor relationships should be reviewed periodically to ensure alignment with business objectives. Companies should reevaluate vendors under the following circumstances:</p>
<ul>
<li><strong>Changes in Business Strategy</strong> – A shift in company direction may require different vendor capabilities.</li>
<li><strong>Performance Issues</strong> – Vendors that fail to meet expectations or compliance requirements may pose risks.</li>
<li><strong>Regulatory Changes</strong> – New compliance mandates may necessitate vendor reassessments.</li>
<li><strong>Security Concerns</strong> – Any indication of a vendor’s cybersecurity vulnerabilities should prompt an immediate review.</li>
</ul>
<h2><strong>Explore Shared Assessments’ Vendor Risk Management Solutions</strong></h2>
<p>Effectively managing third-party vendors requires a structured and proactive approach. Shared Assessments offers comprehensive <a href="https://sharedassessments.org/products/">Third Party Risk Management Solutions</a> designed to help organizations effectively assess and manage the risks associated with their external vendors. Our flagship product, the <a href="https://sharedassessments.org/sig/">Standardized Information Gathering (SIG) Questionnaire</a>, identifies potential vulnerabilities and ensures that vendors meet required security and compliance standards. Shared Assessments’ solutions enable organizations to strengthen their risk management processes, enhance data protection, and improve vendor oversight.</p>
<h2><strong>Inquire Here</strong></h2>
<p>Have questions about vendor risk management? Contact Shared Assessments for expert guidance. <a href="https://sharedassessments.org/product-inquiry/"><strong>Get in touch today</strong></a><strong>.</strong></p>
<p>The post <a href="https://sharedassessments.org/blog/third-party-vendors-definition-role-how-they-impact-your-business/">Third-Party Vendors: Definition, Role &#038; How They Impact Your Business</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>New Opportunities With Shared Assessments&#8217; Committees</title>
		<link>https://sharedassessments.org/blog/sa-committees-2025/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Wed, 15 Jan 2025 20:22:55 +0000</pubDate>
				<category><![CDATA[Shared Assessments]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=74144</guid>

					<description><![CDATA[<p>As we move into the new year, Shared Assessments is thrilled to introduce some exciting developments in our Committees for 2025. These updates will create more opportunities for professionals across all stages of their careers in third-party risk management (TPRM) — from newcomers to seasoned experts — to engage, learn, and grow in our critical [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/sa-committees-2025/">New Opportunities With Shared Assessments&#8217; Committees</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>As we move into the new year, Shared Assessments is thrilled to introduce some exciting developments in our <a href="https://sharedassessments.org/committees/">Committees</a> for 2025. These updates will create more opportunities for professionals across all stages of their careers in third-party risk management (TPRM) — from newcomers to seasoned experts — to engage, learn, and grow in our critical field.</p>
<h3><strong>About Shared Assessments Committees</strong></h3>
<p>Shared Assessments committees play a crucial role in shaping the industry&#8217;s approach to TPRM. Committees work to create and maintain best practices, frameworks, and standards for effective TPRM programs. Additionally, committees proactively identify and address emerging risks and challenges in the third-party ecosystem, such as cybersecurity threats, geopolitical risks, and supply chain disruptions. Committees provide a platform for Shared Assessments members to share knowledge and lessons learned with each other. By actively participating in these committees, our members contribute to the advancement of TPRM practices, gaining valuable insights and knowledge while enhancing their own professional development.</p>
<h3><strong>New Foundations Committee</strong></h3>
<p>One of the most notable additions to Shared Assessments&#8217; array of committees in 2025 is the <strong>Foundations Committee</strong>, designed specifically for those who are just starting out in third-party risk, have recently become practitioners, or desire a refresh by going &#8220;back to the basics.&#8221; The <strong>Foundations Committee</strong> will officially launch in <strong>April 2025</strong>, with registration opening in <strong>March 2025</strong>. This is your opportunity to get involved in a committee designed to help you <strong>learn, grow, and engage</strong> within the Shared Assessments community.</p>
<p>Participants in the Foundations Committee will learn by engaging in practical, skill-building activities that provide deep insights into real-world processes and risk management activities. This is an excellent starting point for those preparing for <a href="https://sharedassessments.org/certifications/">Shared Assessments certifications</a>, offering a solid foundation to excel in studies and to prepare for exams. The Foundations Committee will build practitioners&#8217; confidence in using a wide range of products and solutions, and leave participants better equipped to identify and manage third-party risks.</p>
<p>Contribute to the strength and cohesion of the Shared Assessments community. Build relationships with industry peers, share knowledge, and collaborate on initiatives that shape the future of third-party risk management. Become empowered to take on more responsibility in your career. The Foundations Committee is ideal for those looking to immerse themselves in the fundamentals of third-party risk while preparing to make a greater impact within the industry.</p>
<h3><strong>New Committee Tier Structure</strong></h3>
<p>In 2025, Shared Assessments is introducing a <strong>new tiered structure</strong> for committee participation, designed to offer even more thought leadership opportunities to our valued members and subscribers while continuing to allow non-members to get a feel for the Shared Assessments community.</p>
<p><strong>For Members:</strong> Our members will enjoy full access to all committees within Shared Assessments listed below. <a href="https://sharedassessments.org/committees/">Please find full committee details and descriptions here.</a></p>
<table class="t1" style="width: 1072px;" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="td1" style="width: 519.6px;" valign="top">
<p class="p1">Artificial Intelligence and Emerging Technology Committee</p>
</td>
<td class="td1" style="width: 548.643px;" valign="top">
<p class="p1">Insurance Committee</p>
</td>
</tr>
<tr>
<td class="td1" style="width: 519.6px;" valign="top">
<p class="p1">Best Practices Committee</p>
</td>
<td class="td1" style="width: 548.643px;" valign="top">
<p class="p1">Procurement &amp; Sourcing Committee</p>
</td>
</tr>
<tr>
<td class="td1" style="width: 519.6px;" valign="top">
<p class="p1">Financial Services Committee</p>
</td>
<td class="td1" style="width: 548.643px;" valign="top">
<p class="p1">Products Development Committee</p>
</td>
</tr>
<tr>
<td class="td1" style="width: 519.6px;" valign="top">
<p class="p1">Foundations Committee</p>
</td>
<td class="td1" style="width: 548.643px;" valign="top">
<p class="p1">Regulatory Committee</p>
</td>
</tr>
<tr>
<td class="td1" style="width: 519.6px;" valign="top">
<p class="p1">Healthcare Committee</p>
</td>
<td class="td1" style="width: 548.643px;" valign="top">
<p class="p1">Sustainability Committee</p>
</td>
</tr>
</tbody>
</table>
<p><strong>For Product Subscribers:</strong> Our active subscribers now have the opportunity to attend a select number of committees. Product Subscribers are eligible to attend:</p>
<table class="t1" style="width: 1071px;" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td class="td1" style="width: 303.281px;" valign="top">
<p class="p1">Best Practices Committee</p>
</td>
<td class="td1" style="width: 323.301px;" valign="top">
<p class="p1">Foundations Committee</p>
</td>
<td class="td1" style="width: 439.414px;" valign="top">
<p class="p1">Products Development Committee</p>
</td>
</tr>
</tbody>
</table>
<p><strong>For Non-Members:</strong> For those in our TPRM community considering membership, we are offering <strong>one free year</strong> of the <strong>Best Practices Committee</strong> and the <strong>Foundations Committee</strong>. Join these groups to preview the benefits of a Shared Assessments membership.</p>
<h3><strong>Why Join Shared Assessments?</strong></h3>
<p>Shared Assessments is the leading organization in the third-party risk management space, providing valuable resources, networking opportunities, and thought leadership to professionals worldwide. With the introduction of the <strong>Foundations Committee</strong> and the updated committee structure, 2025 promises to be an exciting year of learning and professional growth.</p>
<p>If you are ready to build your career in third-party risk, <a href="https://sharedassessments.org/membership-inquiry/"><strong>join us</strong> as a member or subscriber</a>, or take advantage of our non-member offer for one free year of committees. Together, we’ll continue to build a stronger, more resilient community focused on addressing the critical challenges in third-party risk management. <strong>Get involved today and shape the future of Third-Party Risk Management!</strong></p>
<p>The post <a href="https://sharedassessments.org/blog/sa-committees-2025/">New Opportunities With Shared Assessments&#8217; Committees</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Effective TPRM Foundations: Building Business Continuity and Operational Resilience to Strengthen Supply Chains</title>
		<link>https://sharedassessments.org/blog/effective-tprm-foundations/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Thu, 21 Nov 2024 00:36:07 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=72549</guid>

					<description><![CDATA[<p>Shared Assessments’ latest TPRM professional resource, Effective TPRM Foundations: Building Business Continuity and Operational Resilience to Strengthen Supply Chains, provides strategies for leveraging operational resilience and business continuity planning to build supply chain resilience. The resource underscores how quantifiable metrics such as KPIs and KRIs help organizations to measure performance, streamline reporting, and anticipate risk. [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/effective-tprm-foundations/">Effective TPRM Foundations: Building Business Continuity and Operational Resilience to Strengthen Supply Chains</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Shared Assessments’ latest TPRM professional resource, <em><a href="https://sharedassessments.org/paper/effective-tprm-foundations/">Effective TPRM Foundations: Building Business Continuity and Operational Resilience to Strengthen Supply Chains</a></em>, provides strategies for leveraging operational resilience and business continuity planning to build supply chain resilience. The resource underscores how quantifiable metrics such as KPIs and KRIs help organizations to measure performance, streamline reporting, and anticipate risk.</p>
<p>Organizations typically depend on a tiered network of vendors, often extending beyond third-party to Nth-party relationships, to sustain their operations. To prudently manage the supply chain, organizations must effectively manage the vendor lifecycle, including:</p>
<ul>
<li>Establishing onboarding processes that align new vendors with the organization’s risk management expectations and foster a shared operating vision.</li>
<li>Implementing enforceable contracts that set standards, hold suppliers accountable, and close accountability gaps.</li>
<li>Evaluating critical supplier business continuity management (BCM) and disaster recovery (DR) plans to assess risk.</li>
<li>Conducting operational resilience testing across the supply chain to assess supplier readiness and identify weaknesses.</li>
<li>Implementing ongoing monitoring of the supply chain to quickly identify and respond to disruptions.</li>
<li>Executing structured offboarding practices to safeguard organizational assets and sensitive information.</li>
</ul>
<p>Effective supply chain resilience also requires strong, proactive communication and partnerships with vendors. By systematically measuring supplier performance and monitoring risks through metrics, organizations can identify gaps, monitor risk mitigation efforts, and align vendor operations with objectives. Additionally, these metrics facilitate clear reporting and collaboration across stakeholders. This paper provides examples of KPIs and KRIs, providing a foundation for organizations to develop metrics tailored to their specific needs.</p>
<p>This resource, the fourth in the Shared Assessments Global TPRM Practices Committee’s 2024 paper series, represents the work of the project team of SMEs who stepped forward to update this guide. The best practice solutions that have evolved over the past two decades are brought together and refined by the Global TPRM Best Practices Committee, which is open to members and non-members and currently has more than 260 registered individuals from 185 organizations spanning 15 time zones. If you would like to join, we’d love to have you. You can learn about our other committees at <a href="https://sharedassessments.org/committees/">https://sharedassessments.org/committees/</a>.</p>
<p>The full paper and Practitioner Guide are available for <a href="https://sharedassessments.org/paper/effective-tprm-foundations/">download here.</a></p>
<p>The post <a href="https://sharedassessments.org/blog/effective-tprm-foundations/">Effective TPRM Foundations: Building Business Continuity and Operational Resilience to Strengthen Supply Chains</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>A Roadmap For Maturity: Revving Up Risk Management</title>
		<link>https://sharedassessments.org/blog/a-roadmap-for-maturity-revving-up-risk-management/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Thu, 07 Nov 2024 18:19:48 +0000</pubDate>
				<category><![CDATA[Tools and Products]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=72198</guid>

					<description><![CDATA[<p>Vendor Risk Management Maturity Model (VRMMM) VRMMM is more than the sound of a Formula 1 race car at the starting line – it’s the preeminent benchmarking tool for risk management! The Vendor Risk Management Maturity Model (VRMMM) helps organizations to assess the maturity of their third-party risk programs. The VRMMM offers a set of [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/a-roadmap-for-maturity-revving-up-risk-management/">A Roadmap For Maturity: Revving Up Risk Management</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h3><strong>Vendor Risk Management Maturity Model (VRMMM)</strong></h3>
<p>VRMMM is more than the sound of a Formula 1 race car at the starting line – it’s the preeminent benchmarking tool for risk management!</p>
<p>The <a href="https://sharedassessments.org/blog/a-roadmap-for-maturity-revving-up-risk-management/">Vendor Risk Management Maturity Model (VRMMM)</a> helps organizations to assess the maturity of their third-party risk programs. The VRMMM offers a set of comprehensive best practices and industry benchmarks. Risk programs measure their organizations in comparison to these standards, gaining an understanding of requirements, risks, and how risks are managed across departments. Using the VRMMM, risk programs can plan projects, improvements and resource adjustments.</p>
<blockquote><p><em>&#8220;The <strong>VRMMM</strong> is helping us to pinpoint and create a three-year <strong>road map for maturity</strong> which is incredible! I know many colleagues that have paid hundreds of thousands of dollars for current state and future state maturation road maps. The <strong>VRMMM</strong> has done that for us. We have been able to cherry-pick what works, what we think is more immediate, and what may be a future need.&#8221;</em></p>
<p><em>-VRMMM User, Major American Daily Newspaper</em></p></blockquote>
<h3><strong>What’s New In The 2025 VRMMM?</strong></h3>
<p>Shared Assessments has introduced an “<em>Interagency Guidance Gap Analysis</em>” as an accompaniment to the <a href="https://sharedassessments.org/vrmmm/">2025 Vendor Risk Management Maturity Model (VRMMM)</a>. This <em>Gap Analysis</em> is intended to be used as an active worksheet or tool that guides organizations as they implement the <em>Interagency Guidance</em> released by the FDIC, FRB, and the OCC.</p>
<p>Connecting directly with the VRMMM, the <em>Interagency Guidance Gap Analysis</em> indicates questions or areas within the VRMMM that organizations can focus on to remediate or to build out specific parts of their TPRM programs. The <em>Interagency Guidance</em> and <em>Gap Analysis</em> both follow a risk-based approach, balancing risks with appropriate controls.</p>
<p>You can read more about the <em><a href="https://sharedassessments.org/interagency-guidance-gap-analysis/">Interagency Guidance Gap Analysis</a></em> here.</p>
<h3><strong>How Does The VRMMM Work?</strong></h3>
<p>The VRMMM works by breaking third-party risk down into eight categories and exploring more than 250 program elements that should form the basis of a well-run third-party risk management program. The VRMMM allows practitioners to:</p>
<ul>
<li>Adapt a program structure by type of outsourced services and maturity level based on industry, organization size, and risk tolerance</li>
<li>Make informed decisions for resource allocation and vendor-related risk</li>
<li>Establish a baseline against which to benchmark program maturity</li>
<li>Use program governance as a foundational element for other risk program criteria</li>
<li>Identify components that will deliver the highest organizational value</li>
<li>Track program maturity over time to determine and communicate progress</li>
<li>Identify areas for improvement</li>
</ul>
<p>The VRMMM is broken down into three sections &#8211; Foundations, Operations, and Measurements.</p>
<h3><strong>VRMMM Foundations Section: Ready</strong></h3>
<p>The foundational section of the VRMMM focuses on building vendor risk management programs through defining objectives and goals. Foundations also covers policies, standards, and procedures, leading all the way up to contracts and vendor termination or exit procedures.</p>
<h3><strong>VRMMM Operations Section: Set</strong></h3>
<p>The second section of the VRMMM focuses on implementing vendor risk management programs. This section covers the breadth of TPRM operations, from the assessment process itself to communications and information sharing. It also provides an overview of the skills &amp; expertise needed to carry out risk management activities.</p>
<h3><strong>VRMMM Measurements Section: Accelerate!</strong></h3>
<p>The final section of the VRMMM helps with optimizing vendor risk management programs, from Tools, Measurement &amp; Analysis to Monitoring &amp; Review.</p>
<h3><strong>Ready, Set, Accelerate Your Risk Management Program &#8211; Join Us To See How With The VRMMM</strong></h3>
<p>The VRMMM allows risk management programs to benchmark and plan, and ultimately to accelerate. I welcome you to join me and my colleague Jennifer Hancock (Senior Advisor, Shared Assessments) for our upcoming <a href="https://sharedassessments-org.zoom.us/webinar/register/WN_-cMOBUe4Tkq3-p0jb2qFfQ#/registration">session on the VRMMM on November 13, 2024, 11:00am &#8211; 11:30am ET</a>. Jennifer has implemented the VRMMM within many organizations’ risk management programs as a consultant; our session will be use-case focused as we talk through how programs execute the VRMMM and use it within their programs. See you there!</p>
<p>The post <a href="https://sharedassessments.org/blog/a-roadmap-for-maturity-revving-up-risk-management/">A Roadmap For Maturity: Revving Up Risk Management</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>DORA: Knocking On Risk Management&#8217;s Door</title>
		<link>https://sharedassessments.org/blog/dora-risk-management/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Mon, 04 Nov 2024 14:04:58 +0000</pubDate>
				<category><![CDATA[Framework, Industry Guidance, and Regulations]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=67556</guid>

					<description><![CDATA[<p>DORA Compliance Shared Assessments’ Standardized Information Gathering Questionnaire (SIG) is a valuable tool for achieving DORA (Digital Operational Resilience Act) compliance. The SIG provides a structured framework for assessing third-party risk. Shared Assessments 2025 SIG, to be released later this week, offers robust support of DORA standards through its mappings. How The Standardized Information Gathering [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/dora-risk-management/">DORA: Knocking On Risk Management&#8217;s Door</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h3><strong>DORA Compliance</strong></h3>
<p>Shared Assessments’ <a href="https://sharedassessments.org/sig/">Standardized Information Gathering Questionnaire (SIG)</a> is a valuable tool for achieving DORA (Digital Operational Resilience Act) compliance. The SIG provides a structured framework for assessing third-party risk. The Shared Assessments 2025 SIG, to be released later this week, offers robust support for DORA standards through its mappings.</p>
<h3><strong>How The Standardized Information Gathering Questionnaire (SIG) Covers DORA</strong></h3>
<p>DORA places a strong emphasis on managing risks associated with third-party service providers. By ensuring these third parties meet robust security and resilience standards, organizations can significantly enhance their overall operational resilience.</p>
<p>The 2025 SIG Questionnaire is designed to evaluate various aspects of a third party&#8217;s risk profile, including:</p>
<ul>
<li><strong>Cybersecurity:</strong> Assessing a third party&#8217;s security controls and practices.</li>
<li><strong>Business Continuity:</strong> Evaluating a third party&#8217;s ability to maintain operations during disruptions.</li>
<li><strong>Operational Resilience:</strong> Assessing a third party&#8217;s capacity to withstand and recover from adverse events.</li>
</ul>
<p>The 2025 SIG Questionnaire devotes a set of questions to DORA compliance across its various scoping levels:</p>
<ul>
<li><strong>SIG Lite:</strong> 2 Questions</li>
<li><strong>SIG Core:</strong> 8 Questions</li>
<li><strong>SIG Detail:</strong> 47 Questions</li>
</ul>
<p>The SIG provides a consistent methodology for assessing third-party risks, helping organizations identify and prioritize potential vulnerabilities. By covering a wide range of risk categories, SIG can help organizations identify risks that might not be apparent through other assessment methods. The SIG can be used to gather evidence of third-party compliance with various regulatory requirements, including those outlined in DORA.</p>
<p>By leveraging the forthcoming Shared Assessments 2025 SIG as part of a broader third-party risk management program, organizations can strengthen their third-party risk management practices and make significant progress towards DORA compliance.</p>
<h3><strong>What is DORA?</strong></h3>
<p>DORA is an EU regulation that entered into force in January 2023 and will apply as of January 2025. It aims to strengthen the IT security of financial entities such as banks, insurance companies, and investment firms. As stated by the <a href="https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en#related-content">European Insurance and Occupational Pensions Authority</a>, DORA is meant to make sure “that the financial sector in Europe can stay resilient in the event of a severe operational disruption.”</p>
<p>DORA weaves together rules relating to operational resilience for the financial sector applying to numerous types of financial entities and ICT (Information and Communications Technology) third-party service providers.</p>
<p>The financial sector is increasingly dependent on technology to deliver its services – and may become even more so with the <a href="https://www.imf.org/en/Blogs/Articles/2024/04/09/rising-cyber-threats-pose-serious-concerns-for-financial-stability">emerging role of Artificial Intelligence</a> &#8211; which makes financial entities vulnerable to cyber-incidents. (Look no further than the <a href="https://www.upguard.com/blog/biggest-data-breaches-financial-services">10 Biggest Breaches in Finance</a> to understand that cybercriminals choose their targets based on maximum impact and maximum profit – the financial sector is disproportionately impacted.)</p>
<p>When not managed properly, ICT risks can lead to disruptions of financial services globally. In turn, this would impact other companies, sectors, and even the broader economy, which emphasizes the importance of the digital operational resilience of the financial sector.</p>
<h3><strong>6 Key Areas Covered By DORA</strong></h3>
<p>With 6 pillars relating to third-party security, DORA covers:</p>
<ol>
<li><strong>ICT risk management: </strong>Principles and requirements on ICT risk management framework</li>
<li><strong>ICT third-party risk management:</strong> Monitoring third-party providers&#8217; risk and key contractual provisions</li>
<li><strong>Digital operational resilience testing:</strong> Basic and advanced testing</li>
<li><strong>ICT-related incidents:</strong> General requirements and reporting of major ICT-related incidents to competent authorities</li>
<li><strong>Information sharing:</strong> Exchange of information and intelligence on cyber threats</li>
<li><strong>Oversight of critical third-party providers:</strong> Oversight framework for critical ICT third-party providers</li>
</ol>
<h3><strong>Questions About DORA and the SIG?</strong></h3>
<p>As international liaisons for Shared Assessments, we specialize in Risk Management. We would welcome the opportunity to <a href="https://sharedassessments.org/product-inquiry/">meet with you briefly</a> to discuss how we can help your organization with DORA compliance using the SIG.</p>
<p>The post <a href="https://sharedassessments.org/blog/dora-risk-management/">DORA: Knocking On Risk Management&#8217;s Door</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>What&#8217;s New in the 2025 SIG Update</title>
		<link>https://sharedassessments.org/blog/2025-sig/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Thu, 31 Oct 2024 13:47:41 +0000</pubDate>
				<category><![CDATA[Tools and Products]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=71801</guid>

					<description><![CDATA[<p>Remember, we turn our clocks back the first Sunday in November as we fall into fall. And, we upgrade to the newest SIG the first Thursday in November as we rise above risk! Every year, Shared Assessments updates its tools for the third-party risk management lifecycle, including the Standardized Information Gathering (SIG) Questionnaire. Our talented [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/2025-sig/">What&#8217;s New in the 2025 SIG Update</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Remember, we turn our clocks back the first Sunday in November as we fall into fall. And, we upgrade to the newest SIG the first Thursday in November as we rise above risk!</p>
<p>Every year, Shared Assessments updates its tools for the third-party risk management lifecycle, including the <a href="https://sharedassessments.org/sig/">Standardized Information Gathering (SIG) Questionnaire</a>.</p>
<p>Our product team works alongside practitioners and industry experts within our member community to refresh SIG content based on emerging global risks, regulations, guidelines, and standards for a wide range of industries. Since its inception, the SIG has been made by risk management for risk management and remains the industry standard.</p>
<blockquote><p><em>&#8220;The SIG Questionnaire is the number one tool that everybody in Risk Management uses. No questions asked!&#8221;</em></p></blockquote>
<h2><strong>What Does The 2025 SIG Questionnaire Do? </strong></h2>
<p>The SIG Questionnaire is used to evaluate the risk controls of an organization’s vendors and service providers. Using the SIG helps organizations cover a wide breadth of risk areas across their vendor portfolios. Some organizations use the SIG as a starting point, customizing the SIG to fit their specific assessment needs. Organizations also use the SIG to evaluate their internal risk management controls, often using the result to demonstrate their risk posture to their own prospective customers.</p>
<p>The SIG Manager is the engine of the SIG product, giving users the ability to perform various SIG operations. These operations include the scoping and configuration of SIG Questionnaires to send out to vendors.</p>
<p>The SIG Manager provides two pre-configured questionnaires (the SIG Lite and the SIG Core). The SIG Manager gives users the ability to easily create customized assessments based on regulation or risk domain. (SIG Lite, SIG Core, regulations and risk domains are described in more detail later in this post.)</p>
<p>The SIG Manager automates the creation and analysis of SIG responses, allowing users to maintain SIG data. This brings efficiency to the assessment process.</p>
<h2><strong>Risk Domains In 2025 SIG Questionnaire</strong></h2>
<p>Risk domains are focus areas that guide Third-Party Risk Management (TPRM) programs.</p>
<p>Risk domains are used to scope questionnaires or to frame the controls that should be evaluated during a third-party risk assessment. The SIG includes 21 of the most current and critical risk domains and their corresponding controls within four key control areas: Governance &amp; Risk Management, Information Protection, IT Operations &amp; Business Resilience, and Security Incident &amp; Threat Management.</p>
<p>For a detailed review of the 21 risk domains covered by the SIG, see our <a href="https://sharedassessments.org/paper/guide-to-risk-domains/">Guide To Risk Domains</a>.</p>
<h2><strong>Regulatory Updates To 2025 SIG Questionnaire</strong></h2>
<p>This year brings the addition of significant frameworks to the SIG: the Digital Operational Resilience Act (<a href="https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en">DORA</a>), the Network and Information Security Directive 2 (<a href="https://nis2directive.eu/">NIS2</a>), and the NIST Cybersecurity Framework (CSF) 2.0 (<a href="https://nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework">NIST 2.0</a>). By incorporating these frameworks, the SIG offers enhanced assessment of vendor cybersecurity and, by extension, supports your organizational resilience. Identify areas of concern in your third parties’ security profiles with the SIG’s new mappings to:</p>
<ul>
<li><strong>DORA</strong>, an EU-wide regulation aiming to improve the financial sector&#8217;s resilience to cyber and information security threats</li>
<li><strong>NIS2</strong>, an EU-wide directive providing legal measures to boost the overall level of cybersecurity</li>
<li><strong>NIST 2.0</strong>, a set of guidelines and best practices to help organizations reduce cyber risk</li>
<li><strong>And many, many more </strong>regulations, guidelines, and standards – <a href="https://sharedassessments.org/paper/user-references-sig/">full list here</a></li>
</ul>
<h2><strong>Functionality Updates To 2025 SIG Questionnaire</strong></h2>
<p>The 2025 SIG is replete with functionality updates recommended by Shared Assessments SIG users themselves.</p>
<p>Practitioners can now organize their workspaces with minimizable sheets, questions, and tabs, and with customizable spaces within questionnaires for additional artifact requests or notes.</p>
<p>Shared Assessments has also added validation to the custom scoping process in the 2025 SIG. When a user selects mapping references, a validation step prevents saving a template that has too many mappings selected or no depth specified.</p>
<blockquote><p><em>“The SIG gives us a standard approach and coverage which has been instrumental in providing the foundation for a robust third-party information security and business resilience assessment program and assess risks associated on behalf of our business partners.”</em></p>
<p><em>-New York Life </em></p></blockquote>
<h2><strong>Question Count In 2025 SIG Questionnaire</strong></h2>
<p>We offer two versions of the SIG Questionnaire, which should be employed based on the level of assessment a vendor needs. These versions are the SIG Core and the SIG Lite. The primary differences are their length and the depth (or scope) of information they cover.</p>
<p>The SIG Lite Questionnaire provides a broad, higher-level understanding of a third party’s internal information security controls. The SIG Lite is for vendors that need a basic level of due diligence. It can also be used as a preliminary assessment before a more detailed review. The SIG Lite 2025 has 128 questions.</p>
<p>The SIG Core Questionnaire is meant to assess third parties that store or manage highly sensitive or regulated information, such as personal information or other sensitive data. The SIG Core provides a deeper level of understanding about how a third party secures information and services. The SIG Core 2025 has 627 questions.</p>
<p>The full SIG, also called the SIG Detail, has 1936 questions. You can generate SIGs based on scope (as in the Lite and the Core), regulation, control family, or risk domain.</p>
<h2><strong>See The 2025 SIG Questionnaire</strong></h2>
<p>The risk management future is now and it’s time to move on up to updated mappings and improved functionality in the 2025 SIG! <a href="https://sharedassessments.org/product-inquiry/">Request your personalized demo here</a>.</p>
<p>Or, join me for a deeper dive into updates in the 2025 SIG in my upcoming demo session<em><strong> Rise Above Risk: The 2025 SIG </strong></em>on November 7, 2024 from 11:00am – 11:30am ET – <a href="https://sharedassessments-org.zoom.us/webinar/register/WN_lWFfTYoSTjmzq8hptIwafA#/registration">register here</a>.</p>
<p>The post <a href="https://sharedassessments.org/blog/2025-sig/">What&#8217;s New in the 2025 SIG Update</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>What Is A SOC Report?</title>
		<link>https://sharedassessments.org/blog/what-is-a-soc-report/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Tue, 29 Oct 2024 21:12:24 +0000</pubDate>
				<category><![CDATA[Tools and Products]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=71764</guid>

					<description><![CDATA[<p>What is a SOC Report? Understanding SOC 1, SOC 2, and SOC 3 System and Organization Controls reports, or SOC reports, are a framework to help companies gain trust in their vendors’ services or products through an examination of their delivery, business processes, and controls. Organizations should seek SOC report assurance from vendors or service [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/what-is-a-soc-report/">What Is A SOC Report?</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h1>What is a SOC Report? Understanding SOC 1, SOC 2, and SOC 3</h1>
<p>System and Organization Controls reports, or SOC reports, are a framework to help companies gain trust in their vendors’ services or products through an examination of their delivery, business processes, and controls.</p>
<p>Your organization should seek SOC report assurance from vendors or service providers that transact on its behalf, process or store its data, or process or store its clients&#8217; data.</p>
<p>SOC reports, developed by the <a href="https://www.aicpa-cima.com/home">American Institute of Certified Public Accountants (AICPA)</a>, deliver an understanding of a vendor’s system and its controls across areas including security, availability, processing integrity, confidentiality, privacy, financial reporting and cybersecurity. SOC 2 and SOC 3 reports are evaluated against the AICPA&#8217;s Trust Services Criteria (TSC), which build on the COSO internal control framework. There are three main types of SOC reports:</p>
<ul>
<li>SOC 1: Focuses on controls relevant to user entities&#8217; financial reporting, including the IT general controls that support them.</li>
<li>SOC 2: Focuses on operational controls often used in Third-Party Risk Management (TPRM) and provides detailed insights into a service organization&#8217;s internal controls.</li>
<li>SOC 3: A public version of SOC 2 used for broader audiences.</li>
</ul>
<p>SOC Reports are important for risk management because they help organizations identify and address potential risks, vulnerabilities, and flaws in their vendor’s processes and controls. Reviewing a vendor’s SOC report can help your organization identify risks and implement controls to mitigate risks.</p>
<p>Shared Assessments&#8217; products complement SOC reports by providing a strong vendor security assurance package when used together. Shared Assessments views SOC reports as pairing well with its Standardized Control Assessment (SCA) Procedure Tools, which provide risk professionals with a set of resources (solutions, templates, checklists, guidelines) that can be used to plan, scope, and perform third-party risk assessments.</p>
<h2>Types of SOC Reports</h2>
<p>There are three prevailing types of SOC reports: SOC 1, SOC 2, and SOC 3. SOC 1 is focused on financial reporting. SOC 2 is focused on security, availability, processing integrity, confidentiality, and privacy. SOC 3 is a general-use summary covering the same areas as the SOC 2 but with far less detail. A separate SOC for Cybersecurity report covers an organization&#8217;s enterprise-wide cybersecurity risk management program.</p>
<h3>SOC 1 Report</h3>
<p>A SOC 1 report is an independent attestation on the controls at a service organization that are relevant to its clients&#8217; internal control over financial reporting. Like a SOC 2, it is issued as a Type I (design of controls at a specific point in time) or a Type II (operating effectiveness over a period). SOC 1 reports are used to assess the internal controls of service organizations that handle financial information for their clients, and how those controls may impact the clients&#8217; financial reporting. These reports are crucial for both user entities and their auditors, as they provide insight into the impact of the service organization’s controls on the user entities&#8217; financial statements.</p>
<h3>SOC 2 Report</h3>
<p>A SOC 2 report focuses on assessing service organizations against the operational controls often used in TPRM. SOC 2 reports address the operational risks of outsourcing to third parties outside financial reporting. SOC 2 reports can help mitigate the risk of data breaches and financial losses by confirming adherence to best practices. (SOC 2 reports work well with Shared Assessments’ Standardized Control Assessment (SCA) Tools. The SCA can be used to provide clients with an independently assessed review of critical controls, often at a lower cost than a SOC 2 report. The SCA can be used as an addendum to or a replacement for a SOC 2 report. Note that a SOC 2 is an attestation report issued by an independent CPA firm, not a certification.)</p>
<h3>SOC 3 Report</h3>
<p>A SOC 3 report is essentially a public version of SOC 2, used for broader audiences. SOC 3 is a general-use document that reports on an organization&#8217;s controls for security, availability, processing integrity, confidentiality, and privacy. It&#8217;s based on the American Institute of Certified Public Accountants&#8217; (AICPA) Trust Services Criteria (TSC) and, unlike a SOC 2, omits the detailed description of the tests performed and their results, which is why it can be distributed freely. SOC 3 reports help a service organization demonstrate its commitment to security and availability standards, but a risk reviewer still needs the SOC 2 to see what was tested and what failed.</p>
<h3>Distinguishing Between Type I and Type II SOC Reports</h3>
<p>SOC 1 and SOC 2 reports can be issued as a Type I or Type II report. A Type I report details an organization&#8217;s controls at a single point in time, including a management description of the service organization&#8217;s system, and is considered a snapshot of the control environment. A Type II report examines how effectively implemented controls operated over a set period (typically 6 or 12 months) and is considered the more comprehensive form of reporting. Most TPRM programs prefer a SOC 2 Type II for third-party risk assessment purposes because the audit period evidences that the controls operated, not just that they were designed.</p>
<h2>Benefits of SOC Reports in Risk Management</h2>
<p>SOC reports benefit organizations in many ways, including building trust, improving efficiency, ensuring regulatory compliance, mitigating risk, and demonstrating commitment to security standards.</p>
<p>SOC reports verify an organization’s internal controls (a collection of safeguards and procedures) by evaluating the design of controls at a specific point in time and by testing the controls&#8217; operating effectiveness over a period, often selecting samples and reviewing evidence over a period of six months to one year.</p>
<p>A SOC report lists the controls, the tests performed, and the results of the tests. If a control meets all the test requirements, the results will indicate no exceptions. If a control doesn&#8217;t meet all the requirements, the results will indicate an exception, along with a summary of what failed and why.</p>
<p>SOC reports often have findings and issues, including how risks were mitigated or remediated. The organization should review these to determine how they impact the organization. Pay equal attention to what the report does not cover: the scope of the system description, any subservice organizations carved out of the examination, and the complementary user entity controls (CUECs) the report assumes your organization operates. An exception-free report gives no assurance over controls that were carved out or left to the user entity.</p>
<p>As a service provider, SOC reports build trust and transparency with clients by demonstrating verified controls. As an outsourcer, SOC reports help with risk mitigation by helping your organization to identify and manage third-party risks effectively. SOC reports also help with vendor compliance as they ensure adherence to regulatory standards through verified assessments.</p>
<h2>SOC Reports and Shared Assessments’ Tools</h2>
<p>Shared Assessments&#8217; <a href="https://sharedassessments.org/sca/">Standardized Control Assessment (SCA) Procedure Tools</a> can strengthen security assessments when SOC reports lack third-party risk modules by providing a way to verify the accuracy of a third-party risk assessment. Taking an integrated approach and combining SOC 2 Type II reports with SCA tools offers a robust security assurance package for vendor management.</p>
<p>Shared Assessments supports a &#8220;trust but verify&#8221; approach by providing standardized tools like the <a href="https://sharedassessments.org/sig/">Standardized Information Gathering (SIG) Questionnaire</a>, which acts as the &#8220;trust&#8221; component, allowing initial self-assessment by vendors, while the Standardized Control Assessment (SCA) acts as the &#8220;verify&#8221; component, enabling further due diligence through on-site or virtual assessments to validate the information provided in the SIG questionnaire. This combination of tools and sequence of steps allows organizations to initially trust vendor claims but then verify those claims through additional scrutiny.</p>
<p>Discover how Shared Assessments’ Standardized Control Assessment Procedure Tools work alongside SOC reports to provide comprehensive security assurance for your vendors. Connect with us for a consultation to help you improve your risk management strategy.</p>
<h2>How to Choose the Right SOC Report</h2>
<p>The type of SOC report that&#8217;s best for an organization depends on its specific control objectives and needs. It also depends on if you are a service provider or an outsourcer.</p>
<p>Choose the subject matter first. A SOC 1 report covers controls relevant to your organization&#8217;s financial reporting and is the report your financial auditors will ask for when a vendor processes transactions, payroll, or claims on your behalf; it says little about security or operational controls outside that scope. A SOC 2 report covers the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy) and is the report a third-party risk program needs when a vendor stores, processes, or can affect your data or services.</p>
<p>Then choose the depth. A Type I report (available for both SOC 1 and SOC 2) is the simplest form: it tests the design of controls as of a specific date, with no further testing to prove that the controls operated. It works when a service organization or vendor needs to evidence controls quickly for a prospect or client. Think of it as a schematic or general impression to use when in a pinch. A Type II report looks at the same design of controls and tests their operating effectiveness over a period, six months as a rule of thumb. (Best practice is to have the first Type II cover 12 months and then an annual Type II thereafter to report on continual coverage of controls.) A Type II is the more thorough practice as it offers more context on controls and how they are working; richer data gives a more accurate picture.</p>
<p>Finally, A SOC 3 report is essentially a public version of SOC 2, used for broader audiences in a marketing context. A SOC 3 is a badge of controls courage or a virtue signal for vendors. When you want to demonstrate that you meet regulatory and compliance requirements or simplify vendor management, wave the SOC 3 flag.</p>
<h2>Frequently Asked Questions About Service Organization Controls (SOC) Reports</h2>
<h3>Is a SOC Report Mandatory?</h3>
<p>SOC reports are not legally required for any organization. However, they can be important for building customer trust and confidence. Some customers may expect to see a SOC report before doing business with you, and you might expect to see one from your partners before doing business with them. It is not uncommon to have a SOC report required on an annual basis as a term or condition of doing business.</p>
<h3>Who Should Get a SOC Report?</h3>
<p>Organizations that provide services or software that may impact a client&#8217;s financial reporting or sensitive data may be required to have a System and Organization Controls (SOC) report. This includes financial service, healthcare, data centers, software as a service (SaaS), web hosting and cloud storage.</p>
<h3>How Do I Know If I Need a SOC Report?</h3>
<p>Your service organizations that process, store, or impact sensitive or financial data for your organization may need a SOC report. These organizations include:</p>
<ul>
<li>Financial services: payroll, loan servicers, and investment advisors</li>
<li>Healthcare: electronic medical record (EMR) providers and healthcare data processors</li>
<li>Data centers: including cloud service providers and host data centers</li>
<li>Software-as-a-service (SaaS) providers</li>
<li>Other service providers: web hosting, accountants, money managers, marketing agencies, and staffing firms</li>
</ul>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-71770 size-full" src="https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/10/Who-Needs-A-SOC-Report-e1730238372890.jpg" alt="" width="1900" height="620" srcset="https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/10/Who-Needs-A-SOC-Report-e1730238372890.jpg 1900w, https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/10/Who-Needs-A-SOC-Report-e1730238372890-1280x620.jpg 1280w, https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/10/Who-Needs-A-SOC-Report-e1730238372890-980x551.jpg 980w, https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/10/Who-Needs-A-SOC-Report-e1730238372890-480x270.jpg 480w" sizes="(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) and (max-width: 1280px) 1280px, (min-width: 1281px) 1900px, 100vw" /></p>
<h3>Does Every Company Have a SOC Report?</h3>
<p>Not every company has a SOC Report. No governing authority requires SOC audits. Industries with low regulation rarely require SOC reports, but companies in these industries still benefit from conducting SOC assessments as some clients require a SOC report as a condition of doing business.</p>
<h3>Who Prepares SOC Reports?</h3>
<p>SOC reports are prepared by independent third-party auditors: a licensed Certified Public Accountant (CPA) firm performs the examination under the AICPA&#8217;s attestation standards and issues the report. The CPA firm must be independent of the organization being audited, and a report prepared by the vendor itself or by a non-CPA consultancy is not a SOC report.</p>
<h3>What is the Most Common SOC Report?</h3>
<p>The most common System and Organization Controls (SOC) report is the SOC 2 report. It&#8217;s especially popular with software-as-a-service (SaaS) companies that provide third-party services to customers who trust them with sensitive data. SOC 2 is flexible in how it evaluates security controls, and helps organizations show that their internal controls protect customer data.</p>
<h3>Is a SOC Report a Risk Assessment?</h3>
<p>Not in itself. A SOC report is an independent attestation on a service organization&#8217;s controls, and it is a key input to your third-party risk assessment rather than a substitute for one. It supplies tested evidence about the vendor&#8217;s controls; your organization still has to evaluate what any exceptions, carve-outs, or scope gaps mean for the risks to its own systems, data, and vendor relationships.</p>
<h3>How Often Are SOC Reports Done?</h3>
<p>The frequency of System and Organization Controls (SOC) reports depends on several factors, including client requirements, regulatory needs, and the type of SOC report. SOC 2 reports are typically conducted annually but can be done every six months depending on client preferences or concerns. Because a Type II report covers a fixed period, vendors are usually asked for a bridge (gap) letter from management covering the months between the end of the last period and the date of your review, and a new examination should be performed when there are major changes to the system or its security controls.</p>
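<p>The review steps described above (reading the exceptions table and what the auditor tested, checking the period a Type II covers, and deciding whether the gap since the period end calls for a bridge letter) can be turned into a repeatable intake check. The following is an added example written for this page, not code from Shared Assessments or the AICPA: it takes a constructed summary of a SOC report (the field names, the hypothetical vendor, and the 90-day bridge-letter and 12-month staleness thresholds are assumptions of the example, not requirements of any standard) and returns the findings a reviewer would raise before accepting the report as evidence.</p>

```python
"""Triage a SOC 2 report summary for third-party risk review.

Added example, not code from the Shared Assessments page. The report summary
is a constructed, hypothetical data structure (real SOC reports are PDF
documents, and the field names here are assumptions); the thresholds are an
assumed review policy, not an AICPA requirement.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

MAX_AGE_DAYS = 365     # assumed policy: period end older than a year means a stale report
BRIDGE_GAP_DAYS = 90   # assumed policy: more than ~3 months after period end needs a bridge letter
MIN_PERIOD_DAYS = 180  # assumed policy: a Type II should cover at least six months


@dataclass
class ControlException:
    control_id: str      # e.g. the Trust Services Criteria reference the auditor tested
    description: str
    remediated: bool     # has management documented remediation in the report?


@dataclass
class SocReportSummary:
    vendor: str
    soc_type: int                    # 1, 2 or 3
    report_type: int                 # 1 = Type I (point in time), 2 = Type II (period)
    period_end: date                 # "as of" date for a Type I, period end for a Type II
    period_start: Optional[date] = None
    opinion: str = "unqualified"     # assumed vocabulary: "unqualified" or "qualified"
    exceptions: List[ControlException] = field(default_factory=list)
    bridge_letter_through: Optional[date] = None  # date a management bridge letter covers to


def needs_bridge_letter(period_end: date, as_of: date,
                        bridge_through: Optional[date] = None) -> bool:
    """True when the review date is more than BRIDGE_GAP_DAYS past the period end
    and no bridge letter covers the review date."""
    if (as_of - period_end).days <= BRIDGE_GAP_DAYS:
        return False
    return bridge_through is None or bridge_through < as_of


def triage(report: SocReportSummary, as_of: date) -> List[Tuple[str, str]]:
    """Return (severity, message) findings a reviewer would raise before accepting
    the report as assurance evidence. Severities: 'high', 'medium', 'info'."""
    findings: List[Tuple[str, str]] = []

    # 1. Right subject matter? SOC 3 is a public summary; SOC 1 is about financial reporting.
    if report.soc_type == 3:
        findings.append(("medium", "SOC 3 is the public summary; request the full SOC 2 under NDA"))
    elif report.soc_type == 1:
        findings.append(("medium", "SOC 1 covers financial-reporting controls only; "
                                   "request a SOC 2 for security and operational controls"))

    # 2. Snapshot or period? A Type I proves design, not operation.
    if report.report_type == 1:
        findings.append(("medium", "Type I is a point-in-time design snapshot; "
                                   "request a Type II covering operating effectiveness"))
    elif report.period_start is not None:
        covered = (report.period_end - report.period_start).days
        if covered < MIN_PERIOD_DAYS:
            findings.append(("medium", f"Type II covers only {covered} days; expect at least {MIN_PERIOD_DAYS}"))

    # 3. Is the evidence current? A stale report fails; a gap needs a bridge letter.
    age = (as_of - report.period_end).days
    if age > MAX_AGE_DAYS:
        findings.append(("high", f"period ended {age} days ago; obtain the current report"))
    elif needs_bridge_letter(report.period_end, as_of, report.bridge_letter_through):
        findings.append(("medium", f"{age} days since period end; request a bridge letter for the gap"))

    # 4. Auditor's opinion and the exceptions table.
    if report.opinion != "unqualified":
        findings.append(("high", f"{report.opinion} opinion: the auditor did not give a clean opinion"))
    for exc in report.exceptions:
        if exc.remediated:
            findings.append(("info", f"exception on {exc.control_id} (remediated): {exc.description}"))
        else:
            findings.append(("high", f"exception on {exc.control_id} (open): {exc.description}"))
    return findings


def accept(report: SocReportSummary, as_of: date) -> bool:
    """Usable as assurance evidence only when no 'high' finding remains."""
    return not any(sev == "high" for sev, _ in triage(report, as_of))


# Constructed sample: a hypothetical vendor's SOC 2 Type II, not real audit data.
SAMPLE = SocReportSummary(
    vendor="ExampleCloud (hypothetical)", soc_type=2, report_type=2,
    period_start=date(2023, 10, 1), period_end=date(2024, 9, 30),
    exceptions=[ControlException("CC6.1", "two terminated users kept VPN access for 30 days", True)],
)

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE, date(2025, 1, 15)):
        print(f"[{sev}] {msg}")
```

<p>Run against the sample report on a review date of 15 January 2025, the check raises a request for a bridge letter (the review falls 107 days after the period end) and an informational note on the remediated exception, and the report is accepted as evidence. Swap the thresholds for your own program&#8217;s policy; the value of encoding them is that every report in the vendor portfolio gets the same check.</p>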
<p>The post <a href="https://sharedassessments.org/blog/what-is-a-soc-report/">What Is A SOC Report?</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Move On Up: Rise Above Risk With Resilience</title>
		<link>https://sharedassessments.org/blog/move-on-up-rise-above-risk-with-resilience/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Fri, 25 Oct 2024 16:09:49 +0000</pubDate>
				<category><![CDATA[Tools and Products]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=71676</guid>

					<description><![CDATA[<p>Third-Party Risk Management Product Release 2025 In the coming weeks, Shared Assessments will release its 2025 Third-Party Risk Management (TPRM) Product Suite &#8211; and resilience is the word! Artificial Intelligence (AI) has arrived and accelerated. 63% of organizations with more than $50 million in annual revenue characterize the implementation of AI as a high priority, [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/move-on-up-rise-above-risk-with-resilience/">Move On Up: Rise Above Risk With Resilience</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2>Third-Party Risk Management Product Release 2025</h2>
<p>In the coming weeks, Shared Assessments will release its <a href="https://sharedassessments.org/products/">2025 Third-Party Risk Management (TPRM) Product Suite</a> &#8211; and <em>resilience</em> is the word!</p>
<p>Artificial Intelligence (AI) has arrived and accelerated. 63% of organizations with more than $50 million in annual revenue characterize the implementation of AI as a high priority, yet 91% of these organizations do not feel prepared to do so in a responsible manner, <a href="https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/implementing-generative-ai-with-speed-and-safety">a recent McKinsey survey shows</a>.</p>
<p>Supply chains have spun out into complex webs of layered tiers. 43% of organizations have limited to no visibility of tier one supplier performance, <a href="https://kpmg.com/us/en/articles/2024/supply-chain-trends-2024.html#:~:text=The%20logistics%20sector%20is%20also,risk%20reduction%20and%20sustainability%20targets">a recent KPMG study finds</a>.</p>
<p>Amid this spiraling complexity and technological advancement, resilience is the only antidote to risk. Regulators and standards agencies worldwide seem to agree; recently released frameworks including the Digital Operational Resilience Act (DORA), the Network and Information Systems Directive 2 (NIS2), and NIST Cybersecurity Framework (CSF) Version 2.0 all share a common goal of enhancing cybersecurity and operational resilience.</p>
<p>Our <a href="https://sharedassessments.org/products/">2025 TPRM Product Suite</a> has integrated these exceptional evolutions and nascent frameworks to offer a fine-tuned solution for every step of the TPRM Lifecycle:</p>
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-71677" src="https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/12/TPRM-Products-Lifecycle-Diagram.webp" alt="" width="1920" height="1080" /></p>
<blockquote><p><em>“Our 2025 Product Release elevates user experience through improved usability within our solutions. We’ve remained true to our previously established risk domains while giving priority to our member and subscriber suggestions. Staying current with regulations and guidance, our 2025 TPRM Product Suite gives practitioners the ability to turn risk into readiness and resilience.” </em></p>
<p><em>Kelcey Reed, SVP, Technology and Products</em></p></blockquote>
<h2><strong>Third Party Risk Management Product Suite Introduction </strong></h2>
<p>In a rapidly evolving regulatory and risk environment, Shared Assessments’ products incorporate industry standards and the collective intelligence of our diverse member base to keep third-party risk management programs current. From evaluating the maturity of your own risk management program to assessing your vendors, our products support you in managing vendor risk effectively and efficiently.</p>
<p>Our 2025 Product Suite is comprised of the Vendor Risk Management Maturity Model (VRMMM), Third-Party Service Inherent Risk Rating (TPSIRR), Standardized Information Gathering Questionnaire (SIG), Standardized Control Assessment Procedure (SCA), Data Governance Products, and Environmental Social and Governance Standardized Information Gathering Questionnaire (ESG SIG).</p>
<h3><strong>Vendor Risk Management Maturity Model (VRMMM)</strong></h3>
<p>The VRMMM gives you a blueprint for maturing your TPRM program by benchmarking it against best practices. Our recently released <a href="https://sharedassessments.org/interagency-guidance-gap-analysis/">Interagency Guidance (IAG) Gap Analysis</a> maps to questions in the VRMMM. As you identify new requirements and self-assess your organization’s compliance with the IAG Guidance, use the combination of tools to make a roadmap for maturing your risk management program.</p>
<p><a href="https://sharedassessments.org/vrmmm/">Learn more about the VRMMM here. </a></p>
<h3><strong>Third-Party Service Inherent Risk Rating (TPSIRR)</strong></h3>
<p>The TPSIRR prepares you for due diligence by determining your vendors’ Inherent Risk Rating (IRR). We’ve added Custom Data Classification definitions and examples and introduced greater clarity, better weighting, more customizability and actionability to the forthcoming 2025 TPSIRR.</p>
<p><a href="https://sharedassessments.org/inherent-risk-rating/">Learn more about the TPSIRR here. </a></p>
<h3><strong>Standardized Information Gathering Questionnaire (SIG) </strong></h3>
<p>The SIG assesses and analyzes vendor risk efficiently and demonstrates your organization’s risk posture through an industry-standard questionnaire. This 2025 release brings DORA, NIS2, and NIST 2.0 regulatory mappings to the SIG to ensure cybersecurity readiness and resilience across your vendor network.</p>
<p><a href="https://sharedassessments.org/sig/">Learn more about the SIG here. </a></p>
<h3><strong>Standardized Control Assessment Procedures (SCA)</strong></h3>
<p>The SCA verifies vendor compliance through validation of third-party controls. The 2025 SCA includes DORA, NIS2, and NIST 2.0 control attributes.</p>
<p><a href="https://sharedassessments.org/sca/">Learn more about SCA here. </a></p>
<h3><strong>Data Governance Products </strong></h3>
<p>The Data Governance Products address specific data protection obligations through management of vendor data inventories and due diligence tracking.</p>
<p><a href="https://sharedassessments.org/data-governance-products/">Learn more about our Data Governance Products here. </a></p>
<h3><strong>Environmental Social and Governance Standardized Information Gathering Questionnaire </strong><strong>(ESG SIG)</strong></h3>
<p>ESG SIG streamlines regulatory compliance through focused assessments of vendor ESG Risk.</p>
<p><a href="https://sharedassessments.org/esg-sig/">Learn more about our ESG SIG here. </a></p>
<h2><strong>Product Release 2025 Launch Events</strong></h2>
<p>Throughout the fall, we will be hosting sessions to highlight new features and functionality in this release. Join us for some or all of our upcoming Product Release 2025 events!</p>
<p><strong>Demo: Move On Up: Overview Of The 2025 TPRM Product Suite </strong>October 31, 2024 | 11:00am-11:30am ET <a href="https://sharedassessments-org.zoom.us/webinar/register/WN_f0iCdY3nRGSC17pJzv7z3Q#/registration"><strong>Register</strong></a></p>
<p><strong>Demo: Rise Above Risk: The 2025 SIG </strong>November 7, 2024 | 11:00am &#8211; 11:30am ET <a href="https://sharedassessments-org.zoom.us/webinar/register/WN_lWFfTYoSTjmzq8hptIwafA#/registration"><strong>Register</strong></a></p>
<p><strong>Member Forum Call: Product Release 2025 Review </strong>November 12, 2024 | 11:00am-12:00pm ET <a href="https://sharedassessments.org/events/november-member-forum-call/"><strong>Register</strong></a></p>
<p><strong>Demo: A Roadmap For Maturity: The 2025 VRMMM </strong>November 13, 2024 | 11:00am &#8211; 11:30am ET <a href="https://sharedassessments-org.zoom.us/webinar/register/WN_-cMOBUe4Tkq3-p0jb2qFfQ#/registration"><strong>Register</strong></a></p>
<p><strong>International Live Demo: Product Release 2025 </strong>November 20, 2024 | 10:00am-11:00am GMT +1/SST <a href="https://sharedassessments-org.zoom.us/meeting/register/tJwoc-irpjMvEtPJxvULSyaLCpUVcpOqHO-T#/registration"><strong>Register</strong></a></p>
<p class="c-sa-single-post__title c-sa-single-post__title--has-meta"><strong>Demo: The Due Diligence Dance: Determine Inherent Risk First</strong> November 21, 2024 | 11:00am &#8211; 11:30am ET <a href="https://sharedassessments-org.zoom.us/webinar/register/WN_vFQ_PQPpTaGXVMO8A_o-DQ#/registration"><strong>Register</strong></a></p>
<p class="c-sa-single-post__title c-sa-single-post__title--has-meta"><strong>TPRM Trifecta: TPSIRR -&gt; SIG -&gt; SCA </strong>December 5, 2024 | 11:00am &#8211; 11:30am ET <a href="https://sharedassessments-org.zoom.us/webinar/register/WN_7A-0Pd5bQaKXB5LTKdiwqA#/registration"><strong>Register</strong></a></p>
<p>The post <a href="https://sharedassessments.org/blog/move-on-up-rise-above-risk-with-resilience/">Move On Up: Rise Above Risk With Resilience</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Supply Chain Risk Management: Guiding Robust Third &#038; Nth Party Governance</title>
		<link>https://sharedassessments.org/blog/supply-chain-risk-governance/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Wed, 09 Oct 2024 23:08:20 +0000</pubDate>
				<category><![CDATA[Supply Chain Risk]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=71198</guid>

					<description><![CDATA[<p>Shared Assessments newest TPRM professional resource is Supply Chain Risk Management: Guiding Robust Third &#38; Nth Party Governance. The inter-related nature of complex supply chains is changing how managing risk in third party relationships is conducted. The implications of the impacts that Nth parties can exert on an outsourcer lead to an urgent need to [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/supply-chain-risk-governance/">Supply Chain Risk Management: Guiding Robust Third &#038; Nth Party Governance</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
<content:encoded><![CDATA[<p>Shared Assessments&#8217; newest TPRM professional resource is <em>Supply Chain </em><em>Risk Management: Guiding Robust Third &amp; Nth Party Governance</em>. The interrelated nature of complex supply chains is changing how risk in third-party relationships is managed. The impact that Nth parties can have on an outsourcer creates an urgent need to understand what improvements can be made in risk management analytics, responses, and related processes.</p>
<p>To monitor across the supply chain, organizations must map, manage, and mitigate the risks that affect the ability of outsourcers operating in different industries and jurisdictions to deliver their goods and services. That analysis includes:</p>
<ul>
<li>Due diligence information gathering that includes processes for compiling, analyzing, and monitoring interdependencies posed by third, fourth, and Nth parties.</li>
<li>Concentration risk.</li>
<li>Single-source tangible product materials and parts.</li>
<li>Digital ecosystem components that may be difficult or impossible to replace.</li>
<li>Regulatory requirements for outsourcers to identify issues and work to correct certain types of shortcomings throughout their supply chains.<a href="#_ftn1" name="_ftnref1"><sup>[1]</sup></a></li>
</ul>
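<p>Concentration risk and hard-to-replace digital components only become visible once the dependency chain is walked transitively: a fourth party that several critical vendors quietly share is the single point of failure the list above is asking you to find. The following is an added illustration of that mapping, not code from the paper or from Shared Assessments; the vendor inventory is constructed and every vendor name in it is hypothetical.</p>
```python
from collections import defaultdict

# Constructed sample vendor inventory (hypothetical names; not from the paper).
# vendor -> (is this vendor critical to our operations?, suppliers it relies on)
INVENTORY = {
    "PaymentsCo":   (True,  ["CloudHostA", "IdentityProv"]),
    "PayrollCo":    (True,  ["CloudHostA", "DataCenterB"]),
    "AnalyticsCo":  (False, ["CloudHostA"]),
    "ClaimsCo":     (True,  ["DataCenterB", "IdentityProv"]),
    "IdentityProv": (False, ["CloudHostA"]),   # fourth party that is itself hosted on CloudHostA
    "CloudHostA":   (False, []),
    "DataCenterB":  (False, []),
}


def upstream(vendor, inventory):
    """Return every Nth party that `vendor` depends on, directly or transitively.

    The walk is iterative and tracks visited nodes because real supply-chain data
    contains loops (a supplier that buys a service back from its own customer);
    a naive recursive walk would never terminate. The vendor itself is excluded.
    Vendors missing from the inventory are treated as having no known suppliers.
    """
    seen = set()
    stack = [vendor]
    while stack:
        current = stack.pop()
        _, suppliers = inventory.get(current, (False, []))
        for supplier in suppliers:
            if supplier != vendor and supplier not in seen:
                seen.add(supplier)
                stack.append(supplier)
    return seen


def concentration(inventory, threshold=2):
    """Map each Nth party to the critical direct vendors that depend on it.

    Only Nth parties reached from at least `threshold` critical vendors are
    returned: those are the shared dependencies whose outage would disrupt
    several critical services at once, i.e. the concentration risk.
    """
    exposure = defaultdict(set)
    for vendor, (critical, _) in inventory.items():
        if not critical:
            continue
        for nth in upstream(vendor, inventory):
            exposure[nth].add(vendor)
    return {nth: sorted(deps) for nth, deps in exposure.items() if len(deps) >= threshold}


if __name__ == "__main__":
    for nth, dependents in sorted(concentration(INVENTORY).items()):
        print(f"{nth}: shared by critical vendors {', '.join(dependents)}")
```
<p>Note that ClaimsCo never lists CloudHostA as a supplier, yet the report shows it exposed to CloudHostA through IdentityProv; that indirect path is exactly what a questionnaire answered one tier deep will miss, and why the due diligence step above asks for interdependencies across fourth and Nth parties rather than direct suppliers only.</p>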
<p>&nbsp;</p>
<p><img loading="lazy" decoding="async" class="wp-image-71203 aligncenter" src="https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/12/Supply-Chain-Other-Operational-Risks-1.webp" alt="" width="534" height="471" /></p>
<p>Risk managers have been actively building solutions as they attempt to assess preparedness internally and externally across supply chains. This paper provides best practices and related step-function improvements in strategy and techniques for controls and monitoring that organizations can employ. The paper also provides a professional’s takeaway detailing risk areas, control objectives, and best practice considerations for context, operational resilience, communications and incident response, assessments, and monitoring.</p>
<p>This resource, the third in the Shared Assessments Global TPRM Best Practices Committee’s 2024 paper series, represents the work of the project team of SMEs who stepped forward to update this guide. The best practice solutions that have evolved over the past two decades are brought together and refined by this group, which last year focused on ransomware preparedness, reputational risk, and onsite assessment best practices. The Global TPRM Best Practices Committee, open to members and non-members, currently has more than 260 registered individuals from 185 organizations spanning 15 time zones.</p>
<p><a href="https://sharedassessments.org/committees/">If you would like to join</a>, we’d love to have you. You can learn about our other committees <a href="https://sharedassessments.org/committees/">here</a>.</p>
<p>The full paper can be downloaded <a href="https://sharedassessments.org/paper/supply-chain-risk-governance/">here.</a></p>
<p>&nbsp;</p>
<p><a href="#_ftnref1" name="_ftn1">[1]</a> <a href="https://commission.europa.eu/business-economy-euro/doing-business-eu/sustainability-due-diligence-responsible-business/corporate-sustainability-due-diligence_en">Corporate Sustainability Due Diligence Directive. 2024. </a></p>
<p>&nbsp;</p>
<p>The post <a href="https://sharedassessments.org/blog/supply-chain-risk-governance/">Supply Chain Risk Management: Guiding Robust Third &#038; Nth Party Governance</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Shared Assessments Joins The Charter Of Trust</title>
		<link>https://sharedassessments.org/blog/charter-of-trust/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Thu, 26 Sep 2024 18:48:55 +0000</pubDate>
				<category><![CDATA[Shared Assessments]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=70928</guid>

					<description><![CDATA[<p>We are thrilled to share that Shared Assessments has officially joined the Charter of Trust as a member of the Associated Partners Forum (APF). The Charter of Trust is a non-profit alliance of leading global companies and organizations from various sectors working together to make the digital world of tomorrow a safer place. This new and [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/charter-of-trust/">Shared Assessments Joins The Charter Of Trust</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>We are thrilled to share that Shared Assessments has officially joined the <a href="https://www.charteroftrust.com/">Charter of Trust</a> as a member of the Associated Partners Forum (APF). The Charter of Trust is a non-profit alliance of leading global companies and organizations from various sectors working together to make the digital world of tomorrow a safer place.</p>
<p>This new and promising partnership between Shared Assessments and the Charter of Trust is a natural fit as both organizations are devoted to working to create a more secure and resilient digital world through collaboration and information sharing.</p>
<blockquote><p>“<em>We are delighted to welcome Shared Assessments to the Charter of Trust as an Associated Partner. Their commitment to advancing third-party risk assurance and their dedication to fostering a more secure digital world align perfectly with our mission. By joining our collaborative network, Shared Assessments brings valuable expertise and a shared vision that will undoubtedly enhance our collective efforts to protect data, prevent harm, and build trust in the digital economy. Together, we look forward to pioneering new best practices that will contribute to a more resilient and secure digital future for all.” </em></p>
<p><strong>Natalia Oropeza, Chairwoman, Charter of Trust</strong></p></blockquote>
<h3><strong>Charter Of Trust</strong></h3>
<p>Through its network, Charter of Trust aims to accomplish three important objectives:</p>
<ul>
<li>Protect the data of individuals and companies</li>
<li>Prevent damage to people, companies and infrastructures</li>
<li>Create a reliable foundation on which confidence in a networked, digital world can take root and grow</li>
</ul>
<h3><strong>Associated Partners Forum (APF)</strong></h3>
<p>The <a href="https://www.charteroftrust.com/about/">Associated Partner Forum (APF)</a> brings together regulators, research institutes, universities, and think tanks with the Charter of Trust’s industry partners. Together, the APF builds a trusted network committed to creating a strong digital security environment across the global economy.</p>
<p>The APF provides an effective setting to discuss best practices for implementing the Charter’s Principles, to assess cyber trends and developments, and to work together on specific Charter of Trust projects. Shared Assessments is looking forward to collaborating with these preeminent international partners on the Charter of Trust’s APF:</p>
<ul>
<li>Federal Office For Information Security (Germany)</li>
<li>Centre for Cyber Security (Canada)</li>
<li>CEBRI (Brazil)</li>
<li>El Centro Criptológico Nacional (CCN) del Centro Nacional de Inteligencia (CNI) (Spain)</li>
<li>CERT-In (India)</li>
<li>Cloud Security Alliance (USA)</li>
<li>Coalition to Reduce Cyber Risk (CR2)</li>
<li>CSIR (South Africa)</li>
<li>Cyber Readiness Institute (USA)</li>
<li>Cyber Peace Institute (Switzerland)</li>
<li>Global Cyber Alliance (USA, UK, Belgium)</li>
<li>Hasso Plattner Institute (Germany)</li>
<li>Ministry of Economy, Trade, and Industry (Japan)</li>
<li>Technológico De Monterrey (Mexico)</li>
<li>Graz University of Technology (Austria)</li>
<li>The Ministry of Internal Affairs and Communications (Japan)</li>
</ul>
<blockquote><p>&#8220;<em>Shared Assessments is excited and honoured to join the Charter of Trust community of cybersecurity leaders and practitioners, and we are committed to working with the organisation to improve the resilience and risk posture of their membership and their associated suppliers. Since its founding in 2018, the Charter of Trust has promoted continuous improvement in the standard of care for cybersecurity risk management. At Shared Assessments, we are fully aligned with the Charter’s vision, including the organisation’s 10 Principles and the philosophy that cybersecurity ‘is everyone’s task.’</em>”</p>
<p><strong> Andrew Moyad, CEO, Shared Assessments</strong></p></blockquote>
<h3><strong>About Shared Assessments</strong></h3>
<p>In our global economy where third-party services are essential, Shared Assessments is at the forefront of providing thought leadership, standards, and education to drive third-party risk assurance. Through collaboration and the development of standardized tools, Shared Assessments has become a central hub for organizations seeking to navigate this complex area effectively. Third-party risk management is a relationship business. Our greater community is essential to what we do. Our focus continues to be working together to create a more secure and resilient world – our partnership with the Charter of Trust furthers this vision.</p>
<p>&nbsp;</p>
<p>The post <a href="https://sharedassessments.org/blog/charter-of-trust/">Shared Assessments Joins The Charter Of Trust</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>First-Ever Third-Party Risk Management UK Summit 2024: Signed, Sealed, Delivered</title>
		<link>https://sharedassessments.org/blog/uk-summit-2024/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Wed, 25 Sep 2024 17:40:19 +0000</pubDate>
				<category><![CDATA[Shared Assessments]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=70808</guid>

					<description><![CDATA[<p>Shared Assessments’ first-ever Third-Party Risk Management UK Summit brought together professionals from different industries to explore the evolving landscape of third-party risk management in the heart of London. The Summit featured a keynote address, interactive panels, breakout sessions, and abundant networking opportunities. This blogpost delivers a brief overview of key takeaways from the event – we hope [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/uk-summit-2024/">First-Ever Third-Party Risk Management UK Summit 2024: Signed, Sealed, Delivered</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Shared Assessments’ first-ever Third-Party Risk Management UK Summit brought together professionals from different industries to explore the evolving landscape of third-party risk management in the heart of London. The Summit featured a keynote address, interactive panels, breakout sessions, and abundant networking opportunities. This blogpost delivers a brief overview of key takeaways from the event – we hope to see you there again next year!</p>
<h2><strong>DORA&#8217;s Focus on Resilience Keynote</strong></h2>
<p>In her keynote address, Sophia Corsetti (Manager, ProcessUnity) highlighted how DORA addresses systemic risk by improving third-party resilience, emphasizing that disruptions in critical suppliers can impact entire organizations and sectors. In summary:</p>
<p><strong>A Solid TPRM Foundation Is Crucial</strong>: A solid TPRM foundation is essential for successful DORA compliance; many organizations are still struggling to align their TPRM programs with DORA&#8217;s requirements.</p>
<p><strong>Key Components of DORA</strong>: Supply chain management, incident tracking and reporting, pre-contract due diligence, and subcontractor risk are all central to building a resilient third-party ecosystem.</p>
<p><strong>Inherent Risk and Prioritization</strong>: Prioritizing suppliers based on inherent risk levels to streamline assessments and reduce vendor fatigue is necessary, as is leveraging AI for risk calculations to improve accuracy and efficiency.</p>
<p><strong>Best Practices for DORA Compliance</strong>: Best practices include using data-driven approaches, automating risk management processes, and communicating expectations clearly with third parties to ensure alignment with DORA’s requirements.</p>
<h2><strong>AI’s Role in TPRM Panel</strong></h2>
<p>This panel emphasized that AI can enhance third-party risk management (TPRM) by automating data analysis, reducing cycle times, and identifying patterns or red flags from continuous monitoring, thus allowing teams to focus on strategic risk areas. Other takeaways included:</p>
<p><strong>Human Expertise Still Essential</strong>: While AI offers significant potential, it cannot replace human judgment. AI should be viewed as a tool that complements professional expertise rather than a substitute for human oversight.</p>
<p><strong>Risks and Limitations of AI</strong>: There are inherent risks associated with AI, especially in handling large, complex data sets. Panelists warned of &#8220;black box&#8221; scenarios where AI processes are not fully transparent, stressing the importance of maintaining control and oversight in AI implementations.</p>
<p><strong>Building a Business Case for AI</strong>: The benefits of AI in TPRM include scalability, precision, and improved efficiency, allowing organizations to cover more third parties with fewer resources. However, organizations must clearly define pain points and ensure AI solutions align with those needs before implementation.</p>
<p><strong>Contracting and Oversight</strong>: When contracting with AI solution providers, organizations must ensure transparency regarding AI usage, subcontractors, and data handling. Contracts should future-proof against potential AI risks, including the vendor&#8217;s use of client data for model training and potential regulatory requirements.</p>
<p><strong><em>Panelists:</em></strong><em> Chris Johnson (Senior Advisor, Shared Assessments), Andy Sparry (Lead for Security Third Party Risk Management, Meta), Benjamin Ross (Managing Partner UK, Bortstein Legal Group), Daniela De Almeida Lourenço (CISO, Financial Services), Tomer Roizman (CTO &amp; Co-Founder, Lema)</em></p>
<h2><strong>Complex Regulatory Landscape Panel</strong></h2>
<p>This session emphasized how the current regulatory environment is more complex than ever, with multiple frameworks such as DORA, NIS2, and the EU AI Act, creating challenges for organizations in third-party risk management (TPRM) to keep pace with these changes. The panelists also discussed:</p>
<p><strong>Concentration Risk</strong>: Regulators are increasingly pushing organizations to assess and manage their dependencies on critical third parties. This includes mapping subcontractors and understanding their role in the supply chain.</p>
<p><strong>Data is Key for Compliance</strong>: Gathering and maintaining accurate, comprehensive data on third-party vendors is crucial for complying with DORA and other regulations. (Several panelists stressed the importance of centralizing data and ensuring it is regularly updated to avoid bottlenecks in regulatory compliance.)</p>
<p><strong>Proportionality and Prioritization</strong>: The principle of proportionality is embedded in regulations, meaning organizations should focus on their most critical vendors first rather than applying the same standards to all vendors. This pragmatic approach helps prevent overwhelming resources and ensures that the most significant risks are addressed.</p>
<p><strong>Standardization and Global Alignment</strong>: There is a need for standardization in regulatory frameworks, particularly across different regions. While challenges remain, there is increasing alignment among regulatory bodies worldwide, making it possible for organizations to adopt common standards and frameworks to streamline compliance efforts.</p>
<p><strong><em>Panelists:</em></strong><em> Andrew Moyad (CEO, Shared Assessments), James Humphrey-Evans (Partner, Bortstein Legal Group), Chika Okoli (GRC Consultant, Mitratech), Detlef Houdeau (Senior Director, Business Development, Infineon Technologies AG), Sean O’Brien (Managing Director, DVV Solutions)</em></p>
<h2><strong>Critical Third Parties Panel </strong></h2>
<p>This panel suggested that the definition of Critical Third Parties (CTPs) is evolving. Initially, CTPs were viewed purely from a firm’s internal perspective—what was most critical to that organization. The focus was on whether the third party could directly disrupt the business if it failed. The definition of CTPs has evolved with regulatory changes. Now, CTPs are seen from an external viewpoint—how critical they are to the market, customers, and overall systemic risk. Regulators are increasingly emphasizing the broader impact of CTPs on markets and services. Discussion around CTPs encompassed:</p>
<p><strong>Geopolitical and Jurisdictional Considerations</strong>: Organizations need to consider the geographic concentration of their third parties, as political, environmental, or regional issues could disrupt services. The panel emphasized understanding not only the criticality of third parties to the organization but also their broader market impact and how geopolitical factors might affect their operations. Mapping supply chains, including fourth-party risks, is essential to ensure business continuity across global markets.</p>
<p><strong>Partnership vs. Contractual Relationship</strong>: The panel stressed the importance of moving beyond contractual obligations toward partnerships with CTPs. This means developing a deeper relationship that allows better oversight and proactive communication, particularly when issues arise. Understanding where the organization falls on a vendor’s priority list is crucial during disruptions.</p>
<p><strong>Metrics for Evaluating CTPs</strong>: Key metrics to assess CTPs include their Recovery Time Objective (RTO), the impact of a disruption on critical business functions, and how substitutable that third party is. The group also highlighted the importance of understanding a CTP’s supply chain and their resilience in the event of broader market issues.</p>
<p><strong>AI and IT Automation’s Role</strong>: The panel discussed how AI and automation will change the landscape of third-party risk management. As more CTPs use AI, organizations must ensure these third parties understand the implications of using AI. AI can support decision-making by offering insights based on past data, helping organizations assess risk more efficiently.</p>
<p><strong>Integrating People, Process, Technology, and Data</strong>: Beyond traditional TPRM processes, there’s a need to integrate technology and data analytics to monitor CTPs effectively. Understanding the competency of people working at CTPs, assessing the underlying technologies they use, and gathering comprehensive data can offer a fuller picture of their risk profile.</p>
<p>Two primary takeaways were emphasized: first, organizations must establish partnerships with their CTPs rather than rely solely on contracts. Second, it’s important to understand the supply chain behind CTPs to fully assess risks, including how CTPs prioritize service recovery during disruptions.</p>
<p><strong><em>Panelists:</em></strong><em> Elizabeth Dunsmoor (TPRM Principal, Shared Assessments), Martin Freeman (Cybersecurity and Compliance Managing Director, Calastone), Rosalyn Aryee (Head of Outsourcing &amp; TPRM and Operational Resilience, Santander), Shriparna Ghosh (Director, Cyber Security &#8211; Consulting &#8211; EMEIA Financial Service, EY), Matt Moog (General Manager, Third-Party Risk, OneTrust)</em></p>
<h2><strong>Tech Adoption Roadmap Breakout Session</strong></h2>
<p>This session focused on helping participants develop a practical, actionable tech adoption roadmap for their organizations. Deloitte used a highly interactive and fun discussion format, supported by a maturity model and participant polling, to identify key areas of opportunity and challenges. Attendees left with clear, tailored insights and tangible next steps they can apply to their TPRM programs.</p>
<p><strong><em>Speakers:</em></strong><em> Dr. Sanjoy Sen (Head of Research &amp; Eminence – Extended Enterprise, Deloitte), Stephen Cordon (Senior Manager, Deloitte)</em></p>
<h2><strong>Vendor Risk Management Hot Seat Breakout Session</strong></h2>
<p>Participants were immersed in a fast-paced, interactive environment where they tackled real-world vendor risk scenarios. Through rapid questioning and problem-solving, participants were challenged to think critically and adapt to evolving risks as they would in their own organizations. For DORA-regulated entities, this session offered essential guidance to achieve compliance before the January 2025 deadline.</p>
<p><strong><em>Speakers:</em></strong><em> Constantine Malaxos (Vice President, Strategic Alliances, ProcessUnity), Sophia Corsetti (Manager, ProcessUnity)</em></p>
<h2><strong>With Gratitude For Our Sponsors, Speakers, and Friends</strong></h2>
<p>As we celebrate the end of an exciting and excellent first UK TPRM Summit, we would like to acknowledge our sponsors. Their support made this event&#8217;s exceptional content and dynamic speakers possible. Thank you to OneTrust, ProcessUnity, and DVV Solutions (Carbon Offset Sponsor) for their generous underwriting of this event. Thank you to our speakers for their time and focus and to all our risk management friends who traveled from near and far to make this UK Summit an absolute success.</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-65380" src="https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/07/ProcessUnity-1.png" alt="" width="312" height="138" /></p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-65699" src="https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/07/Onetrust.png" alt="" width="322" height="57" /></p>
<p>&nbsp;</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-65083" src="https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/06/DVV-Solutions.png" alt="" width="333" height="85" /></p>
<p>&nbsp;</p>
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-70818" src="https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/09/Deloitte.png" alt="" width="304" height="90" /></p>
<p>The post <a href="https://sharedassessments.org/blog/uk-summit-2024/">First-Ever Third-Party Risk Management UK Summit 2024: Signed, Sealed, Delivered</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>AI &#038; Third-Party Risk Management: Balancing Innovation, Risk &#038; Opportunity</title>
		<link>https://sharedassessments.org/blog/ai-and-tprm/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Wed, 18 Sep 2024 23:08:16 +0000</pubDate>
				<category><![CDATA[Emerging Technologies]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=70517</guid>

					<description><![CDATA[<p>As AI continues to disrupt and transform Third-Party Risk Management (TPRM), organizations face increasing pressure to adopt AI-driven processes while managing the associated risks. In this rapidly evolving landscape, staying ahead of the curve is essential for maintaining a competitive edge and safeguarding your organization from emerging threats. Our AI &#38; Emerging Technology Committee mobilized [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/ai-and-tprm/">AI &#038; Third-Party Risk Management: Balancing Innovation, Risk &#038; Opportunity</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>As AI continues to disrupt and transform Third-Party Risk Management (TPRM), organizations face increasing pressure to adopt AI-driven processes while managing the associated risks. In this rapidly evolving landscape, staying ahead of the curve is essential for maintaining a competitive edge and safeguarding your organization from emerging threats.</p>
<p>Our <a href="https://sharedassessments.org/committees/">AI &amp; Emerging Technology Committee</a> mobilized to address the global risk management challenges (and opportunities) and introduced AI in our latest whitepaper, <a href="https://sharedassessments.org/paper/ai-and-tprm/">AI &amp; Third-Party Risk Management: Balancing Innovation, Risk &amp; Opportunity</a>.</p>
<p>This comprehensive white paper delves into the evolving best practices for AI governance in TPRM, providing a detailed roadmap for leveraging AI to enhance risk management while addressing its unique challenges. With insights drawn from leading industry experts, this document is an indispensable resource for any organization looking to navigate the complexities of AI integration in TPRM.</p>
<p>This white paper delivers essential insights into:</p>
<p>&nbsp;</p>
<p><strong>Current And Evolving Best Practices For AI Governance In TPRM</strong></p>
<p>Discover the latest strategies and frameworks that organizations can adopt to effectively manage AI risks within their supply chains. Learn how AI governance structures are evolving in response to the rapid growth of AI technology. This section outlines the critical components of a robust AI governance framework, including compliance, ethical considerations, and continuous monitoring.</p>
<p>&nbsp;</p>
<p><strong>How AI Can Augment TPRM Processes And Improve Risk Management</strong></p>
<p>Explore how AI technologies can streamline risk management tasks, improve decision-making, and enhance visibility into third-party and Nth-party risks. This section delves into AI’s potential to automate vendor oversight and improve overall program efficiency. You&#8217;ll gain a deeper understanding of how AI-driven analytics and machine learning can provide real-time insights and predictive capabilities, transforming the way you manage risks.</p>
<p>&nbsp;</p>
<p><strong>Practical Strategies For Addressing AI-Related Risks, Including Transparency, Security, And Fairness</strong></p>
<p>Learn about the specific challenges posed by AI, such as bias, data privacy, and security vulnerabilities. The paper provides actionable advice on implementing governance measures that ensure AI use remains transparent, fair, and secure throughout the supply chain. Real-world case studies illustrate how leading organizations are tackling these issues head-on and setting new standards for responsible AI use.</p>
<p>&nbsp;</p>
<p><strong>Key Recommendations For Executives And Practitioners On Building Resilient AI-Enabled TPRM Frameworks</strong></p>
<p>Gain insights into how organizations can establish AI governance frameworks that balance innovation with risk management. Recommendations cover building cross-functional teams, integrating AI into existing risk management structures, and addressing the long-term implications of AI adoption. This section highlights the importance of fostering a culture of continuous learning and adaptability to keep pace with technological advancements.</p>
<p>&nbsp;</p>
<p>This resource represents the work of the Shared Assessments <a href="https://sharedassessments.org/committees/">AI &amp; Emerging Technology Committee</a> and a dedicated team of subject matter experts. It aims to equip organizations with the knowledge and tools needed to responsibly integrate AI into their TPRM programs, ensuring they remain competitive while safeguarding against emerging risks. By implementing the strategies and recommendations outlined in this white paper, your organization can confidently navigate the complexities of AI in TPRM and build a more resilient, future-ready risk management framework.</p>
<p>&nbsp;</p>
<p>Download the full paper <a href="https://sharedassessments.org/paper/ai-and-tprm/">here</a>.</p>
<p>The post <a href="https://sharedassessments.org/blog/ai-and-tprm/">AI &#038; Third-Party Risk Management: Balancing Innovation, Risk &#038; Opportunity</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Third &#038; Nth Party Continuous Monitoring: Standing Up An Effective Program</title>
		<link>https://sharedassessments.org/blog/continuous-monitoring/</link>
		
		<dc:creator><![CDATA[]]></dc:creator>
		<pubDate>Wed, 11 Sep 2024 20:53:40 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<guid isPermaLink="false">https://sharedassessments.org/?p=69752</guid>

					<description><![CDATA[<p>Shared Assessments newest paper, Third &#38; Nth Party Continuous Monitoring: Standing Up An Effective Program, provides specific guidance on standing up a continuous monitoring program in any industry. Many organizations lack clarity around the volume of third parties and Nth parties with which they engage and the risks posed by those down-chain providers. Continuous monitoring [&#8230;]</p>
<p>The post <a href="https://sharedassessments.org/blog/continuous-monitoring/">Third &#038; Nth Party Continuous Monitoring: Standing Up An Effective Program</a> appeared first on <a href="https://sharedassessments.org">Shared Assessments</a>.</p>
]]></description>
<content:encoded><![CDATA[<p>Shared Assessments&#8217; newest paper, <a href="https://sharedassessments.org/paper/third-nth-party-continuous-monitoring/"><em>Third &amp; Nth Party Continuous Monitoring: Standing Up An Effective Program</em></a>, provides specific guidance on standing up a continuous monitoring program in any industry. Many organizations lack clarity around the volume of third parties and Nth parties with which they engage and the risks posed by those down-chain providers. Continuous monitoring can help disclose Nth party providers that are not visible by other means.</p>
<p>The Building &amp; Maturing TPRM Programs table included in this resource provides guidance on incorporating continuous monitoring into organizations and programs of varying levels of size, resourcing, and maturity. Monitoring types include: Infrastructure &amp; Application Monitoring; Geolocation Risk Monitoring; and Incident Response Monitoring.</p>
<p><img loading="lazy" decoding="async" class="wp-image-69770 aligncenter" src="https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/09/Screenshot-2024-09-11-at-3.55.24 PM.png" alt="" width="687" height="722" srcset="https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/09/Screenshot-2024-09-11-at-3.55.24 PM.png 792w, https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/09/Screenshot-2024-09-11-at-3.55.24 PM-201x211.png 201w, https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/09/Screenshot-2024-09-11-at-3.55.24 PM-768x807.png 768w, https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/09/Screenshot-2024-09-11-at-3.55.24 PM-762x800.png 762w, https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/09/Screenshot-2024-09-11-at-3.55.24 PM-480x504.png 480w, https://sharedassessments.org/wp-content/uploads/sa-uploads/2024/09/Screenshot-2024-09-11-at-3.55.24 PM-510x536.png 510w" sizes="(max-width: 687px) 100vw, 687px" /></p>
<p><strong>This paper provides insight into:</strong></p>
<ul>
<li>What continuous monitoring is.</li>
<li>Why continuous monitoring is useful and its benefits in the TPRM context.</li>
<li>How to stand up a TPRM-focused continuous monitoring program.</li>
<li>How to leverage existing resources to best advantage and build maturity.</li>
<li>What to monitor and how to go about managing continuous monitoring data.</li>
</ul>
<p>Continuous monitoring helps improve risk management and supports operational resilience by providing insight into inbound and outbound supply chains for both services and tangible goods. Focusing continuous monitoring on Nth party and location risks serves as a practical and efficient risk early warning system.</p>
<p>This resource represents the work of the Shared Assessments Global TPRM Best Practices Committee and project team of SMEs who stepped forward to update this guide. The best practice solutions that have evolved over the past two decades are brought together and refined by this group, which last year focused on ransomware preparedness, reputational risk, and onsite assessment best practices. The Global TPRM Best Practices Committee, open to members and non-members, currently has more than 260 registered individuals from 185 organizations spanning 15 time zones. <a href="https://sharedassessments.org/committees/">If you would like to join</a>, we’d love to have you. You can learn about our other committees at <a href="https://sharedassessments.org/committees/">https://sharedassessments.org/committees/</a>.</p>
<p>The full paper and Practitioner Guide are available for download <a href="https://sharedassessments.org/paper/continuous-monitoring/">here</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
