May 2014 Newsletter
This Month's Focus: 
2014 Vendor Risk Management Benchmark Study 

Shared Assessments Survey Reveals Gaps in Third-Party Risk Management Practices

Shared Assessments and global consulting firm Protiviti's recent benchmarking survey on the state of organizations' third party vendor risk management programs revealed the need for improvements in the components of most companies' third party risk programs. The top findings of the 2014 Vendor Risk Management Benchmark Study reveal that current third party risk management practices across industries, especially in insurance and healthcare, are vulnerable and lacking in governance, policies, standards, and procedures; improvement is needed. The study is available for download at


Other key findings: while financial services programs outperform other industries, vendor assessment procedures are lackluster, and staff tend to be undertrained and lacking in necessary resources.


Third party risks are top of mind. We already know that outsourcing and partnering with third party vendors greatly increase organizations' data and security risks and vulnerabilities. The challenge for organizations is how to manage data, privacy and security risks when the risks for these issues lie outside of their immediate control.

To learn more, click here to read the article A Look at the Maturity of Vendor Risk Management.
Current Shared Assessments Press Releases 
Listen to the Podcast
Shared Assessments Program Chair Brad Keller and Shared Assessments Steering Committee member Rocco Grillo, Managing Director, Protiviti, discuss How to Raise Your Company's VRM Maturity Level.

Register for June 3, 2014 Webinar
Join us on Tuesday, June 3 at 1pm ET/10am PT, for our Vendor Risk Management Benchmark Survey results discussion with experts from Shared Assessments and Protiviti. They will reveal the maturity level of VRM programs across industries and company sizes. Learn more and register


The Shared Assessments Vendor Risk Management Maturity Model (VRMMM) 2014 

Using governance as the foundational element, the Vendor Risk Management Maturity Model (VRMMM) identifies the framework elements critical to a successful program. High-level components are broken down into subcomponents in a manner that makes the model adaptable across a wide spectrum of industry groups.


The VRMMM is free to members and for purchase to non-members. To learn more about the VRMMM visit 



Hear from Shared Assessments Members at these upcoming events:
Shared Assessments Program Director Brad Keller:
  • Mortgage Bankers Association - June 5, 2014
    Dallas, TX  
    Learn more
Shared Assessments Steering Committee Member, Rocco Grillo, Managing Director, Protiviti:
  • MIS Audit Leadership Institute - August 18-22, 2014
    Boston, MA
    Learn more
  • PCI Community Meeting - September 9-11, 2014
    Lake Buena Vista, FL
    Learn more
Shared Assessments Program Vice-Chair, Jonathan Dambrot, Managing Director, Prevalent:
  • RVAsec - June 5-6, 2014
    New York, NY
    Learn more
Members Only
To highlight your upcoming events here, send your upcoming events to Kelly Wagner, Project Manager, The Santa Fe Group at
Commonly asked questions, asked and answered


My team is in the process of refining our company's third party risk management program. Where should I focus most of my resources? Compliance? Assessment?




This is a difficult question to answer without knowing more about the industry you are in and your company's appetite for risk in general. However, a good place to start is the Shared Assessments Vendor Risk Management Maturity Model (VRMMM). The VRMMM takes a best practices approach by first identifying the eight major areas of a third party risk program. Those eight areas are then broken down into various components and sub-components, each of which may be adjusted to reflect your company's appetite for risk. It is important to note that each area of the VRMMM should be addressed in order, by first laying the foundation necessary for a good program (i.e., governance, then policies/procedures, etc.) before moving on to other areas.


I would also advise that, before you begin your effort, you use the VRMMM to evaluate the maturity of your current program. This will allow you to better identify the areas for improvement and track your program's development over time.




A Look at the Maturity of Vendor Risk Management
By Brad Keller, SVP and Program Director, The Santa Fe Group, and Rocco Grillo, Managing Director, Protiviti.

As the volume of outsourced products and services has surged in recent years, so, too, have the risks associated with vendors and third party providers. This is occurring in highly regulated industries such as financial services and healthcare; in media and retail, as seen in recent news; as well as in any organization that is relying on third party vendors to manage operations and processes.

... Read more
Interested in Becoming a Shared Assessments Member?

Contact Julie Lebo, VP Member Relations, at
(703) 533-7256 or by Email
OCC Guidance 2013-29
Federal Reserve Guidance on Managing Outsourcing Risk
ISO/IEC 27001:2013
NIST: Framework for Improving Critical Infrastructure Cybersecurity
PCI 3.0 Presentation on Demand
Watch Shared Assessments Program Director Brad Keller, The Santa Fe Group; Shared Assessments Vice-Chair Jonathan Dambrot, Prevalent Networks; and Santa Fe Group Senior Consultant Gary Roboff discuss the PCI 3.0 changes and what they mean for retailers and providers.

Future Topic Suggestions
Do you have a topic you'd like to see covered in an upcoming newsletter?
Send your ideas to Kelly Wagner, Project Manager for Shared Assessments


Copyright © 2014. All Rights Reserved.