Third-party Risk Management


The Shared Assessments Program

Third-party risk management (TPRM) is the process of examining and managing risks associated with outsourcing to third-party vendors or service providers. This process could include access to an organization’s intellectual property, data, operations, finances, customer information, or other sensitive information. 

While third-party risk has historically been associated with the potential risks arising from financial institutions relying on outside parties to perform services on their behalf, it is much larger than that now. TPRM is an issue for every vertical market as the world becomes more dependant on outsourcing. 

As part of our RSA Conference coverage, Brilliance Security Magazine sat down with the executive team of The Santa Fe Group. We met with Catherine Allen, Chairman, David Perez, Chief Executive Officer, and Michael Jordan, Senior Director. 

The Santa Fe Group (SFG) is a strategic advisory company providing expertise to leading financial institutions, healthcare payers and providers, law firms, educational institutions, retailers, utilities, and other critical infrastructure organizations.

Our objective in meeting with SFG was to understand more about their renowned Shared Assessments Program. The Shared Assessments Program is a trusted source for third party risk management. They provide the industries they serve with resources, including tools and best practices, to manage the critical elements of the vendor risk management lifecycle.

Catherine Allen, Chairman at The Santa Fe Group
Catherine Allen, Chairman at The Santa Fe Group

To provide our conversation with context, Catherine offered, “About 15 years ago, the CEOs of the six largest banks and the big four accounting firms asked The Santa Fe Group to create a community of people dedicated to looking at third-party risk in the financial sector. At that time, banks were beginning to outsource more and more, and the recognized that regulation of risks associated with outsourcing was just over the horizon. These banks and accounting firms were looking to get ahead of the curve in managing third-party cybersecurity risk.”

Fast forward to today, she continued, “we are now a community of 306 corporate members. Members represent a collaborative, global, peer community of information security, privacy, and third-party risk management leaders. The Shared Assessments Program is run like a trade association; members work on various issues through working groups. The working groups are made up of a diverse group of experts. Not only do the members represent ethnic and gender diversity, but also a diversity of expertise such as privacy, security, compliance in a wide range of industries such as financial, utilities, retailers, and healthcare.” 

These Shared Assessments working groups help seed the content that goes into assessment tools that the member companies and others can use. These tools are designed to enable users to self-assess their risk as it relates to third-parties. They also provide educational webinars and have constructed a certification program for third-party risk professionals. 

The Certified Third-Party Risk Assessor (CTPRA) designation from the Shared Assessments Program validates knowledge within specific IT risk control domains that an individual will need to perform a thorough IT risk evaluation of a third party during an assessment.

Michael Jordan, Senior Director, The Santa Fe Group
Michael Jordan, Senior Director, The Santa Fe Group

Michael Jordan, Senior Director, The Santa Fe Group, pointed out that risk content or intelligence crowdsourced through Shared Assessments’ member companies, along with the assessment tools they create, are available to a wide range of customers. He explained, “This content and these assessment tools are available to companies outside of the Shared Assessments member companies.” He said, “tens of thousands of folks have used this content and these tools.”

Michael believes the uniqueness The Santa Fe Group offers “is the legacy of having done this for 15 years, and the content being informed by the expertise of the diverse collective membership.”

Catherine brought David Perez on as The Santa Fe Group’s CEO about two months ago so she could have more time to focus on her responsibilities as Chairman of the Board for SFG. She feels that she can be most effective in talking with directors and board members of large enterprises and helping them understand how third-party risk is an integral part of the enterprise’s overall risk. She is experienced in setting up risk committees and enjoys assisting other organizations in setting up their risk committees. She said, “In part, I help these directors and board members understand emerging trends in third-party risk, the risk associated with climate change, and geopolitical risk.”

David J. Perez, Chief Executive Officer, The Santa Fe Group
David J. Perez, Chief Executive Officer, The Santa Fe Group

David J. Perez, Chief Executive Officer, The Santa Fe Group, painted the picture by explaining, “Imagine a vendor that has a great product. They can’t do business with many potential customers until they’ve proven that they have security, privacy, resilience, or regulations, all under control. Imagine they have tens of thousands of customers. That means they have tens of thousands of assessment requests coming their way. How do they manage that kind of thing? The reason we have such a demand in the marketplace, from the vendors we sell to, to the service providers, is because they want one assessment to have to do. They do it once. They provide the information that has all of the things that people care about one time, and then every time they get a new request, they only need to send that information out to the potential customer.”

He continued, “If the vendor has additional questions they want to add to the assessment, they can. But it is more manageable when using one standard set of information, to begin with.”

The Shared Assessments Program Tools follow a two-step approach to managing third party risks. Using industry-established best practices, the Shared Assessments Program supports a “trust, but verify” approach to conducting third-party assessments. This approach enables users to fine-tune their third party risk management program according to their company’s strategy for managing risk.

The Shared Assessments Program:

  • Continuously monitors for new standards, regulations, and risk areas.
  • Accordingly updates the industry-leading third-party risk management Program Tools, which include the:
    • Standardized Information Gathering (SIG) questionnaire, used to perform an initial assessment of your vendors.
    • Shared Assessments Agreed Upon Procedures (AUP), a Tool for standardized onsite assessments.
    • Vendor Risk Management Maturity Model (VRMMM), a self-assessment tool used to determine the maturity of your own third party risk management program
  • Facilitates and shares the annual Vendor Risk Management Benchmark Study, in collaboration with global consulting firm Protiviti, to examine the maturity of organizations’ current risk management programs across multiple verticals.
  • Offers the only member-driven, collaborative organization creating dialogue around third party risk
  • Facilitates the Certified Third-Party Risk Professional (CTPRP) program – the only certification program solely focused on third-party risk management.
  • Created and facilitates the Collaborative Onsite Assessments Program, which ensures a robust and consistent evaluation of a vendor’s risk posture on standard, shared services.
  • Offers cutting-edge education and leadership opportunities through events, such as monthly Member Forum calls and the annual Shared Assessments Summit

Readers that wish to learn more about The Santa Fe Group’s Shared Assessment Program and get additional information here:  Shared Assessments Program.

Looking toward the horizon, David told BSM that SFG would soon be standing up an academy. This academy will provide education for risk professionals to help them excel in their jobs and to become CTPRA certified.


Steven Bowcut, CPP, PSP is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Facebook, Instagram, and LinkedIn.