Press release

Shared Assessments Announces Third Party Risk Management (TPRM) Framework to Offer Guidance for Organizations Seeking to Create, Improve and Manage Third Party IT Security Risk

Sponsored by Businesswire

The Shared Assessments Program, the member-driven leader in third party
risk assurance, today announced a new Third Party Risk Management (TPRM)
Framework designed to help organizations of all sizes effectively build,
improve and execute best practices in today’s fast-changing third party
risk environment. The
first two modules, the Framework Introduction and a module focused on
Risk Management Basics, are available to members on the Shared
Assessments website (

As the practice of Third Party Risk Management has evolved, it has
become increasingly evident that a fully developed TPRM framework could
provide valuable assistance to organizations working to improve
outsourcing oversight processes.

Shared Assessments has addressed the need for more detailed guidance by
creating the Program’s TPRM Framework, which was developed with the
collective intelligence of the Shared Assessments’ membership, a global
community of experienced third party risk management practitioners in a
broad array of industries. Framework content is designed to be useful
for board members, C-level executives and both beginning and advanced

“There has been a significant increase in third party-related
vulnerabilities in recent years, which has in turn resulted in increased
demand for Shared Assessments Program resources, so the development of
the TPRM Framework is needed now more than ever,” said Shared
Assessments Chairman and CEO Catherine A. Allen. “Increasing third party
risks, together with new and changing regulatory mandates, require a new
approach for providing the knowledge and practical skills necessary to
help organizations more effectively manage third party risk. The new
TPRM Framework represents a critical and effective step forward to help
organizations move toward best risk management practices.”

TPRM has emerged as an important practice area within organizational
risk management programs where annual benchmarking research indicates
only 40 percent of all organizations have fully mature TPRM programs
(The Santa Fe Group, Shared Assessments
Program and Protiviti, Inc., 2019). The TPRM Framework encompasses all
aspects of operational risk, including information security.

Gary Roboff, Senior Advisor at The Santa Fe Group, and the lead on the
development of the Framework, noted, “The TPRM Framework is designed to
provide guidance for organizations seeking to develop, optimize and
manage Third Party Risk best practices. The Framework also provides
guidance about how to implement meaningful incremental improvements in
TPRM practice maturity in organizations where resources may be
constrained. Resource allocation is a significant obstacle for almost
every organization in the current environment.”

Third Party Risk Management Basics Module

For practitioners, TPRM Risk Basics introduces the importance of
robust program governance and tactics to drive a strong
organization-wide risk culture to earn senior management approvals for
resources. Additionally, TPRM Risk Basics features a short primer that
examines concepts including:

  • Inherent and residual risk
  • Risk appetite statements and frameworks
  • Risk tolerance metrics and other foundational elements
  • Program prerequisites and process factors to be considered when
    building an organization’s TPRM program, including factors relevant to
    making a decision about whether or not to outsource a specific
    business function or activity

To download a copy of the Shared Assessments TPRM Framework, go to

About the Shared Assessments Program

As the only organization that has uniquely positioned and developed
standardized resources to bring efficiencies to the market for more than
a decade, the Shared Assessments Program has become the trusted source
in third party risk assurance. Shared Assessments offers opportunities
for members to address global risk management challenges through
committees, awareness groups, interest groups and special projects. Join
the dialog with peer companies and learn how you can optimize your
compliance programs while building a better understanding of what it
takes to create a more risk-sensitive environment in your organization.

For more information, go to