A Roadmap For Maturity: Revving Up Risk Management

Vendor Risk Management Maturity Model (VRMMM)

VRMMM is more than the sound of a Formula 1 race car at the starting line – it’s the preeminent benchmarking tool for risk management!

The Vendor Risk Management Maturity Model (VRMMM) helps organizations to assess the maturity of their third-party risk programs. The VRMMM offers a set of comprehensive best practices and industry benchmarks. Risk programs measure their organizations in comparison to these standards, gaining an understanding of requirements, risks, and how risks are managed across departments. Using the VRMMM, risk programs can plan projects, improvements and resource adjustments.

“The VRMMM is helping us to pinpoint and create a three-year road map for maturity which is incredible! I know many colleagues that have paid hundreds of thousands of dollars for current state and future state maturation road maps. The VRMMM has done that for us. We have been able to cherry-pick what works, what we think is more immediate, and what may be a future need.”

-VRMMM User, Major American Daily Newspaper

What’s New In The 2025 VRMMM?

Shared Assessments has introduced an “Interagency Guidance Gap Analysis” as an accompaniment to the 2025 Vendor Risk Management Maturity Model (VRMMM). This Gap Analysis is intended to be used as an active worksheet or tool, and it guides organizations as they implement the Interagency Guidance released by the FDIC, FRB, and the OCC.

Connecting directly with the VRMMM, the Interagency Guidance Gap Analysis indicates questions or areas within the VRMMM that organizations can focus on to remediate or to build out specific parts of their TPRM programs. The Interagency Guidance and Gap Analysis both perpetuate a risk-based approach, balancing risks with appropriate controls.

You can read more about the Interagency Guidance Gap Analysis here.

How Does The VRMMM Work?

The VRMMM breaks third-party risk down into eight categories and explores more than 250 program elements that should form the basis of a well-run third-party risk management program. The VRMMM allows practitioners to:

  • Adapt a program structure by type of outsourcer services and maturity level based on industry, organization size and risk tolerance
  • Make informed decisions for resource allocation and vendor-related risk
  • Establish a baseline against which to benchmark program maturity
  • Use program governance as a foundational element for other risk program criteria
  • Identify components that will deliver the highest organizational value
  • Track program maturity over time to determine and communicate progress
  • Identify areas for improvement

The VRMMM is broken down into three sections – Foundations, Operations, and Measurements.

VRMMM Foundation Section: Ready

The foundational section of the VRMMM focuses on building vendor risk management programs by defining objectives and goals. Foundations also covers policies, standards, and procedures, all the way up to contracts and vendor termination or exit procedures.

VRMMM Operations Section: Set

The secondary section of the VRMMM focuses on implementing vendor risk management programs. This section covers the breadth of TPRM operations, from the assessment process itself to communications and information sharing. It also provides an overview of the skills & expertise needed for performing the risk management motion.

VRMMM Measurements Section: Accelerate!

The final section of the VRMMM helps with optimizing vendor risk management programs, from Tools, Measurement & Analysis to Monitoring & Review.

Ready, Set, Accelerate Your Risk Management Program – Join Us To See How With The VRMMM

The VRMMM allows risk management programs to benchmark and plan, and ultimately to accelerate. I welcome you to join me and my colleague Jennifer Hancock (Senior Advisor, Shared Assessments) for our upcoming session on the VRMMM on November 13, 2024, 11:00am – 11:30am ET. Jennifer has implemented the VRMMM within many organizations’ risk management programs as a consultant; our session will be use-case focused as we talk through how programs execute the VRMMM and use it within their programs. See you there!