TPRM Metrics – Telling Your Risk Story

With his customary warmth, Tom Garrubba, Vice President, Shared Assessments, led a fireside chat about TPRM metrics with industry experts. This blogpost offers an overview of the session, sponsored by OneTrust, and outlines the 14 key metrics identified through this collaboration.


Garrubba brought together Cliff Vachon (Sr. Manager, Global Security – Third Party Risk Governance, CVS Health), Philip Bennett (Manager Information Security Governance, Horizontal Services, Navy Federal Credit Union), and Nasser Fattah (US Steering Committee Vice Chair, Shared Assessments,Cyber, IT, and Third-Party SME) to discuss their views on important metrics – both for managing risk teams and for presenting the overall program to the C-Suite and upper management.


Cliff Vachon approaches metrics from both a management and organizational risk standpoint. As a people manager, Vachon aims to measure how workload of assessments is balanced across his team. As a risk manager, Vachon wants to understand the lifecycle of assessments. (How many days are assessments taking and why? Are there idled assessments? Is it my program or the third party slow to respond?) As his department’s core function is reducing risk to the organization, Vachon gauges these metrics to make his organization more secure:

  • Overall Assessment Health (How many assessments are past their reassessment date?)
  • Status of Exceptions (Remediation plans managed and tracked)
  • Percent of Third Parties Under Continuous Monitoring
  • Reduction in Residual Risk


Vachon recommends a periodic review of metrics or KPIS. Be open to recalibrating what you measure. Approach this with  “why we are we tracking this metric and what action are we taking on it once measured?” Check in and see if the metrics you capture add the intended value to your program and organization.


Phil Bennett describes a metrics journey where the right measurements vary by program and organization in an evolving landscape. Across programs and organizations, there are varying expectations for risk tolerance. It is important to listen to Infosec, Front Office and Chief Risk Officers. These people and departments have a firm grasp on the supply chain and work directly with threats. Additionally, the accuracy of data and availability of data is key. (Stable data may not be available – how will you react in this setting?)


Bennet realizes it is a challenge as a risk manager to figure out “what I own, what I am responsible for and to meet business expectations or to fulfill the responsibility risk remediation.” What you can measure depends on size of staff and organization; appropriate level-setting on what you can reasonably support is wise. With these variables acknowledged, Bennet offers these metrics:

  • Filter Based on Risk Elements (risk level, organization, business, SIG “finding”
  • Tiering of Inherent or Residual Risk
  • Comparison View in Dashboards (Between business units – subtle healthy competition)

Nasser Fattah knows that capturing the right metrics in TPRM is an iterative process. Fattah recommends that you regularly ask yourself how you are using metrics to inform, influence or trigger action. This question will help you to think about addressing your audience (existing executives or new board members) who might think about risk in a different way.

Understand if you have a process in place to produce metrics in a repeatable, timely manner. Also, when you look at the metrics you measure, understand if and why these indicators are not hitting the mark and examine the correlated business impact. (Do these metrics impact business continuity?)

Fattah identifies the operational metrics below as important:

  • Percentage Service Level Agreements (SLA) met to complete due diligence
  • Percentage SLA requiring findings/risks to be reported to the business
  • Timely Escalations (based on expected due dates for the questionnaire, evidence, etc. (keeping business apprised of roadblocks that may impact SLA)


From a Governance standpoint, Fattah suggests tracking these metrics:

  • Number of contracts signed without required due diligence
  • Number of critical and high-risk vendors where internal risk assessment not updated at least yearly
  • Number of critical and high-risk vendors not having undergone due diligence (either onboard or ongoing)
  • Number of critical or high-risk vendors with high risks 


Find access to the webinar recording here.