VRMMM – Vendor Risk Management Maturity Model
The VRMMM evaluates third-party risk programs against a set of comprehensive best practices and industry benchmarks.
VRMMM Helps Organizations Create or Mature Third-Party Risk Management Programs
- Adapt a program structure by type of outsourcer services and maturity level based on industry, organization size and risk tolerance.
- Make informed decisions for resource allocation and vendor-related risk.
- Establish a baseline against which to benchmark program maturity.
- Use program governance as a foundational element for other risk program criteria.
- Identify components that will deliver the highest organizational value.
- Track program maturity over time to determine and communicate progress, and identify areas for improvement.
How Our Third-Party Risk Maturity Model Works
The VRMMM breaks third-party risk down into eight categories and explores more than 250 program elements that should form the basis of a well-run third-party risk management program.
Foundation
Building Vendor Risk Management Programs
1.0 Program Governance
Risk Management Governance Model; Defined Program Objectives and Goals; Risk Management Strategy; Board Reporting and Management Oversight; ESG and Codes of Conduct; Mergers and Acquisitions
2.0 Policies, Standards, Procedures
Vendor Risk Management Policy and Risk Categorization; Vendor and Data Inventory Requirements; Due Diligence Standards; Risk Rating and Vendor Classification; Contract Management Governance; Vendor Risk Management Lifecycle
3.0 Contracts
Contract Operational Procedures; Criteria and Guidelines for Standard Contract Provisions; Relationship Management; Management Oversight; Fourth and Nth Party Management; Vendor Termination or Exit Procedures
Operations
Implementing Vendor Risk Management Programs
4.0 Vendor Risk Assessment Process
Pre-Outsourcing Risk Evaluation; Vendor Risk Tiering & Classification; Vendor Risk Assessment Operational Processes; Vendor Risk Assessment Metrics Reporting; Ongoing Vendor Risk Assessments; Process Automation
5.0 Skills & Expertise
Roles & Responsibilities; Staffing Levels & Competencies; Education, Training & Awareness; Budget & Resources; Qualifications & Certifications; Talent Management
6.0 Communication & Information Sharing
Vendor Risk Program Integration; Dashboards & Scorecards; Program Operations & Reporting; Board & Executive Reporting; Communication Protocols; Risk or Steering Committee Structures
Measurements
Optimizing Vendor Risk Management Programs
7.0 Tools, Measurement & Analysis
Workflow Management; Vendor Risk Scoring Tools; Vendor Financial Analysis; Vendor Business Risk; Tool Automation; Re-Assessment Triggers
8.0 Monitoring & Review
Contract Provision Tracking & Maintenance; Monitoring Service Level Agreements and Performance; Potential Changes to Internal & External Environments; Self-Assessment/Audit Readiness & External Assurance; Controls Validation &/or Testing; Continuous Monitoring Program
What’s Included In The VRMMM?
After purchasing the VRMMM, you will be able to immediately download the product and supporting materials.
VRMMM Product
The VRMMM product itself.
VRMMM User Guide
The VRMMM User Guide provides a summary of how to use the VRMMM.
VRMMM Enhancement Document
This document covers the changes and revisions to the most recent version of the VRMMM.
Interagency Guidance Gap Analysis
The IAG Gap Analysis maps the Interagency Guidance to the rescinded FRB, FDIC, and OCC guidance. Organizations can use the Gap Analysis to identify new requirements and assess compliance. This tool maps to the Shared Assessments VRMMM.