VRMMM – Vendor Risk Management Maturity Model

The VRMMM evaluates third-party risk programs against a set of comprehensive best practices and industry benchmarks. The VRMMM includes the Third Party Risk Management Benchmark Study!

$1,500 / 1 Year
VRMMM Corporate License

VRMMM Helps Organizations Create or Mature Third-Party Risk Management Programs

  • Adapt a program structure by type of outsourcer services and maturity level based on industry, organization size and risk tolerance.
  • Make informed decisions for resource allocation and vendor-related risk.
  • Establish a baseline against which to benchmark program maturity.
  • Use program governance as a foundational element for other risk program criteria.
  • Identify components that will deliver the highest organizational value.
  • Track program maturity over time to determine and communicate progress, and identify areas for improvement.

How Our Third-Party Risk Maturity Model Works

The VRMMM breaks third-party risk down into eight categories and explores more than 250 program elements that should form the basis of a well-run third-party risk management program.


Building Vendor Risk Management Programs

1.0 Program Governance
Risk Management Governance Model; Defined Program Objectives and Goals; Risk Management Strategy; Board Reporting and Management Oversight; ESG and Codes of Conduct; Mergers and Acquisitions

2.0 Policies, Standards, Procedures
Vendor Risk Management Policy and Risk Categorization; Vendor and Data Inventory Requirements; Due Diligence Standards; Risk Rating and Vendor Classification; Contract Management Governance; Vendor Risk Management Lifecycle

3.0 Contracts
Contract Operational Procedures; Criteria and Guidelines for Standard Contract Provisions; Relationship Management; Management Oversight; Fourth and Nth Party Management; Vendor Termination or Exit Procedures


Implementing Vendor Risk Management Programs

4.0 Vendor Risk Assessment Process
Pre-Outsourcing Risk Evaluation; Vendor Risk Tiering & Classification; Vendor Risk Assessment Operational Processes; Vendor Risk Assessment Metrics Reporting; Ongoing Vendor Risk Assessments; Process Automation

5.0 Skills & Expertise
Roles & Responsibilities; Staffing Levels & Competencies; Education, Training & Awareness; Budget & Resources; Qualifications & Certifications; Talent Management

6.0 Communication & Information Sharing
Vendor Risk Program Integration; Dashboards & Scorecards; Program Operations & Reporting; Board & Executive Reporting; Communication Protocols; Risk or Steering Committee Structures



Optimizing Vendor Risk Management Programs

7.0 Tools, Measurement & Analysis
Workflow Management; Vendor Risk Scoring Tools; Vendor Financial Analysis; Vendor Business Risk; Tool Automation; Re-Assessment Triggers

8.0 Monitoring & Review
Contract Provision Tracking & Maintenance; Monitoring Service Level Agreements and Performance; Potential Changes to Internal & External Environments; Self-Assessment/Audit Readiness & External Assurance; Controls Validation &/or Testing; Continuous Monitoring Program


The VRMMM is Used by 3,000+ Organizations to Benchmark and Evaluate TPRM Programs