VRMMM Helps Organizations Create or Mature Third Party Risk Management Programs

  • Adapt a program structure by type of outsourcer services and maturity level based on industry, organization size and risk tolerance.
  • Make informed decisions for resource allocation and vendor-related risk.
  • Establish a baseline against which to benchmark program maturity.
  • Use program governance as a foundational element for other risk program criteria.
  • Identify components that will deliver the highest organizational value.
  • Track program maturity over time to determine and communicate progress, and identify areas for improvement.

How Our Third-Party Risk Maturity Model Works

The VRMMM breaks third-party risk down into eight categories and explores more than 250 program elements that should form the basis of a well-run third-party risk management program.



Building Vendor Risk Management Programs

1.0 Program Governance
Risk Management Governance Model; Defined Program Objectives and Goals; Risk Management Strategy; Board Reporting and Management Oversight; ESG and Codes of Conduct; Mergers and Acquisitions

2.0 Policies, Standards, Procedures
Vendor Risk Management Policy and Risk Categorization; Vendor and Data Inventory Requirements; Due Diligence Standards; Risk Rating and Vendor Classification; Contract Management Governance; Vendor Risk Management Lifecycle

3.0 Contracts
Contract Operational Procedures; Criteria and Guidelines for Standard Contract Provisions; Relationship Management; Management Oversight; Fourth and Nth Party Management; Vendor Termination or Exit Procedures


Implementing Vendor Risk Management Programs

4.0 Vendor Risk Assessment Process
Pre-Outsourcing Risk Evaluation; Vendor Risk Tiering & Classification; Vendor Risk Assessment Operational Processes; Vendor Risk Assessment Metrics Reporting; Ongoing Vendor Risk Assessments; Process Automation

5.0 Skills & Expertise
Roles & Responsibilities; Staffing Levels & Competencies; Education, Training & Awareness; Budget & Resources; Qualifications & Certifications; Talent Management

6.0 Communication & Information Sharing
Vendor Risk Program Integration; Dashboards & Scorecards; Program Operations & Reporting; Board & Executive Reporting; Communication Protocols; Risk or Steering Committee Structures



Optimizing Vendor Risk Management Programs

7.0 Tools, Measurement & Analysis
Workflow Management; Vendor Risk Scoring Tools; Vendor Financial Analysis; Vendor Business Risk; Tool Automation; Re-Assessment Triggers

8.0 Monitoring & Review
Contract Provision Tracking & Maintenance; Monitoring Service Level Agreements and Performance; Potential Changes to Internal & External Environments; Self-Assessment/Audit Readiness & External Assurance; Controls Validation &/or Testing; Continuous Monitoring Program


The VRMMM is Used by 3,000+ Organizations to Benchmark and Evaluate TPRM Programs

Vendor Risk Management Tools

Our vendor risk management tools empower you to manage the full vendor assessment life cycle.


Vendor Risk Management Maturity Model
Benchmark and evaluate third-party risk programs

  • VRMMM User Procedure Guide
  • VRMMM TPRM Program Assessment Tool
  • VRMMM Executive Summary Reporting Template
  • VRMMM Executive Summary Data Tables

Free to Download


Standardized Information Gathering Questionnaire
Build, customize, analyze and store vendor questionnaires

  • SIG User Procedure Guide 
  • SIG Manager Tool 
  • SIG Implementation Workbook 
  • SIG Documentation Artifacts Request List

Single License: $6000 / Year


Standardized Control Assessment Procedure
Perform onsite or virtual assessments of vendors

  • SCA User Procedure Guide
  • SCA Tool
  • SCA Best Practices Checklist
  • SCA Documentation Artifacts Checklist
  • SCA Executive Reporting Template
  • SCA Executive Summary Data Tables
  • SCA Guidelines Final

Single License: $3000 / Year

Data Governance

Data Governance Tools
Scope and evaluate a third-party privacy assessment

  • Data Governance User Procedure Guide
  • Privacy SIG Questionnaire Template
  • Privacy SCA Procedure Template
  • Target Data Tracker

Single License: $2500 / Year