VRMMM – Vendor Risk Management Maturity Model

The VRMMM evaluates third-party risk programs against a set of comprehensive best practices and industry benchmarks. It helps organizations set goals and is the “planning” and “evaluation” portion of our third-party risk toolkit which is used by over 15,000 organizations worldwide.

VRMMM Helps Organizations Create or Mature Third Party Risk Management Programs

Adapt a program structure by type of outsourcer services and maturity level based on industry, organization size and risk tolerance.
Make informed decisions for resource allocation and vendor-related risk.
Establish a baseline against which to benchmark program maturity.
Use program governance as a foundational element for other risk program criteria.
Identify components that will deliver the highest organizational value.
Track program maturity over time to determine and communicate progress, and identify areas for improvement.

How Our Third-Party Risk Maturity Model Works

The VRMMM breaks third-party risk down into eight categories and explores more than 250 program elements that should form the basis of a well-run third-party risk management program.

Foundation

Building Vendor Risk Management Programs

1.0 Program Governance
Risk Management Governance Model; Defined Program Objectives and Goals; Risk Management Strategy; Board Reporting and Management Oversight; ESG and Codes Of Conduct; Mergers and Acquisitions

2.0 Policies, Standards, Procedures
Vendor Risk Management Policy and Risk Categorization; Vendor and Data Inventory Requirements; Due Diligence Standards; Risk Rating and Vendor Classification; Contract Management Governance; Vendor Risk Management Lifecycle

3.0 Contracts
Contract Operational Procedures; Criteria and Guidelines for Standard Contract Provisions; Relationship Management; Management Oversight; Fourth and Nth Party Management; Vendor Termination or Exit Procedures

Operations

Implementing Vendor Risk Management Programs

4.0 Vendor Risk Assessment Process
Pre-Outsourcing Risk Evaluation; Vendor Risk Tiering & Classification; Vendor Risk Assessment Operational Processes; Vendor Risk Assessment Metrics Reporting; Ongoing Vendor Risk Assessments; Process Automation

5.0 Skills & Expertise
Roles & Responsibilities; Staffing Levels & Competencies; Education, Training & Awareness; Budget & Resources; Qualifications & Certifications; Talent Management

6.0 Communication & Information Sharing
Vendor Risk Program Integration; Dashboards & Scorecards; Program Operations & Reporting; Board & Executive Reporting; Communication Protocols; Risk or Steering Committee Structures

Measurements

Optimizing Vendor Risk Management Programs

7.0 Tools, Measurement & Analysis Workflow Management; Vendor Risk Scoring Tools; Vendor Financial Analysis; Vendor Business Risk; Tool Automation; Re-Assessment Triggers

8.0 Monitoring & Review
Contract Provision Tracking & Maintenance; Monitoring Service Level Agreements and Performance; Potential Changes to Internal & External Environments; Self-Assessment/Audit Readiness & External Assurance; Controls Validation &/or testing; Continuous Monitoring Program