A VRMMM Helps Third Party Risk Programs

  • Adapt a program structure by type of outsourcer services and maturity level based on industry, organization size and risk tolerance.
  • Make informed decisions for resource allocation and vendor-related risk.
  • Establish a baseline against which to benchmark program maturity.
  • Use program governance as a foundational element for other risk program criteria.
  • Identify components that will deliver the highest organizational value.
  • Track program maturity over time to determine and communicate progress, and identify areas for improvement.

How Our Third Party Risk Maturity Model Works

The VRMMM breaks third party risk down into eight categories and explores more than 200 program elements that should form the basis of a well-run third party risk management program.


Optimizing Vendor Risk Management Programs

8.0 Monitor & Review:
Contract Provision Tracking & Maintenance; Monitoring Service Level Agreements and Performance; Potential Changes to Internal & External Environments; Self-Assessment/Audit Readiness & Assurance; Controls Validation &/or Testing; Continuous Monitoring Program.

7.0 Tools, Measurements & Analysis:
Workflow Management; Vendor Risk Scoring Tools; Vendor Financial Analysis; Vendor Business Risk; Tool Automation.


Implementing Vendor Risk Management Programs

6.0 Communications & Information Sharing:
Vendor Risk Program Integration; Dashboards/Scorecards; Operational Management Reporting; Board & Executive Reporting; Communication Protocols.

5.0 Skills & Expertise:
Roles & Responsibilities; Staffing Levels & Competencies; Training & Awareness; Budget & Resources; Certifications.

4.0 Vendor Risk Assessment Process:
Outsourcing Risk Assessment Process; Vendor Assessment and Classification; Vendor Assessment Operational Processes; Vendor Assessment Metrics Reporting; Ongoing Vendor Risk Assessments; Process Automation.


Building Vendor Risk Management Programs

3.0 Contracts:
Vendor Contract Management Operational Procedures; Criteria/Guidelines for Standard Contract Provisions; Relationship Management; Management Oversight.

2.0 Policies, Standards, Procedures:
Vendor Risk Management Policy; Vendor Inventory Requirements; Vendor Due Diligence Standards; Vendor Classification Operational Procedures; Contract Management Governance; Vendor Management Procedures; Vendor Termination or Exit Procedures.

1.0 Program Governance:
Formalized Vendor Risk Governance Model/Structure; Defined Program Objectives/Goals; Established Risk Posture; Board Reporting/Management Oversight; Standards of Conduct.

The VRMMM is Used by 3,000+ Organizations to Benchmark and Evaluate TPRM Programs

Vendor Risk Management Tools

Our vendor risk management tools empower you to manage the full vendor assessment life cycle.


Vendor Risk Management Maturity Model
Benchmark and evaluate third party risk programs

  • VRMMM Tool
  • Vendor Risk Management
  • Benchmark Study
  • VRMMM Executive Summary
  • VRMMM Executive Summary Template
  • VRMMM Getting Started Guide

Free to Download


Standardized Information Gathering Questionnaire
Build, customize, analyze and store vendor questionnaires

  • SIG Management Tool
  • SIG Getting Started Guide

Single License: $7500 / Year


Standardized Control Assessment Procedure
Perform onsite or virtual assessments of vendors

  • SCA Standards
  • SCA Report Template
  • Assessment Best Practices Checklist
  • SCA Executive Summary Data Table Templates
  • SCA Executive Summary Reporting Template
  • SCA Getting Started Guide

Single License: $5000 / Year


Third Party Privacy Tools
Scope and evaluate a third party privacy assessment

  • Privacy Tools Questionnaire
  • Test Procedures
  • Target Data Tracker
  • Target Data Tracker Getting Started Guide

Only Available with Toolkit License