VRMMM – Vendor Risk Management Maturity Model
The VRMMM evaluates third-party risk programs against a set of comprehensive best practices and industry benchmarks. The VRMMM includes the Third Party Risk Management Benchmark Study!
VRMMM Helps Organizations Create or Mature Third-Party Risk Management Programs
- Adapt a program structure by type of outsourcer services and maturity level based on industry, organization size and risk tolerance.
- Make informed decisions for resource allocation and vendor-related risk.
- Establish a baseline against which to benchmark program maturity.
- Use program governance as a foundational element for other risk program criteria.
- Identify components that will deliver the highest organizational value.
- Track program maturity over time to determine and communicate progress, and identify areas for improvement.
How Our Third-Party Risk Maturity Model Works
The VRMMM breaks third-party risk down into eight categories and explores more than 250 program elements that should form the basis of a well-run third-party risk management program.
Foundation
Building Vendor Risk Management Programs
1.0 Program Governance
Risk Management Governance Model; Defined Program Objectives and Goals; Risk Management Strategy; Board Reporting and Management Oversight; ESG and Codes of Conduct; Mergers and Acquisitions
2.0 Policies, Standards, Procedures
Vendor Risk Management Policy and Risk Categorization; Vendor and Data Inventory Requirements; Due Diligence Standards; Risk Rating and Vendor Classification; Contract Management Governance; Vendor Risk Management Lifecycle
3.0 Contracts
Contract Operational Procedures; Criteria and Guidelines for Standard Contract Provisions; Relationship Management; Management Oversight; Fourth and Nth Party Management; Vendor Termination or Exit Procedures
Operations
Implementing Vendor Risk Management Programs
4.0 Vendor Risk Assessment Process
Pre-Outsourcing Risk Evaluation; Vendor Risk Tiering & Classification; Vendor Risk Assessment Operational Processes; Vendor Risk Assessment Metrics Reporting; Ongoing Vendor Risk Assessments; Process Automation
5.0 Skills & Expertise
Roles & Responsibilities; Staffing Levels & Competencies; Education, Training & Awareness; Budget & Resources; Qualifications & Certifications; Talent Management
6.0 Communication & Information Sharing
Vendor Risk Program Integration; Dashboards & Scorecards; Program Operations & Reporting; Board & Executive Reporting; Communication Protocols; Risk or Steering Committee Structures
Measurements
Optimizing Vendor Risk Management Programs
7.0 Tools, Measurement & Analysis
Workflow Management; Vendor Risk Scoring Tools; Vendor Financial Analysis; Vendor Business Risk; Tool Automation; Re-Assessment Triggers
8.0 Monitoring & Review
Contract Provision Tracking & Maintenance; Monitoring Service Level Agreements and Performance; Potential Changes to Internal & External Environments; Self-Assessment/Audit Readiness & External Assurance; Controls Validation &/or Testing; Continuous Monitoring Program