
THIRD PARTY RISK MANAGEMENT TOOLKIT

2022 Vendor Risk Management Maturity Model


User Procedure Guide
Table of Contents
Third Party Risk Management Toolkit — Overview ... 1
Vendor Risk Management Maturity Model (VRMMM) ... 2
Build a Program, Implement a Program, Optimize a Program ... 2
Your Organization’s Maturity Levels ... 3
Current Maturity vs. Target Maturity ... 3
Start Here ... 4
Using VRMMM ... 4
Doing the Assessment ... 4
VRMMM Structure ... 5
Accountability Matrix ... 5
Entering Values for Maturity Levels ... 6
To turn Target Maturity on or off ... 6
The VRMMM Dashboard ... 7
VRMMM Program Components ... 8
Benchmarking Studies ... 8

Shared Assessments Third Party Risk Management Toolkit ii

© 2021, 2022 The Santa Fe Strategy Center LLC dba Shared Assessments. All Rights Reserved.

THIRD PARTY RISK MANAGEMENT TOOLKIT — OVERVIEW


The Shared Assessments TPRM Toolkit is a comprehensive set of tools that enable risk professionals to manage third party risk throughout each phase of the relationship lifecycle. The Toolkit includes components to evaluate your program, assess third party controls, and enhance data governance in third party relationships.

They embody the four phases of a mature vendor assessment lifecycle: Evaluate, Trust, Verify, and Manage.

Evaluate: Vendor Risk Management Maturity Model (VRMMM)
The VRMMM TPRM Program Assessment tool provides an industry-based maturity level ranking guide that enables objective identification of the maturity of each element of a TPRM program. The VRMMM provides a project management tracking dashboard to document results. Organizations can identify their desired or Target Maturity and utilize the VRMMM to identify process improvements, or to develop the business case for investment in the TPRM program.

Trust: Standardized Information Gathering (SIG) Manager
The SIG Manager is a comprehensive tool to enable the scoping and configuration of SIG questionnaires. The SIG Manager provides two pre-configured questionnaires, and the ability to easily create customized assessments. The SIG’s Content Library provides access to a comprehensive inventory of questions used for controls evaluation. The SIG Manager automates the creation and analysis of SIG responses, and provides options to maintain SIG data, bringing efficiency to the assessment process.

Verify: Standardized Control Assessment (SCA)
The Standardized Control Assessment (SCA) Tool is an objective and configurable set of controls evaluation procedures for performing third party risk assessments. The SCA provides an assessor an objective methodology for conducting the examination of controls related to each scoped risk domain. The SCA provides a comprehensive and summary record of assessment results needed for TPRM reporting.

Manage: Data Governance with Target Data Tracking (TDT)
The Target Data Tracker (TDT) is a data governance tool that enables the identification, tracking, and monitoring of the use and disclosure of personal data to third and fourth parties. The tool enhances your process to maintain data/vendor inventories and creates a due diligence artifact that meets specific contractual obligations for conveying data protection safeguards.


VENDOR RISK MANAGEMENT MATURITY MODEL (VRMMM)


The Vendor Risk Management Maturity Model (VRMMM) is a self-assessment tool to assist organizations in developing a mature TPRM program, and benchmarking that program against a comprehensive set of best practices. Broken into eight functional areas, the model explores more than 250 distinct program elements that form the basis of a well-run third party risk management program.

Organizations can use the VRMMM as a framework to quantify the business case for resource investment in the TPRM program.

The VRMMM product provides a methodology to create risk metrics that can be quantified, compared over time, and integrated with risk ratings in the organization’s overall enterprise risk management program.

BUILD A PROGRAM, IMPLEMENT A PROGRAM, OPTIMIZE A PROGRAM

The VRMMM describes and defines the components of a mature Third Party Risk Management program.

The eight categories of the VRMMM model explore more than 250 elements that should form the basis of a well-run Third Party Risk Management program.

Each phase of building, implementing, and optimizing is mapped into these categories.

YOUR ORGANIZATION’S MATURITY LEVELS

VRMMM is based on industry “capability maturity model” concepts. It uses a scale of 0–5 to identify the maturity level that your organization has achieved among the VRMMM’s eight Program Categories.

You can see a full chart of maturity levels — with detailed examples and descriptions — in the VRMMM product itself on the Maturity Level Ranking Guide tab. Identify the level based on the description that most accurately reflects the current state of the TPRM Program.

Hint: Most users print out the Maturity Level Ranking Guide and use it during the self-assessment process. You’ll find the Guide on its own tab in the VRMMM product.

MATURITY LEVELS

LEVEL  MEANING
0  Non-existent. The vendor risk management activity is not performed within the organization.
1  Initial visioning. The organization is considering how to best structure this activity as part of an effort to achieve full implementation. Vendor risk management activity is performed on an ad hoc basis.
2  Determining roadmap to achieve success. There is a management-approved plan to structure the activity as part of an effort to achieve full program implementation, but the vendor risk management activity is performed on an ad hoc basis.
3  Fully determined and established. The organization has fully defined, approved, and established the vendor risk management activity, but it is not yet fully operational. Metrics and enforcement are not yet fully in place.
4  Fully implemented and operational. The vendor risk management activity is fully operational and all compliance measures are in place.
5  Continuous improvement underway. The organization is striving towards operational excellence, understands what are currently best-in-class performance levels, and regularly implements program changes to achieve them.

If you turn on Target Maturity values, VRMMM adds an extra column to its program categories and to the Dashboard. The Dashboard also shows areas that are below target, near target, or at-or-above target by color-coding red, yellow, or white, respectively.

Color-coded program categories: Red for 2 or more values below target, Yellow for 1 value below target, White for at-or-above target.

CURRENT MATURITY VS. TARGET MATURITY

VRMMM provides two types of maturity valuation: Current Maturity and Target Maturity.

Current Maturity represents your assessment of where your organization is on the spectrum of VRMMM maturity levels for each statement. Current Maturity is an excellent benchmark for your organization in estimating where you are in the process of establishing a TPRM program.

Target Maturity is a rating that represents the maturity goal for your organization.

The Target Maturity rating values are optional. Some organizations may not have established a desired state for process maturity or may establish their future state only after their initial evaluation. During the actual self-assessment process, you may wish to conceal identified Target Maturity values from people who are assessing your organization’s TPRM program to ensure accurate responses.

Note: You must turn on the display of Target Maturity values if you want to use them.

VRMMM Dashboard showing color-coded Target Maturity hidden (top) and displayed (bottom).

START HERE

1. Start Excel and open the VRMMM.
2. Enable Content and Enable Editing.
3. Save the VRMMM to a different file name so that you will have a pristine VRMMM if you need to install it again.
4. Work with the copy of the VRMMM that you just made.

Do:
• Do open the VRMMM and save it to a different file name so that you have a clean and unused master. Then use the copy of the original.
• Do enable content and enable editing, then enter your company name when prompted.
• Do turn off AutoSave. AutoSave can be annoying.

Do Not:
• Do not run VRMMM from a shared network drive. You can store VRMMM on a shared drive, but you must copy it to a local computer to use it.
• Do not delete, add, rename, or move rows, columns, or worksheets on the VRMMM.
• Do not change the file type from .XLSM when saving VRMMM.
• Do not attempt to modify the underlying programming (the macros).
• Do not try to split the product into individual tabs.

USING VRMMM

VRMMM operates in two stages:

• Self-assessment: Provide your honest assessment, using the descriptions in the Maturity Ranking Guide, of your organization’s TPRM program maturity for each of the statements in the Third Party Risk Management program category tabs — Program Governance, Policies, Standards, Procedures, etc. To get the most from VRMMM, you can provide your organization’s Target Maturity goal for each of these categories (along with any comments). VRMMM provides an overall Dashboard assessment as you progress, along with the details from each of the tabs.

• Interpretation and planning: Once you have performed the self-assessment, interpreting the assessment provides you with direction for creating and improving your TPRM program. VRMMM provides you with a vetted framework and set of guideposts to build your policies, processes, and governance.

You can also use the VRMMM to vet the maturity of a third party’s TPRM program to gain assurance on fourth-party risk. In this use case, you may send the VRMMM to a critical service provider to complete their own self-assessment. The results will provide insight into the maturity of their TPRM program and how they are managing the risks of their subcontracted relationships.

You can save the VRMMM for year-over-year comparisons and use the VRMMM Executive Summary Data Tables and Reporting Templates spreadsheet to present your findings to management.

DOING THE ASSESSMENT

In using VRMMM, you move through a series of numbered program category tabs along the bottom of the product, providing a maturity value for each statement on the tab. Each tab focuses on a different category of Third Party Risk Management and benchmarking that measures your program against a comprehensive set of best practices.

When completed, the VRMMM Dashboard can provide a summary of areas for improvement and areas where your organization is doing well.

In using the VRMMM, you move through a series of numbered tabs.

When completed, the VRMMM Dashboard can show areas for improvement and areas where your organization is doing well.

VRMMM STRUCTURE

VRMMM is organized in eight high-level program categories, grouped into three stages — Building Your Program, Implementing Your Program, and Optimizing Your Program.

Each of the eight categories has six attributes.

The model explores more than 250 distinct program elements that form the basis of a well-run third party risk management program.

ACCOUNTABILITY MATRIX

The Accountability Matrix identifies and records by resource name the people and internal departments that can provide accurate responses about program maturity in the organization. The Accountability Matrix also shows what sections of the VRMMM tool are pertinent to those resources.

The most senior individual or governing body directly in charge of vendor or third party risk management should review the fully completed VRMMM assessment to look for inconsistencies. The VRMMM Dashboard tracks the progress of the assessment.

The VRMMM can serve as a guide or reference point that identifies those areas of the program that are not currently meeting your organization’s goals or aspirations.

ENTERING VALUES FOR MATURITY LEVELS

On each tab, VRMMM presents a series of statements that convey the requirements or actions an organization takes or has in place within their TPRM program. The statements are organized by program category and by attribute within that category.

See page 3 for more about VRMMM ratings.

This page shows Target Maturity as ON.

To turn Target Maturity on or off:

Note: If you’ve already entered Target Maturity values, hiding or displaying Target Maturity leaves those values intact. This allows you to conceal Target Maturity values from those completing the VRMMM but retain them for later analysis.

1. Click the Dashboard tab.
2. From the Target Maturity pulldown at the top of the page, select Display Target Maturity or Hide Target Maturity. The default condition is Hide Target Maturity.

When you select Display or Hide, VRMMM immediately makes the change throughout the product on all tabs.

To view an attribute definition:

1. On any tab on which you’re entering a maturity value, click the attribute (not the statement). VRMMM displays the definition of the attribute.
2. Click elsewhere on the spreadsheet to close the definition.

To enter maturity values:

1. Click the tab for the area you want to assess.
2. For each statement, type (or choose from the pulldown) the organization’s Current Maturity level on a scale from 0–5. See “Your Organization’s Maturity Levels,” on page 3 for information on how to determine maturity levels.
3. (Target Maturity, optional) For each statement, enter the organization’s Target Maturity level.

The greatest difference below Target Maturity for any one statement within an attribute determines the overall color-coding of the attribute. This color-coding also is shown on the Dashboard.

For example, even if only one statement has a Current Maturity of 3 and a Target Maturity of 5, that statement is highlighted in red and the overall attribute also is highlighted in red.

Tip: You can use Excel’s fill-down command (Ctrl-D or Cmd-D) to put the same value into multiple fields.

With values for both Current Maturity and Target Maturity in place, VRMMM color-codes where you meet or exceed target (white), are below target by 1 (yellow), or below target by 2 or more (red). The greatest difference below Target Maturity for any one statement determines the color-coding of the attribute.

THE VRMMM DASHBOARD

The VRMMM Dashboard provides a summary of your maturity benchmarking session that highlights areas of satisfactory performance as well as areas that may need improvement.

• The Dashboard color-codes only if you have Target Maturity displayed and you have entered values into the Target Maturity fields. No Target Maturity entry, no color-coding.

• The Dashboard displays the color-code of each Attribute. Each Attribute displays the color-code of the criterion with the greatest difference below Target Maturity.

• VRMMM Total displays an Aggregate Maturity Level for the benchmarking session.

• Adjust any data on its Category tab.

Dashboard figure labels: Program Categories; Percent of Category Completed; Aggregate Maturity Level; Current Maturity; Program Attributes; Target Maturity.
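The color-coding rules described in this section and under “Entering Values for Maturity Levels” (per-statement gap below target, worst-statement roll-up to the attribute, no coloring unless Target Maturity is displayed and entered), as an added Python example that is not part of the guide or of the VRMMM workbook. The Statement class, the sample category data, and the percent-completed and aggregate-maturity formulas are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

@dataclass
class Statement:
    text: str
    current: Optional[int] = None  # None = not yet assessed
    target: Optional[int] = None   # None = no Target Maturity entered

def gap_below_target(s: Statement) -> Optional[int]:
    """How far Current Maturity sits below Target Maturity (0 if at or above).
    None when either value is missing, so no color can be derived."""
    for level in (s.current, s.target):
        if level is not None and not 0 <= level <= 5:
            raise ValueError(f"maturity level must be 0-5, got {level!r}")
    if s.current is None or s.target is None:
        return None
    return max(0, s.target - s.current)

def color_for_gap(gap: Optional[int]) -> str:
    """White at or above target, yellow 1 below, red 2 or more below."""
    if gap is None:
        return "none"
    if gap >= 2:
        return "red"
    return "yellow" if gap == 1 else "white"

def attribute_color(statements: List[Statement], target_displayed: bool) -> str:
    """An attribute takes the color of its worst statement. Nothing is colored
    unless Target Maturity is displayed and target values were entered."""
    if not target_displayed:
        return "none"
    gaps = [g for g in map(gap_below_target, statements) if g is not None]
    return color_for_gap(max(gaps)) if gaps else "none"

def category_summary(attributes: Dict[str, List[Statement]],
                     target_displayed: bool) -> dict:
    """Dashboard row for one category. The percent-complete and aggregate
    formulas are assumptions: the guide names these fields, not the math."""
    all_statements = [s for sts in attributes.values() for s in sts]
    assessed = [s.current for s in all_statements if s.current is not None]
    return {
        "percent_completed": round(100 * len(assessed) / len(all_statements)),
        "aggregate_maturity": round(mean(assessed), 1) if assessed else None,
        "attribute_colors": {name: attribute_color(sts, target_displayed)
                             for name, sts in attributes.items()},
    }

# Constructed sample: one category with two attributes (attribute names from
# the guide's Program Components chart; statement text and values are made up).
GOVERNANCE = {
    "Risk Management Governance Model": [
        Statement("TPRM charter approved by the board", current=4, target=4),
        Statement("Governance roles documented", current=3, target=5),  # 2 below
    ],
    "Board Reporting and Management Oversight": [
        Statement("Quarterly TPRM report to the board", current=2, target=3),
        Statement("KRIs reviewed by management", current=None, target=3),
    ],
}

if __name__ == "__main__":
    print(category_summary(GOVERNANCE, target_displayed=True))
```

Toggling target_displayed to False reproduces the guide's "no Target Maturity entry, no color-coding" behaviour while leaving the entered values untouched.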

VRMMM PROGRAM COMPONENTS

This chart shows the organization of the VRMMM program components within each category.

Move through the VRMMM categories from left to right — building your program, implementing your program, and optimizing your program.

UNDERSTANDING THE HIERARCHY OF THE VRMMM PROGRAM COMPONENTS

Stages, left to right: BUILDING YOUR PROGRAM, IMPLEMENTING YOUR PROGRAM, OPTIMIZING YOUR PROGRAM.

1.0 PROGRAM GOVERNANCE: Risk Management Governance Model; Defined Program Objectives and Goals; Risk Management Strategy; Board Reporting and Management Oversight; ESG and Codes of Conduct; Mergers and Acquisitions.

2.0 POLICIES, STANDARDS, AND PROCEDURES: Vendor Risk Management Policy and Risk Categorization; Vendor and Data Inventory Requirements; Due Diligence Standards; Risk Rating and Vendor Classification; Contract Management Governance; Vendor Risk Management Lifecycle.

3.0 CONTRACT DEVELOPMENT, ADHERENCE, AND MANAGEMENT: Contract Operational Procedures; Criteria and Guidelines for Standard Contract Procedures; Relationship Management; Management Oversight; Fourth and Nth-Party Management; Vendor Termination or Exit Procedures.

4.0 VENDOR RISK ASSESSMENT PROCESS: Pre-Outsourcing Risk Evaluation; Vendor Risk Tiering and Classification; Vendor Risk Assessment Operational Processes; Vendor Risk Assessment Metrics Reporting; Ongoing Vendor Risk Assessments; Process Automation.

5.0 SKILLS AND EXPERTISE: Roles and Responsibilities; Staffing Levels and Competencies; Education, Training, and Awareness; Budget and Resources; Qualifications and Certifications; Talent Management.

6.0 COMMUNICATION AND INFORMATION SHARING: Vendor Risk Program Integration; Dashboards and Scorecards; Program Operations and Reporting; Board and Executive Reporting; Communications Protocols; Risk or Steering Committee Structures.

7.0 TOOLS, MEASUREMENT, AND ANALYSIS: Workflow Management; Vendor Risk Scoring Tools; Vendor Financial Analysis; Vendor Business Risk; Tool Automation; Re-Assessment Triggers.

8.0 MONITORING AND REVIEW: Contract Provision Tracking and Maintenance; Monitoring Service Level Agreements and Performance; Potential Changes to Internal and External Environments; Self-Assessment/Audit Readiness and External Assurance; Controls Validation and/or Testing; Continuous Monitoring Program.

BENCHMARKING STUDIES
Shared Assessments conducts periodic industry research studies using the VRMMM Program Components. These published studies provide insights into how TPRM programs are evolving based on changes in the external landscape. Organizations can leverage study results to compare or benchmark their programs against peers and the industry.

© 2021, 2022 The Santa Fe Strategy Center LLC, dba Shared Assessments. All Rights Reserved.

Documents created under the Shared Assessments program may be downloaded from the official Shared Assessments website at www.sharedassessments.org.

While retaining copyrights, Shared Assessments makes specific documents available to members and purchasers for the purpose of conducting self-assessments and Third Party security assessments. Licenses for other uses are available from Shared Assessments. Individuals and organizations should review the terms of use prior to downloading, copying, using, or modifying Shared Assessments documents.

This notice must be included on any copy of the Shared Assessments documents, excluding Assessors’ or consultants’ reports.

The Shared Assessments program is administered by The Santa Fe Strategy Center LLC, dba Shared Assessments (www.sharedassessments.org). Questions about this material
should be directed towards support@sharedassessments.org. If you are interested in the Shared Assessments program and would like us to contact you, email us at
info@sharedassessments.org.

The Shared Assessments program has been setting the standard in third party risk management since 2005. Member-driven development of program resources helps organizations to effectively manage the critical components of the third party risk management lifecycle by creating efficiencies and lowering costs for conducting rigorous assessments of controls for cybersecurity, IT, privacy, data security, and business resiliency. The Shared Assessments program is managed by The Santa Fe Strategy Center LLC, dba Shared Assessments (www.sharedassessments.org), a strategic advisory company based in Santa Fe, New Mexico. For more information on Shared Assessments, please visit: https://www.sharedassessments.org

P: (505) 466-6434
F: (505) 466-3111
E: info@sharedassessments.org
