Contents
Start Here: page 4
Using VRMMM: page 4
Doing the Assessment: page 4
VRMMM Structure: page 5
Accountability Matrix: page 5
Benchmarking Studies: page 8
© 2021, 2022 The Santa Fe Strategy Center LLC dba Shared Assessments. All Rights Reserved.
VRMMM
THIRD PARTY RISK MANAGEMENT TOOLKIT
VENDOR RISK MANAGEMENT MATURITY MODEL (VRMMM)
USER PROCEDURE GUIDE
Verify: Standardized Control Assessment (SCA)
The Standardized Control Assessment (SCA) Tool is an objective and configurable set of controls evaluation procedures for performing third party risk assessments. The SCA gives an assessor an objective methodology for examining the controls related to each scoped risk domain, and it produces a comprehensive and summary record of assessment results needed for TPRM reporting.

Manage: Data Governance with Target Data Tracking (TDT)
The Target Data Tracker (TDT) is a data governance tool that enables the identification, tracking, and monitoring of the use and disclosure of personal data to third and fourth parties. The tool enhances your process for maintaining data/vendor inventories and creates a due diligence artifact that meets specific contractual obligations for conveying data protection safeguards.
User Procedure Guide: VRMMM Shared Assessments Third Party Risk Management Toolkit GLOSSARY 1
YOUR ORGANIZATION'S MATURITY LEVELS

VRMMM is based on industry "capability maturity model" concepts. It uses a scale of 0–5 to identify the maturity level that your organization has achieved among the VRMMM's eight Program Categories.

You can see a full chart of maturity levels — with detailed examples and descriptions — in the VRMMM product itself on the Maturity Level Ranking Guide tab. Identify the level based on the description that most accurately reflects the current state of the TPRM Program.

Hint: Most users print out the Maturity Level Ranking Guide and use it during the self-assessment process. You'll find the Guide on its own tab in the VRMMM product.

MATURITY LEVELS

LEVEL  MEANING
0  Non-existent. The vendor risk management activity is not performed within the organization.
1  Initial visioning. The organization is considering how to best structure this activity as part of an effort to achieve full implementation. Vendor risk management activity is performed on an ad hoc basis.
2  Determining roadmap to achieve success. There is a management-approved plan to structure the activity as part of an effort to achieve full program implementation, but the vendor risk management activity is performed on an ad hoc basis.
3  Fully determined and established. The organization has fully defined, approved, and established the vendor risk management activity, but it is not yet fully operational. Metrics and enforcement are not yet fully in place.
4  Fully implemented and operational. The vendor risk management activity is fully operational and all compliance measures are in place.
5  Continuous improvement underway. The organization is striving towards operational excellence, understands what are currently best-in-

If you turn on Target Maturity values, VRMMM adds an extra column to its program categories and to the Dashboard. The Dashboard also shows areas that are below target, near target, or at-or-above target by color-coding them red, yellow, or white, respectively.

Color-coded program categories: Red for 2 or more values below target, Yellow for 1 value below target, White for at-or-above target.

TARGET MATURITY

VRMMM provides two types of maturity valuation: Current Maturity and Target Maturity.

Current Maturity represents your assessment of where your organization is on the spectrum of VRMMM maturity levels for each statement. Current Maturity is an excellent benchmark for your organization in estimating where you are in the process of establishing a TPRM program.

Target Maturity is a rating that represents the maturity goal for your organization.

The Target Maturity rating values are optional. Some organizations may not have established a desired state for process maturity or may establish their future state only after their initial evaluation. During the actual self-assessment process, you may wish to conceal identified Target Maturity values from the people who are assessing your organization's TPRM program to ensure accurate responses.

Note: You must turn on the display of Target Maturity values if you want to use them.
START HERE

1. Start Excel and open the VRMMM.
2. Enable Content and Enable Editing.
3. Save the VRMMM to a different file name so that you will have a pristine VRMMM if you need to install it again.
4. Work with the copy of the VRMMM that you just made.

Do:
- Do open the VRMMM and save it to a different file name so that you have a clean and unused master. Then use the copy of the original.
- Do enable content and enable editing, then enter your company name when prompted.
- Do turn off AutoSave. AutoSave can be annoying.

Do Not:
- Do not run VRMMM from a shared network drive. You can store VRMMM on a shared drive, but you must copy it to a local computer to use it.
- Do not delete, add, rename, or move rows, columns, or worksheets on the VRMMM.
- Do not change the file type from .XLSM when saving VRMMM.
- Do not attempt to modify the underlying programming (the macros).
- Do not try to split the product into individual tabs.

USING VRMMM

VRMMM operates in two stages:

• Self-assessment: Provide your honest assessment, using the descriptions in the Maturity Ranking Guide, of your organization's TPRM program maturity for each of the statements in the Third Party Risk Management program category tabs — Program Governance, Policies, Standards, Procedures, etc. To get the most from VRMMM, you can provide your organization's Target Maturity goal for each of these categories (along with any comments). VRMMM provides an overall Dashboard assessment as you progress, along with the details from each of the tabs.

• Interpretation and planning: Once you have performed the self-assessment, interpreting the assessment provides you with direction for creating and improving your TPRM program. VRMMM provides you with a vetted framework and set of guideposts to build your policies, processes, and governance.

You can also use the VRMMM to vet the maturity of a third party's TPRM program to gain assurance on fourth-party risk. In this use case, you may send the VRMMM to a critical service provider to complete their own self-assessment. The results will provide insight into the maturity of their TPRM program and how they are managing the risks of their subcontracted relationships.

You can save the VRMMM for year-over-year comparisons and use the VRMMM Executive Summary Data Tables and Reporting Templates spreadsheet to present your findings to management.

DOING THE ASSESSMENT

In using VRMMM, you move through a series of numbered program category tabs along the bottom of the product, providing a maturity value for each statement on the tab. Each tab focuses on a different category of Third Party Risk Management and benchmarking that measures your program against a comprehensive set of best practices.

When completed, the VRMMM Dashboard can provide a summary of areas for improvement and areas where your organization is doing well.
VRMMM STRUCTURE
VRMMM is organized in eight high-level
program categories, grouped into three stages
— Building Your Program, Implementing Your
Program, and Optimizing Your Program.
ACCOUNTABILITY MATRIX
The Accountability Matrix identifies and
records by resource name the people and
internal departments that can provide accurate
responses about program maturity in the
organization. The Accountability Matrix also
shows what sections of the VRMMM tool are
pertinent to those resources.
ENTERING VALUES FOR MATURITY LEVELS

On each tab, VRMMM presents a series of statements that convey the requirements or actions an organization takes or has in place within their TPRM program. The statements are organized by program category and by attribute within that category.

To display or hide Target Maturity values:

1. Click the Dashboard tab.
2. From the Target Maturity pulldown at the top of the page, select Display Target Maturity or Hide Target Maturity. The default condition is Hide Target Maturity.

To view an attribute definition:

1. On any tab on which you're entering a maturity value, click the attribute (not the statement). VRMMM displays the definition of the attribute.

To enter maturity values:

1. Click the tab for the area you want to assess.
2. For each statement, type (or choose from the pulldown) the organization's Current Maturity level on a scale from 0–5. See "Your Organization's Maturity Levels," on page 3 for information on how to determine maturity levels.

Tip: You can use Excel's fill-down command (Ctrl-D or Cmd-D) to put the same value into multiple fields.

With values for both Current Maturity and Target Maturity in place, VRMMM color-codes where you meet or exceed target (white), are below target by 1 (yellow), or below target by 2 or more (red). The greatest difference below Target Maturity for any one statement determines the color-coding of the attribute.

For example, even if only one statement has a Current Maturity of 3 and a Target Maturity of 5, that statement is highlighted in red and the overall attribute also is highlighted in red.
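The color-coding rule just described, written out as an added illustration (this is not the VRMMM workbook's own macro code). It assumes each statement is a (Current Maturity, Target Maturity) pair on the 0–5 scale, with the target given as None when Target Maturity is hidden or not set, and it rolls the worst statement up to the attribute the same way the Dashboard does.

```python
# Added illustration of the VRMMM statement/attribute color-coding rule;
# not the product's own macro code. Assumes (current, target) pairs on the
# 0-5 scale, with target None when no Target Maturity value is in place.
from typing import List, Optional, Tuple

WHITE, YELLOW, RED = "white", "yellow", "red"


def statement_gap(current: int, target: Optional[int]) -> Optional[int]:
    """Return how far below target a statement is (target - current),
    or None when the statement has no Target Maturity value."""
    for value in (current, target):
        if value is not None and not 0 <= value <= 5:
            raise ValueError(f"maturity value {value} is outside the 0-5 scale")
    if target is None:
        return None
    return target - current


def color_for_gap(gap: Optional[int]) -> Optional[str]:
    """Map a gap to the Dashboard color: at-or-above target is white,
    below target by 1 is yellow, below target by 2 or more is red."""
    if gap is None:
        return None  # no target in place: nothing to color-code
    if gap <= 0:
        return WHITE
    if gap == 1:
        return YELLOW
    return RED


def attribute_color(statements: List[Tuple[int, Optional[int]]]) -> Optional[str]:
    """Color an attribute by the greatest gap among its statements, so one
    statement 2 or more levels below target turns the whole attribute red."""
    gaps = [statement_gap(current, target) for current, target in statements]
    known = [gap for gap in gaps if gap is not None]
    if not known:
        return None
    return color_for_gap(max(known))


if __name__ == "__main__":
    # Constructed sample: three statements under one attribute; only the
    # first is below target, and it alone makes the attribute red.
    sample = [(3, 5), (4, 4), (5, 5)]
    print([color_for_gap(statement_gap(c, t)) for c, t in sample])  # ['red', 'white', 'white']
    print(attribute_color(sample))  # red
```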
VRMMM PROGRAM COMPONENTS
This chart shows the organization of the VRMMM program components within each category.
Move through the VRMMM categories from left to right — building your program, implementing your program, and optimizing your program.
Category column 1: Defined Program Objectives and Goals; Risk Management Strategy; Board Reporting and Management Oversight; ESG and Codes of Conduct; Mergers and Acquisitions.
Category column 2: Vendor and Data Inventory Requirements; Due Diligence Standards; Risk Rating and Vendor Classification; Contract Management; Vendor Risk Management Lifecycle.
Category column 3: Criteria and Guidelines for Standard Contract Procedures; Relationship Management; Management Oversight Reporting; Fourth and Nth-Party Management Governance; Vendor Termination or Exit Procedures.
Category column 4: Vendor Risk Tiering and Classification; Vendor Risk Assessment Processes; Vendor Risk Assessment Metrics; Ongoing Vendor Risk Assessments; Process Automation.
Category column 5: Staffing Levels and Competencies; Education, Training, and Awareness; Budget and Resources; Qualifications and Certifications; Talent Management.
Category column 6: Dashboards and Scorecards; Program Operations and Reporting; Board and Executive Reporting; Communications Protocols; Risk or Steering Committee Structures.
Category column 7: Vendor Risk Scoring Tools; Vendor Financial Analysis; Vendor Business Risk; Tool Automation; Re-Assessment Triggers.
Category column 8: Monitoring Service Level Agreements and Performance; Potential Changes to Internal and External Operational Environments; Self-Assessment/Audit Readiness and External Assurance; Controls Validation and/or Testing; Continuous Monitoring Program.
BENCHMARKING STUDIES

Shared Assessments conducts periodic industry research studies using the VRMMM Program Components. These published studies provide insights into how TPRM programs are evolving in response to changes in the external landscape. Organizations can use the study results to benchmark their programs against peers and the industry as a whole.
© 2021, 2022 The Santa Fe Strategy Center LLC, dba Shared Assessments. All Rights Reserved.
Documents created under the Shared Assessments program may be downloaded from the official Shared Assessments website at www.sharedassessments.org.
While retaining copyrights, Shared Assessments makes specific documents available to members and purchasers for the purpose of conducting self-assessments and Third
Party security assessments. Licenses for other uses are available from Shared Assessments. Individuals, and organizations should review the terms of use prior to downloading,
copying, using, or modifying Shared Assessments documents.
This notice must be included on any copy of the Shared Assessments documents, excluding Assessors’ or consultants’ reports.
The Shared Assessments program is administered by The Santa Fe Strategy Center LLC, dba Shared Assessments (www.sharedassessments.org). Questions about this material
should be directed towards support@sharedassessments.org. If you are interested in the Shared Assessments program and would like us to contact you, email us at
info@sharedassessments.org.
The Shared Assessments program has been setting the standard in third party risk management since 2005. Member-driven development of program resources helps organizations to effectively manage the critical components of the third party risk management lifecycle by creating efficiencies and lowering costs for conducting rigorous assessments of controls for cybersecurity, IT, privacy, data security, and business resiliency.

The Shared Assessments program is managed by The Santa Fe Strategy Center LLC, dba Shared Assessments (www.sharedassessments.org), a strategic advisory company based in Santa Fe, New Mexico. For more information on Shared Assessments, please visit: https://www.sharedassessments.org

P: (505) 466-6434
F: (505) 466-3111
E: info@sharedassessments.org