
THIRD PARTY RISK MANAGEMENT TOOLKIT

Vendor Risk Management Maturity Model:


Sample Executive Summary Reporting Templates

MANAGEMENT REPORTING TEMPLATES:


SUMMARIZING TPRM PROGRAM ASSESSMENT RESULTS
OVERVIEW
The Vendor Risk Management Maturity Model (VRMMM) is a TPRM Program Assessment Tool to assist organizations in developing a mature TPRM program and
benchmarking that program against a comprehensive set of best practices. The tool enables an organization to complete an assessment of the current and target
maturity of each aspect of a company’s TPRM Program. The Tool provides a self-assessment and planning tool for:
• Evaluating the key attributes and detailed criteria of a mature Third Party Risk Management (TPRM) program;
• Objectively identifying and determining an organization’s TPRM practice maturity level;
• Benchmarking the program against industry and peer results, based upon regular Shared Assessments’ TPRM Benchmark Surveys; and
• Enhancing TPRM program management reporting for the Board of Directors and C-Suite, as in Shared Assessments’ 2019 vendor risk management benchmark study.

The VRMMM Tool can be an integral part of your TPRM risk management program. The VRMMM Tool provides a methodology to create risk metrics that can be
quantified, compared over time, and integrated with the organization’s overall enterprise risk management program. The Tool provides objective measurements
that evaluate an organization’s TPRM program practice maturity, which can be used for internal planning, executive management reporting, and building the
business case for investment in the company’s TPRM Program.

Maturity Levels: Within the VRMMM Tool, the Maturity Level Ranking worksheet provides detailed descriptions of program attributes to enable each organization
to identify the level of process maturity for each TPRM program category. Organizations select the description that most accurately represents their current
maturity level. Maturity Level descriptions are included for quick reference when using the Executive Summary Reporting Templates in management reporting.

Target Maturity Levels: An organization may structure their TPRM program based on the organization’s defined risk tolerance, on industry expectations, or on other
combinations of factors relevant for that organization’s unique risk posture. Within the VRMMM Tool, the organization can identify their desired maturity level by
selecting their Target Maturity Level. At its option, an organization may use Target Maturity levels to set goals for program improvements over a specified period of
time. Not all organizations will be utilizing Target Maturity levels, though it is an encouraged practice. An organization’s overall approach to third party risk can be
influenced by the internal and external environment so that both Current and Target Maturity levels may change over time.

Please see the VRMMM User Procedure Guide in your VRMMM Tool download file for more information on how to establish and use Target Maturity Levels.

Third Party Risk Management Toolkit: VRMMM Tool Sample Executive Summary Reporting Templates page 2 of 24

© 2021-2022. The Santa Fe Strategy Center LLC, dba Shared Assessments. All Rights Reserved.
VRMMM TOOL AND DASHBOARD REPORTING:
The VRMMM Tool contains a dashboard that summarizes the progress or status of completion of the TPRM Program Assessments. The VRMMM Tool offers a multi-dimensional
view for evaluating a TPRM Program. Assessment results can identify the overall state of maturity at the TPRM Program Category, at the TPRM Program
Attribute, or based upon individual TPRM Program Detailed Criteria. Assessment results are displayed in the Tool and on the Dashboard for each summary
section of the program evaluation or assessment.

VRMMM Dashboard Results for the Program Governance Category

VRMMM Worksheet Results for flagged TPRM Program Governance Attributes

Sample Executive Summary Reporting Templates


The purpose of an Executive Summary is to provide a quick view at a glance. Management reporting on TPRM combines education on the overall approach to third
party assessments along with metrics demonstrating how the organization executes its TPRM program processes.

This document provides a set of Sample Executive Summary Reporting Templates that can be leveraged to include assessment results in TPRM management
reporting, risk metrics, and risk dashboards. The formatted data tables and charts in each sample Template are populated with mock data. These tables can be found
in the accompanying VRMMM Executive Summary Data Tables Excel spreadsheet.

You can edit these tables to include your own data in the spreadsheet and replace the charts or tables in the sample Report Templates. As data is entered into the
VRMMM tool, the tool automatically color-codes each TPRM Program Category, Attribute, and Detailed Criteria according to whether the organization meets-or-exceeds
its desired maturity level, or whether the organization is one or more levels away from meeting its identified Target Maturity. Drop-down choices in the
Reporting Templates offer a similar functionality.

Organization of the Templates:


In this document, a selection of sample Reporting Templates is provided that you may tailor and use to supplement your risk management reporting when
crafting your own VRMMM TPRM Program Assessment Executive Summary. These templates include tables and charts that can be used to summarize or highlight
your Assessment results. Each group of tables and charts has a different focus that is designed to best meet a variety of types of management requests. Certain
tables can be customized or formatted to include organizational planned actions, risk ratings, or to summarize the scope and depth of the assessment for audit
purposes. These Reporting Templates are provided for illustrative purposes and are designed to inspire ideas for Executive Summary or Dashboard Reports that best
meet your organization’s requirements. The Templates are “mock-ups” using test cases or sample data and are designed to be modified by your organization.

The first set of templates in the Excel samples provides short summary tables and action planning heat maps without reference to Target Maturity:

• Sample Executive Summary Template 1 – TPRM Program Components Self-Assessment Results
This Executive Summary Template focuses on summarizing the results of an initial self-assessment by concentrating on the baseline of process maturity for
each of the TPRM Program Categories. This template provides a summary of the number of TPRM Program criteria evaluated and the overall maturity level for
each component.

• Sample Executive Summary Template 2 – Risk Rating and Action Planning
This template enables sharing the results of the self-assessment, and enables the organization to add a risk rating to each component based on their analysis of
results and identify key action steps. This Template can supplement an organization’s dashboards, scorecards, or third party risk reports to management.

• Sample Executive Summary Template 3 – TPRM Program Maturity Year over Year Comparisons
TPRM Programs can change over time. This template enables the organization to show progress and changes on program maturity with multiple year results.
This format may work for you if you need to provide focus on managing changes to the environment that require the organization to adapt its TPRM program
to respond to those changes.

• Sample Executive Summary Template 4 – TPRM Self-Assessment using Peer Benchmarking
This template utilizes a benchmarking option based on incorporating results from Shared Assessments’ TPRM Benchmark Survey studies. An organization can
compare their assessment results based on the aggregated results published in the study. An organization can also utilize data from the report for peer
industries or types of organization to evaluate itself against a peer. These comparisons can help tell a story to assist in business case development for
strengthening TPRM programs.

• Sample Executive Summary Template 5 - Findings or Process Improvement Focus Based upon TPRM Program Attributes
Template 5 is configurable for the organization to identify the key attributes or criteria that demonstrated the lowest maturity levels in the evaluation process.
This enables the organization to reflect on specific actions or recommendations for process improvement. This format provides transparency in management
reporting and flexibility in sharing the results by assessment focus area. The rating tables shown here are only examples. Your findings criteria should be based
on your risk management priorities and VRMMM results.

The second set of templates includes tables and sample charts for organizations that are using Target Maturity levels. The sample templates can assist organizations
throughout the stages of building, running, and measuring a program by setting specific desired maturity levels to see current practice maturity against
Target Maturity levels.

• Sample Executive Summary Template 6 – TPRM Program Components Self-Assessment Results with Target Maturity
This template utilizes the same scoring mechanism based on the percent of correctly implemented controls as Template 1; however, this template shows the
Target Maturity and the number of Criteria included in each program category. This format provides transparency in management reporting and flexibility in
sharing the results by assessment focus area.

• Sample Executive Summary Template 7 - Risk Rating and Action Planning and TPRM Business Case Development
This template enables sharing the results of the self-assessment, and enables the organization to add a risk rating to each category based on their analysis of
results and identify key action steps. This Template can supplement an organization’s dashboards, scorecards, or third party risk reports to management. The
rating tables shown here are only examples. Your findings criteria should be based on your risk management priorities and VRMMM results.

• Sample Executive Summary Template 8 - Target Maturity Findings or Process Improvement Focus Based upon TPRM Program Attributes
This set of templates provides a summary based on the lifecycle of a TPRM Program. The Template organizes sample charts for TPRM Program Categories
involved in building, running, and measuring a TPRM Program. Template 8 is configurable for the organization to identify the key attributes or criteria that
demonstrated the lowest maturity levels in the evaluation process. This enables the organization to reflect on specific actions or recommendations for process
improvement. Charts included in this template may be useful for organizations in the early stages of formalizing their approach to third party risk or for those
organizations that are expanding or growing their TPRM program, especially in light of changes in the regulatory landscape. This format identifies best
practices, including continuous monitoring and focus on external assurance. This template may be useful for organizations with mature programs to foster
ideas on how to maximize results and risk mitigation with enhanced monitoring and oversight.

VRMMM MATURITY LEVELS OVERVIEW

Within the VRMMM Tool, the Maturity Level Ranking Guide worksheet provides detailed descriptions of program attributes to enable each organization to rank by
maturity level each TPRM program category. When reporting results or incorporating results into Management Reporting, this summary description is provided as
reference material.

Definitions of the VRMMM Maturity Levels

MATURITY LEVEL | TPRM PROGRAM STATUS | DESCRIPTION OF TPRM PROGRAM PERFORMANCE
LEVEL 0 | START UP OR NO TPRM ACTIVITY | New organizations beginning operations or organizations with no existing vendor risk management activities
LEVEL 1 | INITIAL VISIONING AND AD HOC ACTIVITY | Organizations which perform third party risk management activities on an ad hoc basis, but have a management approved plan to structure the activity as part of an effort to achieve full implementation
LEVEL 2 | APPROVED ROAD MAP AND AD HOC ACTIVITY | Organizations which perform third party risk management activities on an ad hoc basis, but have a management-approved plan to structure the activity as part of an effort to achieve full implementation
LEVEL 3 | DEFINED AND ESTABLISHED | Organizations with fully defined, approved, and established vendor risk management activity, where activities are not yet fully operational and where metrics reporting, and enforcement are lacking
LEVEL 4 | FULLY IMPLEMENTED AND OPERATIONAL | Organizations in which vendor risk management activities are fully operational and all compliance measures (including metrics reporting and independent oversight) are in place
LEVEL 5 | CONTINUOUS IMPROVEMENT | Organizations that strive toward operational excellence, understand best-in-class performance levels, and implement program changes

SAMPLE REPORT LANGUAGE
Sample Executive Summary Reporting Template 1 – TPRM Program Components Self-Assessment Results
ABC Company initiated an internal review of the structure and components of its Third Party Risk Management Program. ABC Company’s vendor risk management
approach used standard criteria using the Shared Assessments Vendor Risk Management Maturity Model (VRMMM). This tool established a numerical score range
based on the self-assessment of each program component. The tiering of the level of maturity of the results of the assessment triggers actions based on ABC
Company’s enterprise risk management program.

The self-assessment was conducted from DAY/MONTH/YEAR through DAY/MONTH/YEAR and included XX participants, across XX locations. Participants included
management personnel, subject matter experts and control owners. Participants evaluated each specific attribute of the TPRM program and identified
opportunities for process improvement based on risk ratings. Table 1 summarizes the total number of requirements evaluated for each TPRM Program Category.
Table 2 reflects the assessment results demonstrating the depth and breadth of the TPRM Program Assessment showing the content breakdowns for each TPRM
component. After a review of the TPRM program and the controls in place, we found 3 TPRM Program Categories with High risk ratings, 3 Medium and 2 Low risk
ratings based on our TPRM Program evaluation for 2022.

ABC Company has completed this type of review each year as part of its annual risk assessment process. Chart 1
provides a visual representation of the topics included in the assessment which will be included in management
reporting for the company’s enterprise risk management governing body. Action plans are being established to
identify changes that will enable improvements in maturity of the overall execution of the TPRM program.

The self-assessment of the maturity of the TPRM Program included the analysis and evaluation of 8 TPRM Program Categories, 48 TPRM Program
Attributes, and 253 Detailed Criteria. Standardized measurements and objective criteria were used to evaluate each process using the
maturity level descriptions.

Table 1: Summary Table for all VRMMM Program Components

Table 2: Scope of TPRM Program Evaluation by Program Category

Chart 1: Scope of TPRM Program Evaluation by Program Category
[Chart: ABC COMPANY TPRM Program Requirements Evaluated; Content Percentage by TPRM Program Category: 1.0 Program Governance; 2.0 Policies, Standards, and Procedures; 3.0 Contract Development, Adherence, & Mgmt.; 4.0 Vendor Risk Assessment Process; 5.0 Skills and Expertise; 6.0 Information Sharing; 7.0 Tools, Measurements and Analysis; 8.0 Monitoring and Review]

Sample Executive Summary Reporting Template 2 – Risk Rating and Action Planning
ABC Company initiated an internal review of the structure and components of its Third Party Risk Management Program. ABC Company’s vendor risk management
approach used standard criteria using the Shared Assessments Vendor Risk Management Maturity Model (VRMMM). This tool established a numerical score range
based on the self-assessment of each program component. The tiering of the level of maturity of the results of the assessment triggers actions based on ABC
Company’s enterprise risk management program.

The self-assessment was conducted from DAY/MONTH/YEAR through DAY/MONTH/YEAR and included XX participants, across XX locations. Participants included
management personnel, subject matter experts and control owners. Participants evaluated each specific attribute of the TPRM program and identified
opportunities for process improvement based on risk ratings. After a review of the TPRM program and the controls in place, we found 3 High risk ratings, 3
Medium and 2 Low risk ratings based on our TPRM Program evaluation for 2022. For each TPRM Program Category the participants categorized the improvements
needed based on the level of effort for corrective action measures as noted in Table 1. Based upon the current maturity levels, the investments needed in the
TPRM program based on changes in people, process, or technology are noted in Table 2. The charts below provide a visual representation of risk ratings of findings
and level of effort which will be shared with the company internal audit function and will be included in management reporting for senior leadership.

ABC Company has completed this type of review each year as part of its annual risk assessment process.

Table 1: Risk Rating and Action Planning

Table 2: TPRM Business Case Development

Charts Associated with Template 2: Findings by Risk Rating and Level of Effort

[Charts: ABC Company Findings by Risk Rating (# of High Risk, # Medium Risk, # Low Risk); ABC Company Findings by Level of Effort (# of High LOE, # Medium LOE, # Low LOE)]

Sample Executive Summary Template 3 – TPRM Program Maturity Year over Year Comparison
ABC Company initiated an internal review of the structure and components of its Third Party Risk Management Program. ABC Company’s vendor risk management
approach used standard criteria using the Shared Assessments Vendor Risk Management Maturity Model (VRMMM). This tool established a numerical score range
based on the self-assessment of each program component. The tiering of the level of maturity of the results of the assessment triggers actions based on ABC
Company’s enterprise risk management program.

The self-assessment was conducted from DAY/MONTH/YEAR through DAY/MONTH/YEAR and included XX participants, across XX locations. Participants included
management personnel, subject matter experts and control owners. Participants evaluated each specific attribute of the TPRM program and identified
opportunities for process improvement based on risk ratings. Specific action plans were identified in the self-assessment process for areas of process
improvement. ABC Company has completed this type of review each year as part of its annual risk assessment process. Comparisons of changes in TPRM program
maturity from 2019-2022 are reflected in Table 1. Chart 1 provides a visual representation of the changes in TPRM Program maturity over time for each TPRM
Program Category. Internal and external factors influenced maturity over the four-year period. Examples of these changes included:

• Increase in M&A activity
• New Product/Service Launch
• Increase in use of Fourth-Nth Parties
• Impact of the pandemic on operational resilience
• New regulatory obligations and industry standards for third party risk

Table 3: ABC Company TPRM Program Maturity Year over Year Comparison

Chart 1: TPRM Program Maturity Over Time

[Chart: ABC Company TPRM Program Maturity Year over Year Comparison; maturity level for 2019, 2020, 2021 and 2022]

Sample Executive Summary Template 4 – TPRM Self-Assessment using Peer Benchmarking
ABC Company initiated an internal review of the structure and components of its Third Party Risk Management Program. ABC Company’s vendor risk management
approach used standard criteria using the Shared Assessments Vendor Risk Management Maturity Model (VRMMM). This tool established a numerical score range
based on the self-assessment of each program component. The tiering of the level of maturity of the results of the assessment triggers actions based on ABC
Company’s enterprise risk management program.

The self-assessment was conducted from DAY/MONTH/YEAR through DAY/MONTH/YEAR and included XX participants, across XX locations. Participants included
management personnel, subject matter experts and control owners. Participants evaluated each specific attribute of the TPRM program and identified
opportunities for process improvement based on risk ratings. ABC Company has completed this type of review each year as part of its annual risk assessment
process. After completion of the TPRM Program evaluation, ABC Company compared assessment results to aggregated results provided in the Shared Assessments
Vendor Risk Benchmarking Study. Maturity assessment results by TPRM Program Category are shown in Table 1 for 3 identified Peer Comparison companies. A
visual representation of the Peer comparison is noted in Table 2, which will be included in the update for management.

Based upon the analysis of the Peer comparison and aggregated study results, ABC Company has established a future state or desired maturity level for each TPRM
Program Category. The Target Maturity will be used to identify the resources needed to address improvements, both to meet desired maturity levels and to
improve performance in peer comparisons. Chart 2 provides a scorecard of these goals and strategies, to be shared with the Board of Directors and its Risk Committee,
to enhance the company’s approach for third party risk management.

Table 1: TPRM Self-Assessment Results using Peer Benchmarking and/or Target Maturity
2019 Benchmarking Study Result Highlights:

• 4 in 10 organizations surveyed had fully mature VRM programs, and about a third had ad hoc or little VRM activity.
• Overall maturity across organizations has not increased since improvements made did not outweigh new regulatory burdens.
• We compared maturity results from selected XYZ industry sectors listed in the study to provide a peer comparison.
• High level of Board Engagement correlates to best-in-class VRM maturity.

Chart 1: TPRM Self-Assessment using Peer Benchmarking
[Chart: ABC COMPANY PEER COMPARISON; maturity level for each TPRM Program Category (1.0 Program Governance; 2.0 Policies, Standards, and Procedures; 3.0 Contract Development, Adherence, & Mgmt.; 4.0 Vendor Risk Assessment Process; 5.0 Skills and Expertise; 6.0 Information Sharing; 7.0 Tools, Measurements and Analysis; 8.0 Monitoring and Review); series: Current Maturity, Peer Comp #1, Peer Comp #2, Peer Comp #3]

Chart 2: Resource Heat Map

Sample Executive Summary Template 5 – Findings or Process Improvement Focus Based upon TPRM Program Attributes
ABC Company initiated an internal review of the structure and components of its Third Party Risk Management Program. ABC Company’s vendor risk management
approach used standard criteria using the Shared Assessments Vendor Risk Management Maturity Model (VRMMM). This tool established a numerical score range
based on the self-assessment of each program component. The tiering of the level of maturity of the results of the assessment triggers actions based on ABC
Company’s enterprise risk management program.

The self-assessment was conducted from DAY/MONTH/YEAR through DAY/MONTH/YEAR and included XX participants, across XX locations. Participants included
management personnel, subject matter experts and control owners. Participants evaluated each specific attribute of the TPRM program and identified
opportunities for process improvement based on risk ratings. After a review of the TPRM program and the controls in place, we found 3 High risk ratings, 3
Medium and 2 Low risk ratings based on our TPRM Program evaluation for 2022. ABC Company has focused its risk management based on specific findings or
process improvement areas. ABC Company recommends that a new scorecard be developed to provide ongoing monitoring for the specific TPRM Program
Attributes identified during the assessments. These focus areas will be assigned a risk owner to define and track the status of the initiatives as noted in Table 1.
Due to changes in the internal and external environment, Charts 1 & 2 show the alignment of the findings to either (1) The structure of the TPRM Program; (2) The
execution of the TPRM Program; or (3) Gaps in measuring TPRM Program performance.

Table 1: Findings or Process Improvement Focus

Chart 1 and 2: Findings or Process Improvement Focus

[Charts: # of High Risk TPRM Program Findings; # of High LOE TPRM Findings; each broken down by Building & Structuring the TPRM Program, Implementing & Running the TPRM Program, and Measuring & Optimizing TPRM Program Results]

Sample Executive Summary Template 6 – Summary Table for all VRMMM Program Components/Criteria with Target Maturity
ABC Company initiated an internal review of the structure and components of its Third Party Risk Management Program. ABC Company’s vendor risk management
approach used standard criteria using the Shared Assessments Vendor Risk Management Maturity Model (VRMMM). This tool established a numerical score range
based on the self-assessment of each program component. The tiering of the level of maturity of the results of the assessment triggers actions based on ABC
Company’s enterprise risk management program.

The self-assessment was conducted from DAY/MONTH/YEAR through DAY/MONTH/YEAR and included XX participants, across XX locations. Participants included
management personnel, subject matter experts and control owners. Participants evaluated each specific attribute of the TPRM program and identified
opportunities for process improvement based on risk ratings. After a review of the TPRM program and the controls in place, we found 3 High risk ratings, 3
Medium and 2 Low risk ratings based on our TPRM Program evaluation for 2021. Table 1 provides the overall assessment results, including a summary of the total
criteria evaluated for each TPRM Program Category. Chart 1 provides a visual representation of the current maturity and the desired maturity level which will set
the foundation for process improvement initiatives.

Table 1: TPRM Program Components Self-Assessment Results with Target Maturity

Chart 1: TPRM Program Components Self-Assessment Results with Target Maturity
[Chart: ABC Company TPRM Self-Assessment Results; series: Current Maturity, Target Maturity]

Sample Executive Summary Template 7 – Risk Rating and Action Planning and TPRM Business Case Development
ABC Company initiated an internal review of the structure and components of its Third Party Risk Management Program. ABC Company’s vendor risk management
approach used standard criteria using the Shared Assessments Vendor Risk Management Maturity Model (VRMMM). This tool established a numerical score range
based on the self-assessment of each program component. The tiering of the level of maturity of the results of the assessment triggers actions based on ABC
Company’s enterprise risk management program.

The self-assessment was conducted from DAY/MONTH/YEAR through DAY/MONTH/YEAR and included XX participants, across XX locations. Participants included
management personnel, subject matter experts and control owners. Participants evaluated each specific attribute of the TPRM program and identified
opportunities for process improvement based on risk ratings. After a review of the TPRM program and the controls in place, we found 3 High risk ratings, 3
Medium and 2 Low risk ratings based on our TPRM Program evaluation for 2022.

A Level of Effort (LOE) analysis was quantified for the High and Medium risk ratings showing 2 High LOE and 4 Medium LOE areas of focus. Risk ratings have been
established and action plans have been defined for each area of focus as summarized in Table 1. ABC Company established a task force committee to develop the
business case needed for increased resources for the TPRM Program. The task force prioritized the action plans based on inputs from stakeholders in the line of
business and established key dates for deliverables. The results of the task force work effort are shown in Table 2 including specific planned actions.

Table 1: Risk Rating and Action Plans

Table 2: TPRM Business Case Development Planned Actions

Sample Executive Summary Template 8 - Target Maturity Findings or Process Improvement Focus Based upon TPRM Program Attributes
ABC Company initiated an internal review of the structure and components of its Third Party Risk Management Program. ABC Company’s vendor risk management
approach applied standard criteria from the Shared Assessments Vendor Risk Management Maturity Model (VRMMM). This tool established a numerical score range
based on the self-assessment of each program component. The maturity tier resulting from the assessment triggers actions based on ABC
Company’s enterprise risk management program.

The self-assessment was conducted from DAY/MONTH/YEAR through DAY/MONTH/YEAR and included XX participants, across XX locations. Participants included
management personnel, subject matter experts and control owners. Participants evaluated each specific attribute of the TPRM program and identified
opportunities for process improvement based on risk ratings. After a review of the TPRM program and the controls in place, we found 2 High risk ratings, 3
Medium and no Low risk ratings based on our TPRM Program evaluation for 2022. The TPRM Program Category or phase of the TPRM lifecycle was identified for
each of the VRMMM TPRM Program attributes. Charts 1 and 2 display the TPRM Program findings and remediation LOE based on each phase of maintaining a
TPRM Program. ABC Company took the results of the 2022 TPRM program evaluation and established a TARGET Maturity for each TPRM Program Attribute.

ABC Company’s TPRM Program requires participation from multiple lines of business, affiliates and subsidiaries, and governance committees. Because
different teams are involved in TPRM, ABC Company established its Target Maturity Levels for each TPRM Program Attribute and created an assessment results
scorecard for each TPRM phase. Tables 1-3 summarize the assessment results by TPRM phase; they can be distributed to the respective teams and
used as the starting point for developing project and action plans to address findings.

Charts 1 and 2: High Risk Findings and LOE Analysis Results
[Charts: "# of High Risk TPRM Program Findings" and "# of High Level of Effort TPRM Program Findings", each broken down by TPRM phase: Building & Structuring the TPRM Program; Implementing & Running the TPRM Program; Measuring & Optimizing TPRM Program Results]

Table 1: TPRM PHASE - Building a TPRM Program

Table 2: TPRM PHASE - Implementing a TPRM Program

Table 3: TPRM PHASE - Optimizing a TPRM Program

© 2021-2022 The Santa Fe Strategy Center LLC, dba Shared Assessments. All Rights Reserved.
Documents created under Shared Assessments may be downloaded from the official Shared Assessments website at https://www.sharedassessments.org/
While retaining copyrights, Shared Assessments makes specific documents available to members and purchasers for the purpose of conducting self-assessments and third party security assessments. Licenses
for other uses are available from Shared Assessments. Individuals and organizations should review the terms of use prior to downloading, copying, using or modifying Shared Assessment Program documents.

This notice must be included on any copy of the Shared Assessments documents, excluding Assessors or consultants’ reports.

Shared Assessments is administered by The Santa Fe Strategy Center LLC (https://www.sharedassessments.org/). Questions about this guide should be directed towards support@sharedassessments.org. If
you are interested in Shared Assessments and would like us to contact you, email us at info@sharedassessments.org.
