Third-Party Risk Management Maturity Model

Your goals ultimately determine the extent of your Third-Party Risk Management investment. No matter where you are, there is always an opportunity for growth: your program is one that will mature over time, increasing in value as you gain in experience. But the key thing is to start with an honest assessment of where you are and where you’d like to go. Use the following Maturity Matrix as a check-up, or as a foundation for further inquiry among your colleagues, to help you determine where you are and where you’d like to go.

The matrix has four maturity levels, ordered from least to most mature: Informal, Reactive, Proactive, Optimized. Each category below lists the characteristics of a program at each of those levels.

The Organization

Informal:
  • No formal team exists (typically, a part-time resource works assessments).
  • There is no or minimal involvement from the business.
  • There is no or minimal executive sponsorship or support.
  • The program is not formally defined.
  • The organization does not support third-party risk activities.

Reactive:
  • A single resource or small team is dedicated to the program.
  • The business is reluctantly involved in processes (if at all).
  • There is minimal executive sponsorship or support.
  • There is minimal corporate investment to support third-party risk activities.

Proactive:
  • A dedicated team works a formally defined program.
  • The business is engaged, ensuring their third-party risk is acceptable.
  • Full executive sponsorship exists.
  • The program is budgeted.
  • Subject Matter Experts assist in reviewing areas of their expertise.

Optimized:
  • A fully dedicated staff operates a formally defined program.
  • Outsourced expertise is utilized when needed/applicable.
  • The business actively participates in third-party risk activities.
  • Executives promote risk reduction and compliance from third parties.
  • Budget exists to continuously enhance the program.

Policy and Procedures

Informal:
  • Policies are nonexistent (or at least undocumented).

Reactive:
  • Policies are documented.
  • Policy reviews are informal.
  • Communication around policies is ad hoc.
  • Policies are loosely followed.
  • Policies focus on onboarding activities, with very little ongoing monitoring of existing third parties.

Proactive:
  • Policy and procedures are documented.
  • Reviews and updates occur periodically.
  • A central library of policies and procedures exists.
  • Policies and procedures are leveraged for audits.

Optimized:
  • Policy and procedures are documented.
  • Reviews and updates occur periodically.
  • A central library of policies and procedures exists.
  • Annual “read and understood” certifications are conducted with all relevant employees.
  • Employees are trained on all relevant policies and procedures.
  • Policies and procedures are leveraged for audits.

Processes

Informal:
  • Processes are ad hoc.
  • There is no consistency across the organization.
  • No central repository exists for third-party risk information/assessments.
  • There is no issue resolution/tracking for outstanding issues.
  • Contracts are signed prior to due diligence.

Reactive:
  • Processes are defined.
  • Third parties are not monitored.
  • Processes are executed inconsistently.
  • A central location for third-party information/assessments exists.
  • Existing third parties are assessed for risk.
  • Issues are documented, but not tracked to resolution.

Proactive:
  • Processes are defined.
  • Third parties are monitored periodically.
  • External content is used to augment the program.
  • Processes are executed consistently.
  • A central location for third-party information/assessments exists.
  • There is a formal third-party onboarding process.
  • Existing third parties are assessed for risk.
  • Some on-site control assessments are conducted on critical third parties.
  • A formal issue management process exists.

Optimized:
  • Processes are defined with an emphasis on continuous improvement.
  • Third parties are monitored continuously.
  • A central location for third-party information/assessments is integrated with ERP, Procurement, and/or GRC solutions where applicable.
  • There is a formal third-party onboarding process.
  • Existing third parties are assessed for risk continuously.
  • On-site control assessments occur for critical third parties.
  • A formal issue management process exists.
  • KPIs, KRIs and SLAs related to third parties are actively monitored.

Risk Assessment Methodology

Informal:
  • A standard question set does not exist.
  • There is no standard risk assessment methodology.
  • Reviews are limited to single categories of third-party risk.
  • Risk assessments are qualitative (if they occur at all).
  • Activities are focused on gathering documents/policies rather than analyzing risk.

Reactive:
  • A standard set of questions is used for all third parties, regardless of risk level.
  • There is no standard risk assessment methodology.
  • Reviews are limited to single categories of third-party risk.
  • Assessments are qualitative risk ratings.

Proactive:
  • Inherent risk screening questions are used for onboarding.
  • Standard sets of questions/questionnaires are used based on the third parties’ inherent risk level.
  • Inherent and residual risks are calculated on all third parties (new and existing).
  • Multiple risk categories are assessed for each third party.
  • Inherent and residual risk is analyzed quantitatively.
  • On-site assessments are conducted on third parties.

Optimized:
  • Conditional inherent risk screening questions are used based on service, product, location, branch, etc.
  • Standard sets of questions/questionnaires are used based on the third parties’ inherent risk level.
  • Inherent and residual risks are calculated on all third parties (new and existing).
  • Multiple risk categories are assessed for each third party.
  • External content is leveraged to enhance third-party risk assessments and monitoring.
  • Inherent and residual risk is analyzed quantitatively.
  • On-site assessments are conducted on third parties.
  • Ongoing risk assessments (based on SLAs and other continuous monitoring activities) can trigger additional assessments.

Third Parties

Informal:
  • Communication is delivered via manual email or phone.
  • The lack of a central repository can result in repetitive/duplicate information.

Reactive:
  • Communication is delivered via manual email or phone.
  • There are sporadic instances of duplicate efforts on similar vendors.
  • Reviews are performed at an overall level and do not take into account sub-relationships under the third party (such as services, products, locations, branches, etc.).

Proactive:
  • Communications are delivered via automated email and/or a technology portal.
  • Assessments are completed within a technology (online) portal.
  • Reviews are conducted at various levels (service, product, location, branch, etc.).

Optimized:
  • Communications are delivered via automated email and/or a technology portal.
  • Assessments are completed within a technology (online) portal.
  • Issues related to third parties are actively managed via the portal.
  • Reviews are conducted at various levels (service, product, location, branch, etc.).
  • Third parties actively maintain their own company and/or service profiles.
  • Third parties actively manage their own key contacts and questionnaire routing within their organization.

Supporting Technologies

Informal:
  • Typically, spreadsheets and email are used.

Reactive:
  • Programs are supported with email, spreadsheets, homegrown databases and/or survey tools.

Proactive:
  • Programs are powered by a dedicated third-party risk management solution/tool.

Optimized:
  • Programs are powered by a dedicated third-party risk management solution/tool.
  • The third-party risk system is integrated with other critical business applications to share relevant third-party data (ERP, Procurement, Ticketing, GRC, Contracts, etc.).

Regulatory Preparedness / Stature

Informal:
  • The lack of formally documented policies and procedures results in full regulatory reviews with limited positive recourse.

Reactive:
  • Policies exist, but inconsistent execution of those policies results in full regulatory reviews with limited positive recourse.

Proactive:
  • Fully documented policies and procedures allow regulators to focus their efforts on critical areas of review.
  • A dedicated third-party risk management solution/tool allows the organization to easily evidence the activities conducted against various third parties and to showcase how it has automated portions of the third-party risk management program.

Optimized:
  • Fully documented policies and procedures allow regulators to focus their efforts on critical areas of review.
  • A dedicated third-party risk management solution/tool allows the organization to easily evidence the activities conducted against various third parties and to showcase how it has automated portions of the third-party risk management program. As a result, there is minimal regulator intervention and fewer requests.
  • The organization is recognized by regulatory agencies as a best-practice organization.

Standards Alignment

Informal:
  • The organization does not leverage best-practice standards or control sets within its risk methodology or assessments.

Reactive:
  • The organization may leverage best-practice standards to derive question sets for assessments.

Proactive:
  • Questionnaires align to best-practice standards and/or best-practice control sets to facilitate deeper reviews of highly critical third parties.

Optimized:
  • The organization actively aligns, reviews, and assesses its risk assessment methodologies, questionnaires, and control sets to ensure they are up to date and aligned with the most current best-practice standards.
