Third-Party Risk Management Maturity Model

ProcessUnity’s Third-Party Risk Management Maturity Model

Your goals ultimately determine the extent of your Third-Party Risk Management investment. No matter where you are, there is always an opportunity for growth: your program is one that will mature over time, increasing in value as you gain in experience. But the key thing is to start with an honest assessment of where you are and where you’d like to go. Use the following Maturity Matrix as a check-up, or as a foundation for further inquiry among your colleagues, to help you determine where you are and where you’d like to go.

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
THE ORGANIZATION
No formal team exists (typically, a part-time resource works assessments). There is no / minimal involvement from the business. There is no / minimal executive sponsorship or support. The program is not formally defined The organization does not support third-party risk activities.	A single resource or small team is dedicated to the program. The business is reluctantly involved in processes (if at all). There is minimal executive sponsorship or support. There is minimal corporate investment to support third-party risk activities.	A dedicated team works a formally defined program. The business is engaged, ensuring their third-party risk is acceptable. Full executive sponsorship exists. The program is budgeted. Subject Matter Experts assist in reviewing areas of their expertise.	A fully dedicated staff operates a formally defined program. Outsourced expertise is utilized when needed / applicable. The business actively participates in third-party risk activities. Executives promote risk reduction and compliance from third parties. Budget exists to continuously enhance the program.

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
POLICY AND PROCEDURES
Policies are nonexistent (or at least undocumented).	Policies are documented. Policy reviews are informal. Communication around policies is ad hoc. Policies are loosely followed. Policies focused on onboarding activities with very little ongoing monitoring of existing third parties.	Policy and procedures are documented. Reviews and updates occur periodically. A central library of policies and procedures exists. Policies and procedures are leveraged for audits.	Policy and procedures are documented. Reviews and updates occur periodically. A central library of policies and procedures exists. Annual “read and understood” certifications are conducted with all relevant employees. Employees are trained on all relevant policies and procedures. Policies and procedures are leveraged for audits.

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
PROCESSES
Processes are ad hoc. There is no consistency across organization. No central repository exists for third-party risk information / assessments. There is no issue resolution/tracking for outstanding issues. Contracts are signed prior to due diligence.	Processes are defined. Third parties are not monitored. Processes are executed inconsistently. A central location for third-party information / assessments exists. Existing third parties are assessed for risk. Issues are documented, but not tracked to resolution.	Processes are defined. Third parties are monitored periodically. External content is used to augment the program. Processes are executed consistently. A central location for third-party information / assessments exists. There is a formal third-party onboarding process. Existing third parties are assessed for risk. Some on-site control assessments are conducted on critical third parties. A formal issue management process exists.	Processes are defined with an emphasis on continuous improvement. Third parties are monitored continuously. A central location for third-party information / assessments is integrated with ERP, Procurement, and/or GRC solutions where applicable. There is a formal third-party onboarding process. Existing third parties are assessed for risk continuously. On-site control assessments occur for critical third parties. A formal issue management process exists. KPIs, KRIs and SLAs related to third parties are actively monitored.

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
RISK ASSESSMENT METHODOLOGY
A standard question set does not exist. There is no standard risk assessment methodology. Reviews are limited to single categories of third-party risk. Risk assessments are qualitative (if they occur at all). Activities are focused on gathering documents/policies versus analyzing risk.	A standard set of questions is used for all third parties, regardless of risk level. There is no standard risk assessment methodology. Reviews are limited to single categories of third-party risk. Assessments are qualitative risk ratings.	Inherent risk screening questions are used for onboarding. Standard sets of questions / questionnaires are used based on the third parties’ inherent risk level. Inherent and residual risks are calculated on all third parties (new and existing). Multiple risk categories are assessed for each third party. Inherent and residual risk is analyzed quantitatively. On-site assessments are conducted on third parties.	Conditional inherent risk screening questions are used based on service, product, location, branch, etc. Standard sets of questions / questionnaires are used based on the third parties’ inherent risk level. Inherent and residual risks are calculated on all third parties (new and existing). Multiple risk categories are assessed for each third party. External content is leveraged to enhance third-party risk assessments and monitoring. Inherent and residual risk is analyzed quantitatively. On-site assessments are conducted on third parties. Ongoing risk assessments (based on SLAs and other continuous monitoring activities) can trigger additional assessments.

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
THIRD PARTIES
Communication is delivered via manual email or phone. Lack of central repository can result in repetitive / duplicate information.	Communication is delivered via manual email or phone. There are sporadic instances of duplicate efforts on similar vendors. Reviews are performed at an overall level and do not take into account sub relationships under the third party (such as services, products, locations, branches, etc.).	Communications are delivered via automated email and/or a technology portal. Assessments are completed within a technology (online) portal. Reviews are conducted at various levels (service, product, location, branch, etc.)	Communications are delivered via automated email and/or a technology portal. Assessments are completed within a technology (online) portal. Issues related to third parties are actively managed via the portal. Reviews are conducted at various levels (service, product, location, branch, etc.). Third parties actively maintain their own company and/or service profiles. Third parties actively manage their own key contacts and questionnaire routing within their organization.

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
SUPPORTING TECHNOLOGIES
Typically, spreadsheets and email are used.	Programs are supported with email, spreadsheets, homegrown databases and/or survey tools.	Programs are powered with a dedicated third-party risk management solution / tool.	Programs are powered with a dedicated third-party risk management solution/tool. The third-party risk system is integrated with other critical business application to share relevant third-party data (ERP, Procurement, Ticketing, GRC, Contracts, etc.).

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
REGULATORY PREPAREDNESS / STATURE
The lack of formally documented policies and procedures results in full regulatory reviews with limited positive recourse.	Policies exist, but inconsistent execution of policies results in full regulatory reviews with limited positive recourse.	Fully documented policies and procedures allow regulators to focus efforts on critical areas of review. A dedicated third-party risk management solution/tool allows the organization to easily evidence activities conducted against various third parties and showcase how they have automated portions of third-party risk management program.	Fully documented policies and procedures allow regulators to focus efforts on critical areas of review. A dedicated third-party risk management solution/tool allows the organization to easily evidence activities conducted against various third parties and showcase how they have automated portions of third-party risk management program. As a result, there is minimal regulator intervention and fewer requests. The organization is recognized by regulatory agencies as a best-practice organization.

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
STANDARDS ALIGNMENT
The organization does not leverage best-practice standards or control sets within risk its methodology or assessments.	The organization may leverage best-practice standards to derive question sets for assessments.	Questionnaires align to best-practice standards and/or best-practice control sets to facilitate deeper reviews of highly critical third parties.	The organization actively aligns, reviews, and assesses risk assessment methodologies, questionnaires, and control sets to ensure they are up to date and aligned with the most-current best-practice standards.

Ready to begin your journey to a more mature Third-Party Risk Management program? Contact us today.

Request a Demo

Cookie	Type	Duration	Description
__cfduid	1	1 month	The cookie is set by CloudFare. The cookie is used to identify individual clients behind a shared IP address d apply security settings on a per-client basis. It doesnot correspond to any user ID in the web application and does not store any personally identifiable information.
cli_user_preference	0	1 year	This cookie stores consolidated information of consent of all categories in the GDPR Cookie Consent plugin. This cookie is used to ensure the smooth functioning of the plugin with certain cache plugins.
cookielawinfo-checkbox-advertisement	0	1 year	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given their consent to the usage of cookies under the category 'Advertisement'.
cookielawinfo-checkbox-analytics	0	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Analytics".
cookielawinfo-checkbox-functional	0	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Functional".
cookielawinfo-checkbox-marketing	0	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Marketing".
cookielawinfo-checkbox-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
cookielawinfo-checkbox-preferences	0	1 year	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given the consent to the usage of cookies under the category 'Preferences'.
PHPSESSID	0		This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	0	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Type	Duration	Description
bcookie	0	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
bscookie	1	2 years	This cookie is a browser ID cookie set by LinkedIn share Buttons and ad tags.
cf_ob_info	0	1 minute	The CloudFlare service is mostly used for content distribution network (CDN) services.
cf_use_ob	0	1 minute	The CloudFlare service is mostly used for content distribution network (CDN) services.
lang	0		This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	0	1 day	This cookie is set by LinkedIn and used for routing.
lissc	0	1 year	Cookie used for Sign-in with Linkedin and/or for LinkedIn follow feature.

Cookie	Duration	Description
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.
__stidv	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gcl_au	2 months	This cookie is used by Google Analytics to understand user interaction with the website. All information this cookie collects is aggregated and therefore anonymous.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.

Cookie	Type	Duration	Description
IDE	1	2 years	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
li_sugr	0	2 months	This cookie is a browser ID cookie set by LinkedIn when an IP address is not in a Designated Country.
u	0	2 months	LinkedIn Insight Tag, when IP address is not in a Designated Country
UserMatchHistory	0	4 weeks	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

The Undisputed Leader in Vendor Risk Management

Evaluating Third-Party Risk Management Software? Speed Up the Process with Our RFP Starter Kit

ProcessUnity’s Third-Party Risk Management Maturity Model

THE ORGANIZATION

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED

POLICY AND PROCEDURES

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED

PROCESSES

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED

RISK ASSESSMENT METHODOLOGY

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED

THIRD PARTIES

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED

SUPPORTING TECHNOLOGIES

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED

REGULATORY PREPAREDNESS / STATURE

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED

STANDARDS ALIGNMENT

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED