Third-Party Risk Management Maturity Model

ProcessUnity’s Third-Party Risk Management Maturity Model

Your goals ultimately determine the extent of your Third-Party Risk Management investment. No matter where you are, there is always an opportunity for growth: your program is one that will mature over time, increasing in value as you gain in experience. But the key thing is to start with an honest assessment of where you are and where you’d like to go. Use the following Maturity Matrix as a check-up, or as a foundation for further inquiry among your colleagues, to help you determine where you are and where you’d like to go.

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
THE ORGANIZATION
No formal team exists (typically, a part-time resource works assessments). There is no / minimal involvement from the business. There is no / minimal executive sponsorship or support. The program is not formally defined The organization does not support third-party risk activities.	A single resource or small team is dedicated to the program. The business is reluctantly involved in processes (if at all). There is minimal executive sponsorship or support. There is minimal corporate investment to support third-party risk activities.	A dedicated team works a formally defined program. The business is engaged, ensuring their third-party risk is acceptable. Full executive sponsorship exists. The program is budgeted. Subject Matter Experts assist in reviewing areas of their expertise.	A fully dedicated staff operates a formally defined program. Outsourced expertise is utilized when needed / applicable. The business actively participates in third-party risk activities. Executives promote risk reduction and compliance from third parties. Budget exists to continuously enhance the program.

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
POLICY AND PROCEDURES
Policies are nonexistent (or at least undocumented).	Policies are documented. Policy reviews are informal. Communication around policies is ad hoc. Policies are loosely followed. Policies focused on onboarding activities with very little ongoing monitoring of existing third parties.	Policy and procedures are documented. Reviews and updates occur periodically. A central library of policies and procedures exists. Policies and procedures are leveraged for audits.	Policy and procedures are documented. Reviews and updates occur periodically. A central library of policies and procedures exists. Annual “read and understood” certifications are conducted with all relevant employees. Employees are trained on all relevant policies and procedures. Policies and procedures are leveraged for audits.

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
PROCESSES
Processes are ad hoc. There is no consistency across organization. No central repository exists for third-party risk information / assessments. There is no issue resolution/tracking for outstanding issues. Contracts are signed prior to due diligence.	Processes are defined. Third parties are not monitored. Processes are executed inconsistently. A central location for third-party information / assessments exists. Existing third parties are assessed for risk. Issues are documented, but not tracked to resolution.	Processes are defined. Third parties are monitored periodically. External content is used to augment the program. Processes are executed consistently. A central location for third-party information / assessments exists. There is a formal third-party onboarding process. Existing third parties are assessed for risk. Some on-site control assessments are conducted on critical third parties. A formal issue management process exists.	Processes are defined with an emphasis on continuous improvement. Third parties are monitored continuously. A central location for third-party information / assessments is integrated with ERP, Procurement, and/or GRC solutions where applicable. There is a formal third-party onboarding process. Existing third parties are assessed for risk continuously. On-site control assessments occur for critical third parties. A formal issue management process exists. KPIs, KRIs and SLAs related to third parties are actively monitored.

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
RISK ASSESSMENT METHODOLOGY
A standard question set does not exist. There is no standard risk assessment methodology. Reviews are limited to single categories of third-party risk. Risk assessments are qualitative (if they occur at all). Activities are focused on gathering documents/policies versus analyzing risk.	A standard set of questions is used for all third parties, regardless of risk level. There is no standard risk assessment methodology. Reviews are limited to single categories of third-party risk. Assessments are qualitative risk ratings.	Inherent risk screening questions are used for onboarding. Standard sets of questions / questionnaires are used based on the third parties’ inherent risk level. Inherent and residual risks are calculated on all third parties (new and existing). Multiple risk categories are assessed for each third party. Inherent and residual risk is analyzed quantitatively. On-site assessments are conducted on third parties.	Conditional inherent risk screening questions are used based on service, product, location, branch, etc. Standard sets of questions / questionnaires are used based on the third parties’ inherent risk level. Inherent and residual risks are calculated on all third parties (new and existing). Multiple risk categories are assessed for each third party. External content is leveraged to enhance third-party risk assessments and monitoring. Inherent and residual risk is analyzed quantitatively. On-site assessments are conducted on third parties. Ongoing risk assessments (based on SLAs and other continuous monitoring activities) can trigger additional assessments.

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
THIRD PARTIES
Communication is delivered via manual email or phone. Lack of central repository can result in repetitive / duplicate information.	Communication is delivered via manual email or phone. There are sporadic instances of duplicate efforts on similar vendors. Reviews are performed at an overall level and do not take into account sub relationships under the third party (such as services, products, locations, branches, etc.).	Communications are delivered via automated email and/or a technology portal. Assessments are completed within a technology (online) portal. Reviews are conducted at various levels (service, product, location, branch, etc.)	Communications are delivered via automated email and/or a technology portal. Assessments are completed within a technology (online) portal. Issues related to third parties are actively managed via the portal. Reviews are conducted at various levels (service, product, location, branch, etc.). Third parties actively maintain their own company and/or service profiles. Third parties actively manage their own key contacts and questionnaire routing within their organization.

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
SUPPORTING TECHNOLOGIES
Typically, spreadsheets and email are used.	Programs are supported with email, spreadsheets, homegrown databases and/or survey tools.	Programs are powered with a dedicated third-party risk management solution / tool.	Programs are powered with a dedicated third-party risk management solution/tool. The third-party risk system is integrated with other critical business application to share relevant third-party data (ERP, Procurement, Ticketing, GRC, Contracts, etc.).

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
REGULATORY PREPAREDNESS / STATURE
The lack of formally documented policies and procedures results in full regulatory reviews with limited positive recourse.	Policies exist, but inconsistent execution of policies results in full regulatory reviews with limited positive recourse.	Fully documented policies and procedures allow regulators to focus efforts on critical areas of review. A dedicated third-party risk management solution/tool allows the organization to easily evidence activities conducted against various third parties and showcase how they have automated portions of third-party risk management program.	Fully documented policies and procedures allow regulators to focus efforts on critical areas of review. A dedicated third-party risk management solution/tool allows the organization to easily evidence activities conducted against various third parties and showcase how they have automated portions of third-party risk management program. As a result, there is minimal regulator intervention and fewer requests. The organization is recognized by regulatory agencies as a best-practice organization.

INFORMAL	REACTIVE	PROACTIVE	OPTIMIZED
STANDARDS ALIGNMENT
The organization does not leverage best-practice standards or control sets within risk its methodology or assessments.	The organization may leverage best-practice standards to derive question sets for assessments.	Questionnaires align to best-practice standards and/or best-practice control sets to facilitate deeper reviews of highly critical third parties.	The organization actively aligns, reviews, and assesses risk assessment methodologies, questionnaires, and control sets to ensure they are up to date and aligned with the most-current best-practice standards.

Ready to begin your journey to a more mature Third-Party Risk Management program? Contact us today.

Request a Demo

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Analytics".
cookielawinfo-checkbox-functional	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Functional".
cookielawinfo-checkbox-marketing	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Marketing".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
PHPSESSID		This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Type	Duration	Description
__tawkuuid	persistent	6 months	This cookie remembers you so that we can link chat conversations together to provide a better service. It expires within 6 months.
bcookie	0	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
bscookie	1	2 years	This cookie is a browser ID cookie set by LinkedIn share Buttons and ad tags.
cf_ob_info	0	1 minute	The CloudFlare service is mostly used for content distribution network (CDN) services.
cf_use_ob	0	1 minute	The CloudFlare service is mostly used for content distribution network (CDN) services.
lang	0		This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	0	1 day	This cookie is set by LinkedIn and used for routing.
lissc	0	1 year	Cookie used for Sign-in with Linkedin and/or for LinkedIn follow feature.
TawkConnectionTime	session		Cookie set by the live-chat support platform Tawk.to.

Cookie	Type	Duration	Description
__stid	0	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.
__stidv	0	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.
_gcl_au	0	2 months	This cookie is used by Google Analytics to understand user interaction with the website.
Google Analytics			This cookie is used by Google Analytics to understand user interaction with the website.

Cookie	Type	Duration	Description
_mkto_trk	0	2 years	This cookie is associated with an email marketing service provided by Marketo. This tracking cookie allows the website to link visitor behavior to the recipient of an email marketing campaign, to measure campaign effectiveness.
IDE	1	2 years	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
li_sugr	0	2 months	This cookie is a browser ID cookie set by LinkedIn when an IP address is not in a Designated Country.
u	0	2 months	LinkedIn Insight Tag, when IP address is not in a Designated Country
UserMatchHistory	0	4 weeks	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

The Undisputed Leader in Vendor Risk Management

Evaluating Third-Party Risk Management Software? Speed Up the Process with Our RFP Starter Kit

ProcessUnity’s Third-Party Risk Management Maturity Model

THE ORGANIZATION

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED

POLICY AND PROCEDURES

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED

PROCESSES

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED

RISK ASSESSMENT METHODOLOGY

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED

THIRD PARTIES

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED

SUPPORTING TECHNOLOGIES

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED

REGULATORY PREPAREDNESS / STATURE

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED

STANDARDS ALIGNMENT

INFORMAL

REACTIVE

PROACTIVE

OPTIMIZED