Measure Risk Process Maturity Scoring Key

| Level | INITIAL | REPEATABLE | DEFINED | MANAGED | OPTIMIZED |
|---|---|---|---|---|---|
| Score (rating range) | 20 (.5-10) | 40 (1.5 to 2.5) | 60 (2.5 to 3.5) | 80 (3.5 to 4.5) | 100 (4.5 to 5) |
| Characteristics | Ad hoc, unpredictable, poorly controlled, reactive | Basic process management and repeatable tasks | Defined and documented processes, proactive | Integrated, measured and controlled processes | Continued improvement and significant automation |
There are six levels of a vendor risk management maturity model:
- Startup or no third-party risk management: new organizations beginning operations or organizations with no existing vendor risk management activities.
- Initial vision and ad hoc activity: third-party risk management activities are performed on an ad hoc basis while the organization considers how best to structure them.
- Approved road map and ad hoc activity: management has approved a plan to structure the activity as part of an effort to achieve full implementation.
- Defined and established: organizations with fully defined, approved and established risk management activities, but where those activities are not yet fully operationalized and metrics and enforcement are lacking.
- Fully implemented and operational: Organizations where vendor risk management activities are fully operationalized with compliance measures, including reporting and independent oversight.
- Continuous improvement: Organizations striving for operational excellence with clear understanding of best-in-class performance levels and how to implement program changes to continuously improve the process.