

Developing Vendor Risk Management Program Metrics


Establishing risk and performance metrics for your vendors has long been an essential best practice, and is a regulatory requirement across various industries. However, vendor risk management metrics are only part of the bigger vendor risk management picture. It's essential to measure the performance of your entire vendor risk management program.

Vendor risk management program metrics ensure that your program’s rules, tools, and processes are working as intended. Identifying specific metrics can help evaluate your program's performance, identify gaps, and encourage data-driven decisions. More importantly, reporting vendor risk program metrics to the board can assure them that your third-party vendors' risks are well-managed, and that the program adds value.

Although it can sometimes be challenging to pinpoint the right metrics, it doesn't have to be. Read on to learn more about metrics and how to identify the right ones for your vendor risk management program.

Two Types of Vendor Risk Management Program Metrics

Metrics typically fall into two categories: key performance indicators (KPIs) or key risk indicators (KRIs). It's essential to understand the difference between the two and how each should be used. It's also necessary to determine whether your KPIs and KRIs are objective (quantitative, meaning something that can be measured or counted) or subjective (qualitative, meaning something experienced or felt).

Let's examine how these metrics are different and review some examples:

Key Performance Indicators

KPIs are lagging indicators and tell us about something that has already occurred. They look back on the performance of the vendor risk management program and can help measure how the program has performed against set goals or objectives.

Examples of KPI Vendor Risk Management Metrics:

  • Objective: The number of current risk assessments for high-risk and critical vendor engagements
  • Subjective: Percentage of vendor owners rating vendor risk management training 3 or fewer stars (out of 5)

Key Risk Indicators

KRIs are leading indicators and tell us about something that might happen. They are meant to be predictive and help identify where risks may develop or increase.

Examples of KRI Vendor Risk Management Metrics:

  • Objective: The number of high-risk and critical vendors with open issues that are at risk or past due
  • Subjective: Average stakeholder satisfaction score

It's crucial to understand that the metrics used in your vendor risk management program should both identify and manage risks and evaluate the program's performance. It's optimal to use both KPIs and KRIs.

Note: Objective and data-driven metrics should be prioritized over subjective ones, which should only be used sparingly. There are fluctuations in opinions and challenges in normalizing subjective metric data.


How to Identify Vendor Risk Management Program Metrics

When choosing metrics for your vendor risk management program, consider objectives like compliance, risk management, performance, or efficiency. Let's review some examples and how they might be translated into KPIs, KRIs, or both:

  1. Compliance metrics – These vendor risk management program metrics should identify regulatory and internal compliance with all policies and documented requirements. Examples include:

    • The number of compliance issues currently open – Compliance issues must be addressed immediately, whether vendor-related or internal. Failure to comply is taken very seriously by auditors and examiners.

      • KPI – Effective vendor risk management programs have few, if any, compliance issues. Remediating issues quickly demonstrates that the program prioritizes compliance.
      • KRI – The more compliance issues an organization has, the more likely it is to experience dissatisfied customers, revenue loss, litigation, and regulatory penalties.
    • Policy exceptions – Limiting policy exceptions demonstrates compliance with internal and external requirements.

      • KPI – Limited policy exceptions show that your existing requirements are achievable and there's a reduced need for administrative work and approval requests.
      • KRI – If the number of exceptions increases, compliance risk rises and regulatory scrutiny intensifies.
  2. Risk metrics – These vendor risk management program metrics should demonstrate effective identification, assessment, management, and vendor risk monitoring. Examples include:

    • Number of engagements without a current risk assessment – Active vendor engagements without a current risk assessment decrease your organization's ability to identify and manage risks effectively.

      • KPI – Per the vendor risk management policy, all engagements must have a current risk assessment. Adhering to this process shows effective risk identification and management.
      • KRI – The more engagements without current risk assessments, the higher the likelihood that new and emerging risks remain unidentified and unmanaged.
    • Due diligence reviews resulting in a pass decision – Due diligence is meant to validate that your vendors have the appropriate risk management practices and controls to mitigate known risks sufficiently.

      • KPI – Effective processes, subject matter expertise, and risk avoidance are evidenced when vendors are rejected as a result of due diligence.
      • KRI – A due diligence process that results in the approval of every vendor is likely not rigorous enough and may expose the organization to unnecessary risk.
  3. Performance or operational metrics – It's essential to demonstrate that your program runs efficiently and effectively and has the right processes, tools, and people to do the job.

    • Percentage of due diligence assessments completed within the estimated timeframe – A swift decision on vendor approval or rejection is crucial for timely issue resolution and seizing opportunities.

      • KPI – Processes, tools, and people are working effectively and meeting expectations.
      • KRI – Not completing due diligence assessments within the estimated time may impact business or indicate a lack of resources.
    • The ratio of vendor risk management program full-time employees (FTEs) to the number of critical and high-risk vendors – These vendors require the most vendor risk management rigor and attention.

      • KPI – A reasonable ratio of FTEs dedicated to vendor risk management in comparison to elevated risk vendors illustrates an appropriate allocation of resources for risk management.
      • KRI – An insufficient number of vendor risk management FTEs can lead to process delays, approval delays, and reduced vendor risk management effectiveness.

Additional Considerations for Vendor Risk Management Program Efforts

Before finalizing your vendor risk management program metrics, it’s important to ensure you have access to data that can be easily calculated, is repeatable, and clearly illustrates vendor risk management or operational effectiveness.

Ask yourself the following questions:

  • Does the metric help tell the right story?
  • Do I have an accessible and reliable data source to support the metric?
  • How easy is it to calculate the metric?
  • Is the metric better used as a KPI (lagging measure) or a KRI (leading measure)?

Keep in mind that identifying metrics isn't enough; it's also essential to determine what actions will be taken when a metric falls outside its acceptable thresholds.

In summary, developing and tracking metrics for vendor risk management is considered a best practice and is an essential aspect of effective programs. These metrics can provide valuable insights into resource allocation, risk identification, and program impact. Additionally, they offer crucial information for the board, management, and stakeholders, enabling organizations to make informed decisions to improve their vendor risk management program.
