Do you have defined KPIs for TPRM (cycle time, exception rate, reassessment compliance, finding remediation)?
Description
What this control does
This control requires organizations to define and monitor quantitative Key Performance Indicators (KPIs) for their Third-Party Risk Management (TPRM) program, specifically tracking cycle time (days from initiation to completion of an assessment), exception rate (the share of assessments that close with an approved deviation from standard requirements), reassessment compliance (the percentage of vendors whose scheduled periodic review was completed on time), and finding remediation (days to close identified vulnerabilities or gaps). These metrics let management identify process bottlenecks, resource constraints, and systemic compliance weaknesses in the vendor risk lifecycle. Without defined KPIs, a TPRM program operates reactively, lacks accountability, and cannot demonstrate continuous improvement or effective board-level oversight.
Control objective
What auditing this proves
Demonstrate that the organization has documented, actively tracked, and reported measurable KPIs for TPRM program efficiency and effectiveness, including cycle time, exception rates, reassessment compliance, and remediation velocity.
Associated risks
Risks this control addresses
- Undetected degradation of TPRM program performance allows high-risk vendors to operate without timely assessment or oversight
- Excessive exception approvals without tracking enable systematic bypassing of security standards across the vendor portfolio
- Failure to monitor reassessment compliance results in outdated risk profiles and expired security validations for critical third parties
- Prolonged remediation cycles for vendor findings leave exploitable vulnerabilities in supply chain components
- Inability to demonstrate TPRM effectiveness to regulators during examinations can result in enforcement actions or consent orders
- Resource allocation decisions made without empirical data lead to chronic understaffing and perpetual backlogs in vendor reviews
- Executive leadership lacks visibility into TPRM health metrics, preventing strategic risk-based decisions about third-party relationships
Testing procedure
How an auditor verifies this control
- Request the current TPRM KPI framework documentation, including definitions, calculation methodologies, target thresholds, and reporting frequency for each metric
- Obtain the most recent 12 months of TPRM KPI reports or dashboards showing actual measurements for cycle time, exception rate, reassessment compliance, and finding remediation
- Select a sample of 10-15 third-party assessments completed within the review period and independently calculate cycle time by comparing initiation and completion timestamps against reported metrics
- Review the exception management log or system to verify that exception rates are accurately calculated and categorized by risk level, business unit, or vendor type
- Cross-reference the vendor inventory against the reassessment schedule to validate compliance percentage calculation, identifying any vendors overdue for periodic review
- Examine finding remediation tracking records for a sample of 8-10 vendor-related findings, verifying time-to-closure matches reported remediation KPIs and validating closure evidence
- Interview TPRM program leadership to confirm KPIs are reviewed in governance meetings, trigger escalation workflows when thresholds are breached, and inform process improvement initiatives
- Verify that KPI data is communicated to executive leadership or board-level committees through regular reporting mechanisms such as quarterly risk dashboards or annual program assessments
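The recalculation steps above (cycle time from initiation and completion timestamps, exception rate from the exception log, reassessment compliance from the vendor inventory against the schedule, and time-to-closure for sampled findings) can be scripted against an export from the TPRM system so the auditor's numbers are reproducible. The following is an added example, not part of the original control page or any particular TPRM product: it runs over constructed sample records embedded inline, assumes a per-tier reassessment cadence (REASSESS_DAYS) and an audit cut-off date (AS_OF) that the control itself does not prescribe, treats never-assessed vendors as overdue, and compares a recomputed value against the reported one with an explicit tolerance.

```python
"""Independent recalculation of the four TPRM KPIs from exported records.

Added example for the testing procedure above; it is not the control page's
own tooling. All records, the tier cadence and the cut-off date are assumptions.
"""
from datetime import date, timedelta
from statistics import median

AS_OF = date(2024, 6, 30)  # audit cut-off date (assumed)

# Assumed cadence: days allowed between periodic reviews, by vendor risk tier.
REASSESS_DAYS = {"critical": 365, "high": 365, "medium": 730, "low": 1095}

# Constructed sample exports, shaped like what a TPRM tool would emit.
VENDORS = [
    {"id": "V1", "tier": "critical", "last_assessed": "2023-08-10"},
    {"id": "V2", "tier": "high",     "last_assessed": "2023-09-01"},
    {"id": "V3", "tier": "medium",   "last_assessed": "2022-03-15"},
    {"id": "V4", "tier": "low",      "last_assessed": None},  # never assessed
    {"id": "V5", "tier": "critical", "last_assessed": "2024-01-20"},
]
ASSESSMENTS = [  # one row per assessment completed in the review period
    {"vendor": "V1", "initiated": "2023-07-01", "completed": "2023-08-10", "exception": False},
    {"vendor": "V2", "initiated": "2023-07-15", "completed": "2023-09-01", "exception": True},
    {"vendor": "V5", "initiated": "2023-12-01", "completed": "2024-01-20", "exception": False},
    {"vendor": "V3", "initiated": "2024-02-01", "completed": "2024-03-31", "exception": True},
]
FINDINGS = [  # vendor findings; closed=None means still open at AS_OF
    {"id": "F1", "vendor": "V1", "opened": "2023-08-10", "closed": "2023-09-09"},
    {"id": "F2", "vendor": "V2", "opened": "2023-09-01", "closed": "2024-01-29"},
    {"id": "F3", "vendor": "V3", "opened": "2024-03-31", "closed": None},
]


def _d(s):
    """Parse an ISO date string; None stays None."""
    return date.fromisoformat(s) if s else None


def cycle_times(assessments):
    """Days from initiation to completion for each completed assessment."""
    return [(_d(a["completed"]) - _d(a["initiated"])).days for a in assessments]


def exception_rate(assessments):
    """Share of completed assessments that closed with an approved exception."""
    if not assessments:
        return 0.0
    return sum(1 for a in assessments if a["exception"]) / len(assessments)


def reassessment_status(vendors, as_of=AS_OF):
    """Return (compliance percentage, overdue vendor ids).

    A vendor is overdue when last_assessed + tier cadence falls before as_of;
    a vendor with no assessment on record is always overdue.
    """
    overdue = []
    for v in vendors:
        last = _d(v["last_assessed"])
        due = None if last is None else last + timedelta(days=REASSESS_DAYS[v["tier"]])
        if due is None or due < as_of:
            overdue.append(v["id"])
    pct = 100.0 * (len(vendors) - len(overdue)) / len(vendors)
    return pct, overdue


def remediation_stats(findings, as_of=AS_OF):
    """Median days-to-close over closed findings, plus age in days of open ones."""
    closed = [(_d(f["closed"]) - _d(f["opened"])).days for f in findings if f["closed"]]
    open_age = {f["id"]: (as_of - _d(f["opened"])).days for f in findings if not f["closed"]}
    return (median(closed) if closed else None), open_age


def matches_reported(recomputed, reported, tolerance):
    """True when the auditor's recomputation agrees with the reported KPI within tolerance."""
    return abs(recomputed - reported) <= tolerance


def kpi_report(vendors=VENDORS, assessments=ASSESSMENTS, findings=FINDINGS, as_of=AS_OF):
    """Bundle the four recomputed KPIs the way a working paper would record them."""
    ct = cycle_times(assessments)
    pct, overdue = reassessment_status(vendors, as_of)
    med_close, open_age = remediation_stats(findings, as_of)
    return {
        "median_cycle_days": median(ct),
        "exception_rate": exception_rate(assessments),
        "reassessment_compliance_pct": pct,
        "overdue_vendors": overdue,
        "median_days_to_close": med_close,
        "open_finding_age_days": open_age,
    }


if __name__ == "__main__":
    for k, v in kpi_report().items():
        print(f"{k}: {v}")
```

A reported figure that falls outside the tolerance is a working-paper exception in its own right, and the overdue list is the sample to trace back to the reassessment schedule.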