Annual Report Template
Third-Party Risk Management
Board Reporting
• This template is intended to help your organization create annual third-party risk management (TPRM) reporting
for the board of directors.
• We’ve outlined areas to fill in with your organization’s information and data. Once you’ve filled out the template,
delete this slide.
• This PowerPoint also contains blank charts to input your own organization’s information. Simply edit the chart
data to insert your own information and the chart will populate.
• We’ve also created a PowerPoint that contains specific examples of what data and information should be filled in
for the annual reports. You can download that presentation and reference it as you fill in this template. View the
PowerPoint with examples here.
Disclaimer: Remember to follow your organization’s formatting preferences. Every organization has unique
requirements for board reporting. Reports and their formats may differ depending on who you’re reporting
information to. Understand your organization’s specific requirements and formats for board reporting and
adapt this template to follow them.
Annual Report Template Instructions
Part I – Vendor Risk Report:
• Executive summary
• Report details:
o Fill in what’s included in the vendor
risk report section of the annual
report
Part II – TPRM Program Report:
• Executive summary
• Fill in what’s included in the TPRM
program report section of the annual
report
Annual Report Contents
Vendor Risks
Annual Board Report:
Part I
• Remember, it’s a summary! It shouldn’t be overly detailed but should offer sufficient information
to communicate the most significant risks.
• The executive summary should address all significant risk factors directly associated with vendor
risk.
• When approaching the executive summary, consider what you would want or need the board to
know if they don't review the rest of the report.
• Additional details can and should be provided later in the report.
Remember to delete this page when creating your own board reports.
Executive Summary Instructions
New and Emerging Risks: Summarize new and emerging risks below:
1. Insert here
2. Insert here
Risk Exposure: Briefly describe the overall
status of vendor risk exposure and
contributing factors below:
1. Insert here
2. Insert here
Significant Risk Issues or Events: Briefly describe any notable risk events, such as
cybersecurity breaches, compliance failures, business interruptions, or other risks
requiring the board’s attention, below:
1. Insert here
2. Insert here
Vendor Risk: Executive Summary
Other Vendor Issues (Non-Critical):
Describe any notable issues for non-critical vendors that would warrant the board’s
attention or provide information essential to making decisions below:
1. Issue #1
Regulatory Overview and Risks:
Summarize any regulatory risks below:
1. Insert here
2. Insert here
Critical Vendor Issues: Provide a summary of any critical vendor issues, similar to your
monthly reporting, below:
1. Issue #1
2. Issue #2
3. Issue #3
Vendor Risk: Executive Summary Continued
• The charts and data for the remainder of the report should include additional details for the information provided in
the summary and might include:
o Dashboards
o Narrative summaries
o Inventory reports
o Other information as appropriate
• At a minimum, make sure to include critical vendor details, including:
o A critical vendor inventory
o Open critical vendor issues with status and next steps
o Summaries of any critical vendor risk events
o Other relevant information, such as upcoming critical vendor contract renewals or expirations
Remember to delete this slide when creating your own board reports.
Report Details Instructions
[Chart: Vendor Inventory. Series: Low-Risk Vendors; Moderate-Risk Vendors; Non-Critical, High-Risk Vendors; Critical, High-Risk Vendors. X-axis: YYYY, YYYY]
Vendor Counts | Year #1 | Year #2 | YoY Increase or Decline
Critical, High-Risk Vendors | # | # | #
Non-Critical, High-Risk Vendors | # | # | #
Moderate-Risk Vendors | # | # | #
Low-Risk Vendors | # | # | #
Totals | # | # | #
Insert brief summary
Remediation actions:
• Describe any remediation actions
Vendor Inventory, Risk Exposure, and Risk Events
[Chart: Vendor Risk Exposure 2024. Categories: Risk #1 through Risk #6. Axis labels: Vendor Count, Vendor Engagements. Series: Moderate-Risk Vendors; Non-Critical, High-Risk Vendors; Critical Vendors; Totals from Previous Reporting Period]
[Chart: Vendor Risk Events. Series: Vendor Cyber Incidents; Vendor BC/DR Incidents; Vendor Compliance Incidents. X-axis: YYYY Year End, YTD Total]
Insert brief summary
Remediation actions:
• Describe any remediation actions
Insert brief summary
Remediation actions:
• Describe any remediation actions
Vendor | Product or Service | Critical | Risk Rating | Vendor Owner | Existing or New in 2024 | Q1 | Q2 | Q3 | Q4
Critical Vendor #1 | What product/service does vendor provide? | YES | | First Name/Last Name | | At Risk | Acceptable | Acceptable | Acceptable
Critical Vendor #2 | What product/service does vendor provide? | YES | | First Name/Last Name | | Acceptable | Acceptable | Acceptable | Acceptable
Critical Vendor #3 | What product/service does vendor provide? | YES | | First Name/Last Name | | Acceptable | Acceptable | Acceptable | Acceptable
Critical Vendor #4 | What product/service does vendor provide? | YES | | First Name/Last Name | | Acceptable | Acceptable | Acceptable | Acceptable
Critical Vendor #5 | What product/service does vendor provide? | YES | | First Name/Last Name | | Acceptable | Acceptable | Acceptable | Acceptable
Critical Vendor #6 | What product/service does vendor provide? | YES | | First Name/Last Name | | Acceptable | Acceptable | Acceptable | Acceptable
Critical Vendor #7 | What product/service does vendor provide? | YES | | First Name/Last Name | | At Risk | Acceptable | Acceptable | Acceptable
Critical Vendor #8 | What product/service does vendor provide? | YES | | First Name/Last Name | | Did Not Meet Expectations | At Risk | Acceptable | Acceptable
Critical Vendor #9 | What product/service does vendor provide? | YES | | First Name/Last Name | | Acceptable | Acceptable | Acceptable | Acceptable
Critical Vendor #10 | What product/service does vendor provide? | YES | | First Name/Last Name | | Acceptable | Acceptable | Acceptable | Acceptable
Critical Vendor #11 | What product/service does vendor provide? | YES | | First Name/Last Name | | Acceptable | Acceptable | Acceptable | Acceptable
Critical Vendor Inventory and Performance
Vendor | Product or Service | Critical | Risk Rating | Vendor Owner | Open Issues Y/N | Issue Description | Remediation Plan | Remediation Status | Issue Date | Remediation Date
Insert vendor name | What product/service does the vendor provide? | Y/N | | First Name/Last Name | Y/N | Briefly describe issue | What remediation plan is in place? | | DD/MM | DD/MM
Insert vendor name | What product/service does the vendor provide? | Y/N | | First Name/Last Name | Y/N | Briefly describe issue | What remediation plan is in place? | | DD/MM | DD/MM
Insert vendor name | What product/service does the vendor provide? | Y/N | | First Name/Last Name | Y/N | Briefly describe issue | What remediation plan is in place? | | DD/MM | DD/MM
Critical Vendor Issues
First Reported: MM/YYYY
Latest Update: MM/YYYY of the latest update, or new,
if this is a new risk.
Requested Actions from the Board: Include the action
you’re requesting the board take.
Briefly describe the risk and any TPRM work completed so far.
Known Impacts: Outline any known impacts from the risk.
Key Risks:
• Insert any key risks and their potential impact on your organization.
Next Steps:
• Describe next steps and TPRM activities that will be completed.
Milestones Achieved Since Last Board Report:
• List any achievements since risk was last reported.
Upcoming Milestones:
• MM/DD – Upcoming tasks
Insert Vendor Risk Issue #1
Insert Vendor Risk Issue #2
First Reported: MM/YYYY
Latest Update: MM/YYYY of the latest update, or new,
if this is a new risk.
Requested Actions from the Board: Include the action
you’re requesting the board take.
Briefly describe the risk and any TPRM work completed so far.
Known Impacts: Outline any known impacts from the risk.
Key Risks:
• Insert any key risks and their potential impact on your organization.
Next Steps:
• Describe next steps and TPRM activities that will be completed.
Milestones Achieved Since Last Board Report:
• List any achievements since risk was last reported.
Upcoming Milestones:
• MM/DD – Upcoming tasks
Insert Vendor Risk Issue #3
First Reported: MM/YYYY
Latest Update: MM/YYYY of the latest update, or new,
if this is a new risk.
Requested Actions from the Board: Include the action
you’re requesting the board take.
Briefly describe the risk and any TPRM work completed so far.
Known Impacts: Outline any known impacts from the risk.
Key Risks:
• Insert any key risks and their potential impact on your organization.
Next Steps:
• Describe next steps and TPRM activities that will be completed.
Milestones Achieved Since Last Board Report:
• List any achievements since risk was last reported.
Upcoming Milestones:
• MM/DD – Upcoming tasks
Describe the most significant vendor risks that the board needs to know about. If you have already covered them
in another section such as critical vendor risks, then do not include them here.
Known Impacts: Outline any known impacts from the risk.
Key Risks:
• Insert any key risks and their potential impact on your organization.
Next Steps:
• Describe next steps and TPRM activities that will be completed.
Other Vendor Issues and Risks
Use this section to provide an overview of new and emerging risks and any mitigation activities taking place:
• New/emerging risk #1
• New/emerging risk #2
New and Emerging Risks
Annual Board Report:
Part II
Third-Party Risk Management
Program Update
Brief introduction here
Program highlights and notable issues:
TPRM Program Update – Executive Summary
Program Risks
(Provide a short summary of program risks)
Program Risk Remediations
(Provide a summary of remediations required to address the program risks)
Requested Board Actions
(Include any specific actions or decisions requested of the board)
Summary
(Provide a summary paragraph)
TPRM Program Update – Executive Summary Continued
Brief summary of metrics here and any notable points
TPRM Process Metrics
[Chart: Risk Assessment and Re-Assessment. Series: Internal Risk Assessments - All Vendor Engagements; Risk Re-Assessment Completed On Time. X-axis: TARGET, YYYY YE, Q1, Q2, Q3, Q4, YTD Avg. Y-axis: 0% to 100%]
[Chart: Due Diligence Completion Before Contract Execution. Series: Risk-Based Due Diligence / Completed Vendor Risk Review - Moderate and Above; Due Diligence Completed Prior to Contract Execution. X-axis: YYYY YE, Q1, Q2, Q3, Q4, YTD Total, YTD Avg. Y-axis: 0% to 100%]
Brief summary of metrics here and any notable points
[Chart: Contracts Reviewed – Essential Terms and Conditions. Y-axis: 0% to 100%]
Brief summary of metrics here and any notable
points
[Chart: Timely Performance Management, Critical and High-Risk Vendors. Categories: YTD Total, YYYY YE. Axis: 0% to 100%]
Brief summary of metrics here and any notable
points
TPRM Process Metrics Continued
[Chart: Evidence of Ongoing Risk Monitoring. X-axis: YYYY YE, Q1, Q2, Q3, Q4, YTD Avg. Y-axis: 0% to 100%]
Brief summary of metrics here and any notable points
[Chart: Open Issues and Remediation Rate. Series: Open Issues at Risk or Past Due; Critical and High-Risk Vendors With Open Issues; On-Time Issue Remediation Rate. Categories: YYYY YE, YTD Total. Y-axis: 0% to 100%]
Brief summary of metrics here and any notable points
[Chart: Risk Re-Assessment Completed On Time. X-axis: TARGET, YYYY YE, Q1, Q2, Q3, Q4, YTD Avg. Y-axis: 0% to 100%]
Brief summary of metrics here and any notable points
TPRM Operational Metrics
[Chart: Business Days to Complete Due Diligence. X-axis: TARGET, YYYY YE, Q1, Q2, Q3, Q4, YTD Avg.]
Brief summary of metrics here and any notable points
[Chart: TPRM Staffing Needs and Ratios. Series: Staff Count; Ratio; Need. X-axis: Year #1, Year #2]
Brief summary of metrics here and any notable points
[Chart: Non-Approved Process Exemptions. X-axis: YYYY YE, Q1, Q2, Q3, Q4, YTD Total. Y-axis: 0% to 100%]
Brief summary of metrics here and any notable points
TPRM Program Compliance Metrics
[Chart: Vendor Owners Trained. X-axis: TARGET, YTD Total, YYYY YE, Q1, Q2, Q3, Q4. Y-axis: 0% to 100%]
Brief summary of metrics here and any notable points
[Chart: Audit and Exam Issues Timely Remediation. Series: Open Audit Issues; Open Regulatory Exam Issues/Findings; Audit/Exam Issues Timely Remediation. X-axis: YYYY YE, Q1, Q2, Q3, Q4, YTD Total]
Brief summary of metrics here and any notable points
As of YYYY, the TPRM program is in the (insert stage).
TPRM Program Maturity
Program Component | Score
Risk Management Activities | 0%
Governance | 0%
People | 0%
Tools and Technology | 0%
TPRM Program Components Score
Maturity scale: Ad Hoc 0-19%; Developing 20-39%; Implemented 40-69%; Managed 70-89%; Optimizing 90-100%
Program Component | Process | Process Score
Risk Management Activities | Insert process | Insert percentage
 | Insert process | Insert percentage
 | Insert process | Insert percentage
 | Insert process | Insert percentage
 | Insert process | Insert percentage
 | Insert process | Insert percentage
 | Insert process | Insert percentage
 | Insert process | Insert percentage
Governance | Policy | Insert percentage
 | Insert policy process | Insert percentage
 | Insert policy process | Insert percentage
 | Insert policy process | Insert percentage
 | Insert policy process | Insert percentage
 | Insert policy process | Insert percentage

Program Component | Process | Process Score
Governance (cont.) | Insert policy process | Insert percentage
 | Insert policy process | Insert percentage
 | Insert policy process | Insert percentage
People | Roles and Responsibilities | Insert percentage
 | Insert process | Insert percentage
 | Insert process | Insert percentage
 | Insert process | Insert percentage
Tools and Technology | Insert tools process | Insert percentage
 | Insert tools process | Insert percentage
 | Insert tools process | Insert percentage
 | Insert tools process | Insert percentage
 | Insert tools process | Insert percentage
 | Insert tools process | Insert percentage
 | Insert tools process | Insert percentage
 | Insert tools process | Insert percentage
Maturity scale: Ad Hoc 0-19%; Developing 20-39%; Implemented 40-69%; Managed 70-89%; Optimizing 90-100%
TPRM Program Components Score By Component and Process
Risk Management Processes
• Insert process plan and color for stage
• Insert process plan and color for stage
• Insert process plan and color for stage
• Insert process plan and color for stage
• Insert process plan and color for stage
Governance
• Insert process plan and color for stage
• Insert process plan and color for stage
• Insert process plan and color for stage
• Insert process plan and color for stage
People
• Insert process plan and color for stage
• Insert process plan and color for stage
• Insert process plan and color for stage
• Insert process plan and color for stage
Tools and Technology
• Insert process plan and color for stage
• Insert process plan and color for stage
• Insert process plan and color for stage
• Insert process plan and color for stage
• Insert process plan and color for stage
Q# YY Q# YY Q# YY Q# YY Q# YY Q# YY
Maturity scale: Ad Hoc 0-19%; Developing 20-39%; Implemented 40-69%; Managed 70-89%; Optimizing 90-100%
TPRM YYYY Roadmap
