According to the CRISC Review Manual1, vendor risk mitigation action items are the specific tasks and activities that are assigned to the vendors or the organization to address the identified risks and implementthe risk responses. The percentage of vendor risk mitigation action items completed on time is the best key performance indicator (KPI) to measure the effectiveness of a vendor risk management program, as it helps to evaluate the timeliness and quality of the vendor performance, the alignment of the vendor activities with the organization’s risk appetite and objectives, and the achievement of the expected outcomes and benefits of the risk responses. The percentage of vendor risk mitigation action items completed on time also helps to identify andresolve any issues or gaps in the vendor risk management process, and to improve the vendor relationship and communication. References = CRISC Review Manual1, page 230.