SolarWinds Third-Party Breach: 7 Questions to Ask Your Vendors
Vendor onboarding is the process of gathering the information and documentation needed to set up a company as an approved vendor. It is also a critical first step in the vendor risk management lifecycle. While the process usually starts with procurement, it can also involve representatives from accounts payable, finance, supplier management and other departments.
This post reviews the key decisions to make when onboarding vendors, including:
One major goal of onboarding is to centralize vendor data so that key internal stakeholders can access it. The process typically starts with a manual or bulk upload into your vendor risk management (VRM) solution. You should be able to import data from existing vendor management or procurement solutions via spreadsheets, API connections or other integrations. Also, be sure that your VRM solution allows specific teams or employees to populate vendor profiles through role-based access.
You can use any criteria to categorize vendors, such as annual spend, inherent risk, service importance or sensitivity of data access. It is also important to consider the regulatory environment in which you operate. For instance, if GDPR compliance is important, then you may want to categorize vendors based on their access to your customers' personal data.
A typical vendor categorization process follows this logic:
It’s also important to understand how a supplier's delivery or performance failure could impact your business. You should therefore leverage a scoring system that accounts for supplier tiering. This could include the following criteria:
To understand the risk a vendor poses to your organization, you need to be able to calculate their inherent risk. Inherent risk is the current risk level given the vendor's existing controls (or lack of them).
Calculating inherent risk is important when onboarding new vendors and making profiling, tiering and categorization decisions. Having a baseline inherent risk also makes it much easier to calculate any residual risk that remains after controls are applied.
Calculating inherent risk starts with gaining visibility into a vendor’s current and historical risk posture. It's important for this to extend beyond basic profiling questions. For instance, a complete inherent risk score should include operational, legal, regulatory, financial, and reputational data inputs. It should also incorporate additional vendor information supplied by internal stakeholders through questionnaires.
Once you calculate inherent risk for a specific vendor, you should also compare it to their highest possible score. In this case, that would be their score if they applied no controls at all. You can then leverage your VRM solution to gather remediation intelligence and collaborate to achieve acceptable levels of residual risk.
Here are some final tips for ensuring a successful vendor onboarding process:
Vendor onboarding doesn’t have to be a tedious exercise. With smart planning, categorization and tiering, you'll streamline future transactions, minimize risk, and build strong vendor relationships.