Vendor Onboarding for Risk Management: 3 Critical Decisions

Vendor onboarding is the first step in the vendor risk management lifecycle. In this post, we'll examine three important decisions that can make or break this critical process.
Scott Lang
VP, Product Marketing
August 17, 2020

Vendor onboarding is the process of gathering the information and documentation needed to set up a company as an approved vendor. It's also the first step in the vendor risk management lifecycle. While the process usually starts with procurement, it can also involve representatives from accounts payable, finance, supplier management, information security and other departments.

This post reviews the key decisions to make when onboarding vendors, including:

  • What is the right mechanism for onboarding vendors?
  • What factors should you consider in making vendor tiering decisions?
  • How will you collect information to assess the inherent risks presented by a vendor?

1. Select a Method for Vendor Onboarding

One major goal of onboarding is to centralize vendor data so that it can be accessed by key internal stakeholders. The process typically starts with a manual or bulk upload into your vendor risk management (VRM) solution. You should be able to import data from existing vendor management or procurement solutions via spreadsheets, API connections or other integrations. Also, be sure that your VRM solution enforces role-based access, so that only the specific teams or employees you authorize can populate or edit vendor profiles.

2. Define Vendor Profiling and Tiering Criteria

You can use any criteria to categorize vendors, such as annual spend, inherent risk, service importance, or the sensitivity of the data the vendor can access. It's also important to consider the regulatory environment in which you operate. For instance, if GDPR compliance is important, then you may want to categorize vendors based on their access to your customers' personal data.

A typical vendor categorization process follows this logic:

  1. Identify the regulatory frameworks that drive your controls reporting (e.g., GDPR, CCPA, etc.) and what evidence each requires from a vendor.
  2. Determine importance to business performance: Is the vendor highly critical to operations?
  3. Ascertain supplier location: Does the vendor’s location raise any legal or regulatory obligations? Is there too much concentration risk?
  4. Determine if the supplier relies on fourth parties to deliver their services.

It’s also important to understand how a supplier's delivery or performance failure could impact your business. You should therefore leverage a scoring system that accounts for supplier tiering. This could include the following criteria:

  • Operational or client-facing processes
  • Interaction with personal data
  • Financial status and implications
  • Legal and regulatory obligations
  • Industry reputation

3. Calculate Inherent Risk

To understand the risk a vendor poses to your organization, you need to be able to calculate their inherent risk. Inherent risk is the level of risk a vendor would present before any of their controls are taken into account; the risk that remains once existing controls are credited is residual risk. Keeping the two separate is what lets you judge whether a vendor's controls actually reduce risk, or merely appear to.

Calculating inherent risk is important when onboarding new vendors and making profiling, tiering and categorization decisions. Having a baseline inherent risk also makes it much easier to calculate any residual risk that remains after controls are applied.

Calculating inherent risk starts with gaining visibility into a vendor’s current and historical risk posture. It's important for this to extend beyond basic profiling questions. For instance, a complete inherent risk score should include operational, legal, regulatory, financial, and reputational data inputs. It should also incorporate additional vendor information supplied by internal stakeholders through questionnaires.

Once you have calculated inherent risk for a specific vendor, assess the controls they actually have in place (and the evidence behind them) to arrive at their residual risk. The gap between the two is the risk reduction their controls deliver, and it is the residual figure that should be compared against your risk appetite. You can then leverage your VRM solution to gather remediation intelligence and collaborate with the vendor to bring residual risk down to an acceptable level.
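As an added worked example (not code from this post or from Prevalent), the following Python sketches a scoring model that ties together the tiering criteria listed in section 2 and the inherent versus residual risk distinction above. The criteria weights, the 1-to-5 rating scale, the tier thresholds, the tier floors for personal-data access and fourth-party reliance, and the sample vendor answers are all constructed assumptions, not values from the post; a real program would calibrate them to its own risk appetite.

```python
"""Vendor tiering and inherent/residual risk scoring (illustrative model, constructed for this post)."""
from dataclasses import dataclass

# Criteria from the tiering list in section 2, each rated 1 (low) to 5 (high)
# by the internal stakeholder who owns the relationship. Weights are an
# assumption for illustration and should be calibrated to your own program.
WEIGHTS = {
    "operational":      0.30,  # operational or client-facing processes
    "personal_data":    0.25,  # interaction with personal data
    "financial":        0.15,  # financial status and implications
    "legal_regulatory": 0.20,  # legal and regulatory obligations
    "reputation":       0.10,  # industry reputation
}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9

# Tier boundaries on the 0-100 inherent score (assumed). Tier 1 = most scrutiny.
TIER_1_MIN, TIER_2_MIN = 70.0, 40.0


@dataclass
class VendorProfile:
    name: str
    ratings: dict                           # criterion -> int in 1..5
    accesses_personal_data: bool = False    # GDPR/CCPA trigger from profiling
    relies_on_fourth_parties: bool = False  # delivery depends on subcontractors


def validate(profile: VendorProfile) -> None:
    """Reject incomplete or out-of-range questionnaire answers before scoring."""
    missing = set(WEIGHTS) - set(profile.ratings)
    extra = set(profile.ratings) - set(WEIGHTS)
    if missing or extra:
        raise ValueError(f"{profile.name}: missing={sorted(missing)} unknown={sorted(extra)}")
    for crit, val in profile.ratings.items():
        if not isinstance(val, int) or not 1 <= val <= 5:
            raise ValueError(f"{profile.name}: {crit} must be an int in 1..5, got {val!r}")


def inherent_risk(profile: VendorProfile) -> float:
    """Weighted score with NO controls credited, rescaled from 1..5 to 0..100."""
    validate(profile)
    weighted = sum(WEIGHTS[c] * profile.ratings[c] for c in WEIGHTS)  # 1.0 .. 5.0
    return round((weighted - 1.0) / 4.0 * 100.0, 1)


def assign_tier(profile: VendorProfile) -> int:
    """Map inherent risk to a tier, then apply floors the profiling answers impose."""
    score = inherent_risk(profile)
    tier = 1 if score >= TIER_1_MIN else 2 if score >= TIER_2_MIN else 3
    if profile.accesses_personal_data:
        tier = min(tier, 2)          # personal-data access never lands in the lowest tier
    if profile.relies_on_fourth_parties:
        tier = max(1, tier - 1)      # fourth-party dependence raises scrutiny by one tier
    return tier


def residual_risk(inherent: float, control_effectiveness: float) -> float:
    """Risk left after evidenced controls; effectiveness is the mitigated fraction 0..1."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be within 0..1")
    return round(inherent * (1.0 - control_effectiveness), 1)


def within_appetite(residual: float, appetite: float) -> bool:
    """Acceptance is judged on residual risk, never on the inherent score alone."""
    return residual <= appetite


if __name__ == "__main__":
    # Constructed sample questionnaire answers, not real vendor data.
    saas = VendorProfile(
        "PayrollSaaS",
        {"operational": 5, "personal_data": 5, "financial": 3, "legal_regulatory": 4, "reputation": 2},
        accesses_personal_data=True,
        relies_on_fourth_parties=True,
    )
    ir = inherent_risk(saas)
    rr = residual_risk(ir, control_effectiveness=0.6)  # e.g. after reviewing audit evidence
    print(f"{saas.name}: tier {assign_tier(saas)}, inherent {ir}, residual {rr}, "
          f"acceptable={within_appetite(rr, appetite=25.0)}")
```

The point the model makes explicit is the one the section argues: inherent risk is computed with no controls credited, residual risk is derived from it once evidenced controls are applied, and the go/no-go comparison against risk appetite is made on the residual figure. The tier floors show how profiling answers such as personal-data access or fourth-party reliance can override a low numeric score.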

Next Steps for Vendor Onboarding

Here are some final tips for ensuring a successful vendor onboarding process:

  • Start small, scale up: Initial assessments will be a learning experience. Start by issuing onboarding surveys for a small number of vendors and scale as your team becomes acclimated to the process.
  • Set realistic timeframes: Each survey needs to be completed by a human being! Be sure to estimate how many surveys each responder can manage at once when scheduling profiling and tiering.
  • Provide support documents: Create an FAQ to proactively address questions and share best practices with responders.
  • Plan communication: Create a communications plan to encourage participation and progress. This may include identifying objectives, conveying the value of assessments, and providing a list of escalation contacts.

Vendor onboarding doesn’t have to be a tedious exercise. With smart planning, categorization and tiering, you'll streamline future transactions, minimize risk, and build strong vendor relationships.

Learn about our proven, 5-step approach to vendor risk management in our best practices guide, or request a demonstration today.

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.