Vendor onboarding is the process of establishing a company as an approved provider of technology, goods or services to your organization. It's also an essential, early step in the vendor risk management lifecycle.
Accounting for vendor risk during onboarding can mean the difference between proactively avoiding business disruptions and constantly reacting to supply chain problems, data breaches, and other events.
In this post, we review some best practices for building a risk-aware vendor onboarding process. Also, while we focus on the term “vendor” in this post, these best practices apply equally to technology vendors and suppliers of non-IT goods and services.
A structured vendor onboarding process enables you to track and manage your third-party ecosystem in a consistent, repeatable way. It also enables you to enforce standard contract provisions and perform due diligence to flag vendors that pose third-party cyber risks, compliance problems, ESG-related issues, or other potential business risks.
Due diligence is a critical part of the onboarding process and should be conducted prior to granting third parties access to sensitive data, IT systems and/or facilities. Due diligence can include:
Many organizations choose to use vendor risk management software to automate the due diligence process and related onboarding workflows early in the risk lifecycle.
The third-party risk lifecycle starts with the vendor sourcing and selection phase, when RFPs, RFIs and other RFx processes are used to evaluate potential business partners – and then finalists are moved into the contracting step. Both RFx management and contract lifecycle management present key opportunities for identifying and reducing risk before vendors are onboarded.
For a more effective vendor onboarding program, start with risk-aware RFx management practices. For instance, RFPs and RFIs can be used to assess whether vendor candidates have the baseline security controls your organization requires to comply with regulations and/or internal policies. This is also the point where it makes sense to get an initial risk profiling snapshot to identify any known data breaches, financial problems, ESG issues, lawsuits or other adverse events signaling a potentially risky vendor candidate.
With an initial controls assessment and risk snapshot in hand, you can then generate an initial risk score for each prospective vendor based on your business priorities. If a third party is selected as a final candidate, then this risk information can be included as part of their centralized profile during the contracting stage.
Once you select a finalist, you can move the vendor’s profile into your contract lifecycle management process. A structured, automated approach to contract management enables organizations to speed the onboarding process and reduce third-party risk by:
Contract lifecycle management solutions can also help after onboarding by facilitating SLA reviews and monitoring contract terms for renewal or termination.
One major goal of onboarding solutions is to centralize vendor data so that it can be accessed by key internal stakeholders. The process typically starts with a manual or bulk upload into your vendor risk management solution. You should be able to import data from existing vendor management or procurement solutions via spreadsheets, API connections, or other integrations.
Also, remember that effective onboarding programs involve stakeholders from multiple teams, including procurement, accounts payable, finance, supplier management, and other departments. Therefore, be sure that your vendor risk management solution enables specific teams or employees to populate vendor profiles via role-based access.
Minimize Vendor Risk from the Start
Use these best practices and checklist template to build a vendor onboarding process designed to avoid third-party business disruptions.
Once the contract is signed with a selected vendor, you will hopefully have built an initial risk profile from data gathered during the RFx and contract lifecycle management steps. Before providing them access to your systems, physical locations and/or data, you’ll want to conduct a deeper level of due diligence and determine their level of inherent risk.
Put simply, an inherent risk is one that exists prior to the application of controls. You can evaluate inherent risk through a combination of publicly available risk intelligence and internally completed risk assessment questionnaires.
Conduct a quick health check during vendor onboarding to flag any externally observable risks that may have been missed during the sourcing and selection process. At this stage, it’s important to consider several risk vectors, including cyber, business, financial and reputational risk. For instance:
For a fast and simple health check, consider subscribing to a vendor risk intelligence network, which provides access to an on-demand library of thousands of vendor risk reports that are updated and backed by supporting evidence. Or, for an even deeper, more customizable look at a vendor’s public risk profile, consider using a continuous vendor risk monitoring solution as part of your broader third-party risk management program.
Tiering and categorization will help you determine the scope and frequency of risk assessments and monitoring activities required for each third party throughout the course of the business relationship. Companies with a high potential risk need to be monitored more carefully and assessed more frequently than those occupying a lower tier. This is where questionnaire-based inherent risk assessments come in. Assessments enable you to gather information from vendors about their IT security controls, incident response procedures, business resilience practices, and other means of protecting your organization’s data and/or supply chain.
A vendor or supplier’s classification can be based on their level of importance to your business (e.g., annual spend), their profiled risk (e.g., access to sensitive data, concentration risk, etc.), their inherent risk (risk level prior to remediation), or a combination of these factors.
It's also important to consider the regulatory environment in which you operate. For instance, if GDPR compliance is important, then you may want to categorize vendors based on their access to your customers’ personal data.
A typical vendor categorization process follows this logic:
It’s also important to understand how a supplier's delivery or performance failure could impact your business. You should therefore leverage a scoring system that accounts for supplier tiering. This could include the following criteria:
At this stage, you should have clarity into each new vendor’s levels of profiled and inherent risk. You now need to work with them to remediate or mitigate any risks that fall outside of your organization’s risk tolerance threshold. In addition to internal third-party risk policies, your organization may have compliance or regulatory obligations to mandate, assess, and/or monitor third-party security controls.
A third-party risk management platform that offers remediation guidance plus workflow and task management capabilities can help to automate and speed the remediation process. As a result, your organization will get a fast time to value from vendor solutions, while minimizing the risk of data breaches, supply chain issues, and other business disruptions.
Of course, it is impossible to eliminate 100% of third-party risks. Any remaining risk after security controls and other remediations are applied is considered residual risk. In some cases, a vendor’s level of residual risk may be greater than your organization can tolerate. If the costs are too high to bring the vendor to an acceptable level of residual risk, or if the vendor simply refuses to implement required controls, then you may need to walk away from the contract.
On Demand-Webinar: 5 Tips for Secure and Fast Vendor Onboarding
Nasser Fattah, former Managing Director for Information Security at Mitsubishi UFJ Financial Group, discusses 5 tips for timely and secure vendor onboarding.
By applying the best practices outlined above, your organization can significantly reduce third-party risk from the earliest stages of the vendor lifecycle. Here are some final, practical tips to consider when creating a risk-aware vendor onboarding process:
It's no secret that new threats are constantly emerging and evolving, so risk management needs to continue through every stage of the vendor risk lifecycle. Here are some steps you can take to reduce risk throughout the life of the contract:
Vendor onboarding doesn’t have to be a tedious exercise. With smart planning and an automated onboarding solution, you can achieve a faster ROI from new vendors and suppliers, reduce your organization’s exposure to third-party risk, and build stronger business partnerships.