Vendor onboarding is the process of gathering the information and documentation needed to set up a company as an approved vendor. It's also a critical first step in the vendor risk management lifecycle. While the process usually starts with procurement, it can also involve representatives from accounts payable, finance, supplier management and other departments.
This post reviews the key decisions to make when onboarding vendors, including:
Having a well-defined vendor onboarding workflow can help your organization formalize supplier relationships, evaluate new vendors based on quantitative risk metrics, and conduct due diligence on the vendors' business practices. Having a formalized vendor onboarding process can dramatically reduce the risk of a major disruption in your supply chain or a data breach.
Many organizations choose to use vendor risk management software to automate workflows around onboarding new suppliers. For example, TPRM software can help identify data breaches, financial risks, and questionable business relationships that potential vendors might have. Modern slavery, data breaches, and other ethical and reputation risks continue to grow year over year and pose a substantial risk to organizations with large supply chains.
One major goal of onboarding is to centralize vendor data so that it can be accessed by key internal stakeholders. The process typically starts with a manual or bulk upload into your vendor risk management solution. You should be able to import data from existing vendor management or procurement solutions via spreadsheets, API connections or other integrations. Also, be sure that your VRM solution will enable specific teams or employees to populate vendor profiles via role-based access.
You can use any criteria to categorize vendors, such as annual spend, inherent risk, service importance, or sensitivity of data access. It's also important to consider the regulatory environment in which you operate. For instance, if GDPR compliance is important, then you may want to categorize vendors based on their access to your customers' personal data.
A typical vendor categorization process follows this logic:
It’s also important to understand how a supplier's delivery or performance failure could impact your business. You should therefore leverage a scoring system that accounts for supplier tiering. This could include the following criteria:
Procurement Risk Playbook: How to Win the Third-Party Game
As in many sports, third-party risk management requires a team effort. Our strategy paper, "The Procurement Risk Playbook: How to Win the Third-Party Game," lays out 5 critical plays for your team.
To understand the risk a vendor poses to your organization, you need to be able to calculate their inherent risk. Inherent risk is the current risk level given the existing controls (or lack of controls) for a vendor.
Calculating inherent risk is important when onboarding new vendors and making profiling, tiering and categorization decisions. Having a baseline inherent risk also makes it much easier to calculate any residual risk that remains after controls are applied.
Calculating inherent risk starts with gaining visibility into a vendor’s current and historical risk posture. It's important for this to extend beyond basic profiling questions. For instance, a complete inherent risk score should include operational, legal, regulatory, financial, and reputational data inputs. It should also incorporate additional vendor information supplied by internal stakeholders through questionnaires.
Once you calculate inherent risk for a specific vendor, you should also compare it to their highest possible score. In this case, that would be their score if they applied no controls at all. You can then leverage your VRM solution to gather remediation intelligence and collaborate to achieve acceptable levels of residual risk.
In some cases you might find that the level of risk a vendor poses to your organization is unacceptable. For instance, vendor compliance may be lacking for key requirements that affect your organization, or a vendor may have poor data management practices. If the contract is large enough, it may make sense to request that the vendor achieve a third-party information security accreditation such as SOC 2 or ISO 27001. In other cases you may need to rethink the relationship, or ensure that the vendor only accesses non-sensitive data.
Here are some final tips for ensuring a successful vendor onboarding process:
Vendor onboarding doesn’t have to be a tedious exercise. With smart planning, categorization and tiering, you'll streamline future transactions, minimize risk, and build strong vendor relationships.