The Vendor Onboarding Process: Keys to Success

Onboarding is an essential, early step in the vendor risk management lifecycle. In this post, we review several best practices for building a risk-aware vendor onboarding process.
By: Scott Lang, VP, Product Marketing
July 25, 2022

What Is Vendor Onboarding?

Vendor onboarding is the process of establishing a company as an approved provider of technology, goods or services to your organization. It's also an essential, early step in the vendor risk management lifecycle.

Accounting for vendor risk during onboarding can mean the difference between proactively avoiding business disruptions and constantly reacting to supply chain problems, data breaches, and other events.

In this post, we review some best practices for building a risk-aware vendor onboarding process. Also, while we focus on the term “vendor” in this post, these best practices apply equally to technology vendors and suppliers of non-IT goods and services.

Why Is a Structured Vendor Onboarding Process Important?

A structured vendor onboarding process enables you to track and manage your third-party ecosystem in a consistent, repeatable way. It also enables you to enforce standard contract provisions and perform due diligence to flag vendors that pose third-party cyber risks, compliance problems, ESG-related issues, or other potential business risks.

Due diligence is a critical part of the onboarding process and should be conducted prior to granting third parties access to sensitive data, IT systems and/or facilities. Due diligence can include:

  • Assessing vendor security controls against industry frameworks, such as those from NIST and ISO
  • Monitoring for cyber exposures, data breaches, financial issues, legal violations, adverse media, and other public-facing risks
  • Certifying that vendors have met “flow-down” compliance requirements per GDPR, CMMC, HIPAA and other regulations

Many organizations choose to use vendor risk management software to automate the due diligence process and related onboarding workflows early in the risk lifecycle.

Start with Strong Sourcing and Selection Processes

The third-party risk lifecycle starts with the vendor sourcing and selection phase, when RFPs, RFIs and other RFx processes are used to evaluate potential business partners – and then finalists are moved into the contracting step. Both RFx management and contract lifecycle management present key opportunities for identifying and reducing risk before vendors are onboarded.

RFx Management

For a more effective vendor onboarding program, start with risk-aware RFx management practices. For instance, RFPs and RFIs can be used to assess whether vendor candidates have the baseline security controls your organization requires to comply with regulations and/or internal policies. This is also the point where it makes sense to get an initial risk profiling snapshot to identify any known data breaches, financial problems, ESG issues, lawsuits or other adverse events signaling a potentially risky vendor candidate.

With an initial controls assessment and risk snapshot in hand, you can then generate an initial risk score for each prospective vendor based on your business priorities. If a third party is selected as a final candidate, then this risk information can be included as part of their centralized profile during the contracting stage.

Contract Lifecycle Management

Once you select a finalist, you can move the vendor’s profile into your contract lifecycle management process. A structured, automated approach to contract management enables organizations to speed the onboarding process and reduce third-party risk by:

  • Reconciling edits from internal stakeholders and vendors
  • Updating redlined copies and managing version control
  • Coordinating procurement, legal, and finance teams for streamlined reviews
  • Ensuring that terms and SLAs are consistent across like vendors

Contract lifecycle management solutions can also help after onboarding by facilitating SLA reviews and monitoring contract terms for renewal or termination.

Build a Central Vendor Database for Stakeholder Collaboration

One major goal of onboarding solutions is to centralize vendor data so that it can be accessed by key internal stakeholders. The process typically starts with a manual or bulk upload into your vendor risk management solution. You should be able to import data from existing vendor management or procurement solutions via spreadsheets, API connections, or other integrations.

Also, remember that effective onboarding programs involve stakeholders from multiple teams, including procurement, accounts payable, finance, supplier management, and other departments. Therefore, be sure that your vendor risk management solution enables specific teams or employees to populate vendor profiles via role-based access.

Conduct Onboarding Due Diligence to Measure Inherent Risk

Once the contract is signed with a selected vendor, you will hopefully have built an initial risk profile from data gathered during the RFx and contract lifecycle management steps. Before providing them access to your systems, physical locations and/or data, you’ll want to conduct a deeper level of due diligence and determine their level of inherent risk.

Put simply, an inherent risk is one that exists prior to the application of controls. You can evaluate inherent risk through a combination of publicly available risk intelligence and internally completed risk assessment questionnaires.

Check Public-Facing Risk Data

Conduct a quick health check during vendor onboarding to flag any externally observable risks that may have been missed during the sourcing and selection process. At this stage, it’s important to consider several risk vectors, including cyber, business, financial and reputational risk. For instance:

  • Does the vendor have a history of data breaches or compliance violations? If so, has the vendor disclosed remediation steps they have taken to prevent future problems?
  • What is the vendor's reputation in their market? Do they pose a reputational risk to your organization due to poor environmental practices or other ESG supply chain risks such as modern slavery and bribery?
  • What is the vendor's financial posture? Do they have unacceptable levels of debt or cash flow problems that could result in a sudden inability to deliver against contract terms?
  • Who are the key executives? Is there a great deal of turnover in business leadership or other reasons to be concerned about internal business operations?

For a fast and simple health check, consider subscribing to a vendor risk intelligence network, which provides access to an on-demand library of thousands of vendor risk reports that are updated and backed by supporting evidence. Or, for an even deeper, more customizable look at a vendor’s public risk profile, consider using a continuous vendor risk monitoring solution as part of your broader third-party risk management program.

Tier and Categorize Vendors with an Inherent Risk Assessment

Tiering and categorization will help you determine the scope and frequency of risk assessments and monitoring activities required for each third party throughout the course of the business relationship. Vendors with high potential risk need to be monitored more closely and assessed more frequently than those in a lower tier. This is where questionnaire-based inherent risk assessments come in. Assessments enable you to gather information from vendors about their IT security controls, incident response procedures, business resilience practices, and other means of protecting your organization’s data and/or supply chain.

A vendor or supplier’s classification can be based on their level of importance to your business (e.g., annual spend), their profiled risk (e.g., access to sensitive data, concentration risk, etc.), their inherent risk (risk level prior to remediation), or a combination of these factors.

It's also important to consider the regulatory environment in which you operate. For instance, if GDPR compliance is important, then you may want to categorize vendors based on their access to your customers’ personal data.

A typical vendor categorization process follows this logic:

  1. Identify the type of content required to inform controls reporting (e.g., GDPR, CCPA, etc.)
  2. Determine importance to business performance: Is the vendor highly critical to operations?
  3. Ascertain supplier location: Does the vendor’s location raise any legal or regulatory obligations? Is there too much concentration risk?
  4. Determine if the vendor relies on fourth parties to deliver their services.

It’s also important to understand how a supplier's delivery or performance failure could impact your business. You should therefore leverage a scoring system that accounts for supplier tiering. This could include the following criteria:

  • Operational or client-facing processes
  • Interaction with personal data
  • Financial status and implications
  • Legal and regulatory obligations
  • Industry reputation

Mitigate Unacceptable Risks Prior to Final Onboarding

At this stage, you should have clarity into each new vendor’s levels of profiled and inherent risk. You now need to work with them to remediate or mitigate any risks that fall outside of your organization’s risk tolerance threshold. In addition to internal third-party risk policies, your organization may have compliance or regulatory obligations to mandate, assess, and/or monitor third-party security controls.

A third-party risk management platform that offers remediation guidance plus workflow and task management capabilities can help to automate and speed the remediation process. As a result, your organization will get a fast time to value from vendor solutions, while minimizing the risk of data breaches, supply chain issues, and other business disruptions.

Of course, it is impossible to eliminate 100% of third-party risks. Any remaining risk after security controls and other remediations are applied is considered residual risk. In some cases, a vendor’s level of residual risk may be greater than your organization can tolerate. If the costs are too high to bring the vendor to an acceptable level of residual risk, or if the vendor simply refuses to implement required controls, then you may need to walk away from the contract.
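To make the tiering logic and the inherent-versus-residual risk distinction concrete, here is an added example (not code from the original post or from any vendor's product) that scores a vendor against the criteria listed above, maps the score to a tier with a review cadence, and checks residual risk against a tolerance threshold. The criterion weights, tier thresholds, review intervals, and the spend threshold are constructed assumptions an organization would tune to its own priorities.

```python
from dataclasses import dataclass

# Constructed weights for the scoring criteria listed above; tune to your own priorities.
CRITERIA_WEIGHTS = {
    "client_facing_or_operational": 3,    # operational or client-facing processes
    "handles_personal_data": 3,           # interaction with personal data (GDPR/CCPA scope)
    "financial_concerns": 2,              # financial status and implications
    "legal_or_regulatory_obligations": 2, # legal and regulatory obligations
    "adverse_reputation": 1,              # industry reputation / adverse media
    "relies_on_fourth_parties": 1,        # fourth-party dependence
    "high_concentration_risk": 1,         # supplier location / concentration risk
}
TIER_THRESHOLDS = ((9, 1), (5, 2), (0, 3))     # (minimum score, tier); tier 1 = highest risk
REVIEW_INTERVAL_MONTHS = {1: 6, 2: 12, 3: 24}  # assumed reassessment cadence per tier

@dataclass
class Vendor:
    name: str
    flags: dict          # criterion -> bool, taken from the inherent risk questionnaire
    annual_spend: float  # proxy for importance to the business

def inherent_risk_score(vendor):
    """Risk prior to any controls: the sum of weights for every criterion that applies."""
    unknown = set(vendor.flags) - set(CRITERIA_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    return sum(w for name, w in CRITERIA_WEIGHTS.items() if vendor.flags.get(name))

def tier_for(vendor, spend_threshold=1_000_000):
    """Map the inherent score to a tier; high annual spend promotes the vendor one tier up."""
    score = inherent_risk_score(vendor)
    t = next(t for min_score, t in TIER_THRESHOLDS if score >= min_score)
    if vendor.annual_spend >= spend_threshold:
        t = max(1, t - 1)
    return t

def residual_risk(vendor, control_effectiveness):
    """Risk remaining after remediation; effectiveness ranges from 0.0 (none) to 1.0 (full)."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be within [0, 1]")
    return inherent_risk_score(vendor) * (1.0 - control_effectiveness)

def onboarding_decision(vendor, control_effectiveness, tolerance):
    """'approve' when residual risk is within tolerance; otherwise 'remediate' (or walk away)."""
    return "approve" if residual_risk(vendor, control_effectiveness) <= tolerance else "remediate"

if __name__ == "__main__":
    # Constructed sample vendor: a payroll SaaS that handles personal data and uses subprocessors.
    payroll = Vendor("payroll-saas", {"handles_personal_data": True,
                     "client_facing_or_operational": True, "relies_on_fourth_parties": True}, 250_000)
    t = tier_for(payroll)
    print(payroll.name, "inherent", inherent_risk_score(payroll), "tier", t,
          "reassess every", REVIEW_INTERVAL_MONTHS[t], "months")
```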

Tips for Vendor Onboarding

By applying the best practices outlined above, your organization can significantly reduce third-party risk from the earliest stages of the vendor lifecycle. Here are some final, practical tips to consider when creating a risk-aware vendor onboarding process:

  • Start small, scale up: Start by assessing a small number of high-priority vendors and scale as your team becomes acclimated to the process.
  • Set realistic timeframes: Vendors are humans, too, so be sure to set achievable deadlines for completing questionnaires and responding to assessment surveys.
  • Establish an approval process: There should be a documented approval process for onboarding new vendors. Consider including standard templates for payment terms, invoicing, and information security standards as part of the supplier onboarding process.
  • Provide support resources: Create an FAQ to proactively address questions and share best practices with responders.
  • Plan communication: Create a communications plan to encourage participation and progress. This may include identifying objectives, conveying the value of assessments, and providing a list of escalation contacts.

Continue to Reduce Third-Party Risk After Onboarding

It's no secret that new threats are constantly emerging and evolving, so risk management needs to continue through every stage of the vendor risk lifecycle. Here are some steps you can take to reduce risk throughout the life of the contract:

  • Mandate that vendors undergo an audit to certify compliance with SOC 2, NIST CSF, or another cybersecurity framework. By meeting framework requirements, vendors may also meet mandated compliance requirements by default.
  • Issue vendor risk assessments on a regular basis (e.g., annually) to identify changes in third-party security controls and/or address new compliance requirements.
  • Require additional routine disclosures of financial statements and other business information to get ahead of potential disruptions.
  • Include information security provisions in the SLA and other contract languages to add an additional level of liability protection for your organization.
  • Follow an approval process for scope changes to contracts for high-risk vendors.

Next Steps: Automate Your Vendor Onboarding Process

Vendor onboarding doesn’t have to be a tedious exercise. With smart planning and an automated onboarding solution, you can achieve a faster ROI from new vendors and suppliers, reduce your organization’s exposure to third-party risk, and build stronger business partnerships.

Learn about vendor risk management in our best practices guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage, or request a demonstration of our solution today.

Scott Lang
VP, Product Marketing
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.