Vendor onboarding is the process of gathering the information and documentation needed to set up a company as an approved vendor. It's also a critical first step in vendor risk management lifecycle. While the process usually starts with procurement, it can also involve representatives from accounts payable, finance, supplier management and other departments.
This post reviews the key decisions to make when onboarding vendors, including:
One major goal of onboarding is to centralize vendor data so that it can be accessed by key internal stakeholders. The process typically starts with a manual or bulk upload into your vendor risk management solution. You should be able to import data from existing vendor management or procurement solutions via spreadsheets, API connections or other integrations. Also, be sure that your VRM solution will allow specific teams or employees to populate vendor profiles via role-based access.
You can use any criteria to categorize vendors, such as annual spend, inherent risk, service importance, sensitivity of data access. It's also important to consider the regulatory environment in which you operate. For instance, if GDPR compliance is important, then you may want to categorize vendors based on their access to your customers' personal data.
A typical vendor categorization process follows this logic:
It’s also important to understand how a supplier's delivery or performance failure could impact your business. You should therefore leverage a scoring system that accounts for supplier tiering. This could include the following criteria:
Procurement Risk Playbook: How to Win the Third-Party Game
As in many sports, third-party risk management requires a team effort. Our strategy paper, "The Procurement Risk Playbook: How to Win the Third-Party Game," lays out 5 critical plays for your team.
To understand the risk a vendor poses to your organization, you need to be able to calculate their inherent risk. Inherent risk is current risk level given the existing (or lack of) controls for a vendor.
Calculating inherent risk is important when onboarding new vendors and making profiling, tiering and categorization decisions. Having a baseline inherent risk also makes it much easier to calculate any residual risk that remains after controls are applied.
Calculating inherent risk starts with gaining visibility into a vendor’s current and historical risk posture. It's important for this to extend beyond basic profiling questions. For instance, a complete inherent risk score should include operational, legal, regulatory, financial, and reputational data inputs. It should also incorporate additional vendor information supplied by internal stakeholders through questionnaires.
Once you calculate inherent risk for a specific vendor, you should also compare it to their highest possible score. In this case, that would be their score if they applied no controls at all. You can then leverage your VRM solution to gather remediation intelligence and collaborate to achieve acceptable levels of residual risk.
Here are some final tips for ensuring a successful vendor onboarding process:
Vendor onboarding doesn’t have to be a tedious exercise. With smart planning, categorization and tiering, you'll streamline future transactions, minimize risk, and build strong vendor relationships.