
Vendor Onboarding for Risk Management: 3 Critical Decisions

Vendor onboarding is the first step in the vendor risk management lifecycle. In this post, we'll examine three important decisions that can make or break this critical process.
Scott Lang
VP, Product Marketing
August 17, 2020

Vendor onboarding is the process of gathering the information and documentation needed to set up a company as an approved vendor. It's also a critical first step in the vendor risk management lifecycle. While the process usually starts with procurement, it can also involve representatives from accounts payable, finance, supplier management and other departments.

This post reviews the key decisions to make when onboarding vendors, including:

  • What is the right mechanism for onboarding vendors?
  • What factors should you consider in making vendor tiering decisions?
  • How will you collect information to assess the inherent risks presented by a vendor?

Why Is Having a Formal Vendor Onboarding Process Important?

Having a well-defined vendor onboarding workflow can help your organization formalize supplier relationships, evaluate new vendors based on quantitative risk metrics, and conduct due diligence on vendors' business practices. A formalized vendor onboarding process can dramatically reduce the risk of a major disruption in your supply chain or a data breach.

Many organizations choose to use vendor risk management software to automate workflows around onboarding new suppliers. For example, TPRM software can help identify data breaches, financial risks, and questionable business relationships that potential vendors might have. Modern slavery, data breaches, and other ethical and reputation risks continue to grow year over year and pose a substantial risk to organizations with large supply chains.

1. Select a Method for Vendor Onboarding

One major goal of onboarding is to centralize vendor data so that it can be accessed by key internal stakeholders. The process typically starts with a manual or bulk upload into your vendor risk management solution. You should be able to import data from existing vendor management or procurement solutions via spreadsheets, API connections or other integrations. Also, be sure that your VRM solution will enable specific teams or employees to populate vendor profiles via role-based access.

2. Define Vendor Profiling and Tiering Criteria

You can use any criteria to categorize vendors, such as annual spend, inherent risk, service importance, or sensitivity of data access. It's also important to consider the regulatory environment in which you operate. For instance, if GDPR compliance is important, then you may want to categorize vendors based on their access to your customers' personal data.

A typical vendor categorization process follows this logic:

  1. Identify the type of content required to inform controls reporting (e.g., GDPR, CCPA, etc.)
  2. Determine importance to business performance: Is the vendor highly critical to operations?
  3. Ascertain supplier location: Does the vendor’s location raise any legal or regulatory obligations? Is there too much concentration risk?
  4. Determine if the supplier relies on fourth parties to deliver their services.

It’s also important to understand how a supplier's delivery or performance failure could impact your business. You should therefore leverage a scoring system that accounts for supplier tiering. This could include the following criteria:

  • Operational or client-facing processes
  • Interaction with personal data
  • Financial status and implications
  • Legal and regulatory obligations
  • Industry reputation


3. Calculate Inherent Risk

To understand the risk a vendor poses to your organization, you need to be able to calculate their inherent risk. Inherent risk is the current risk level given the existing controls (or lack of them) for a vendor.

Calculating inherent risk is important when onboarding new vendors and making profiling, tiering and categorization decisions. Having a baseline inherent risk also makes it much easier to calculate any residual risk that remains after controls are applied.

Calculating inherent risk starts with gaining visibility into a vendor’s current and historical risk posture. It's important for this to extend beyond basic profiling questions. For instance, a complete inherent risk score should include operational, legal, regulatory, financial, and reputational data inputs. It should also incorporate additional vendor information supplied by internal stakeholders through questionnaires.

Once you calculate inherent risk for a specific vendor, you should also compare it to their highest possible score. In this case, that would be their score if they applied no controls at all. You can then leverage your VRM solution to gather remediation intelligence and collaborate to achieve acceptable levels of residual risk.
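To make the tiering criteria and the inherent-risk comparison above concrete, here is a small Python scoring model. It is an added illustration, not Prevalent's code or scoring methodology: the six criteria are taken from the tiering list in this post, but the weights, the 0–5 rating scale, the tier thresholds, the "unanswered item counts as maximum" rule, the control-effectiveness factor used for residual risk, and the two sample vendors are all constructed assumptions.

```python
"""Vendor tiering and inherent-risk scoring (illustrative model, assumptions labelled)."""
from dataclasses import dataclass, field
from typing import Dict

# Criteria drawn from the tiering section of the post. Weights are an assumption
# for illustration; a real program would set them from its own risk appetite.
CRITERIA_WEIGHTS: Dict[str, int] = {
    "operational_criticality": 3,   # operational or client-facing processes
    "personal_data_access": 3,      # interaction with personal data
    "financial_exposure": 2,        # financial status and implications
    "legal_regulatory": 2,          # legal and regulatory obligations
    "fourth_party_reliance": 1,     # supplier relies on fourth parties
    "industry_reputation": 1,       # industry reputation
}
MAX_RATING = 5  # assumed scale: each criterion is rated 0 (none) .. 5 (severe)

# Assumed tier cut-offs on the normalized score (0.0 .. 1.0), checked top-down.
TIER_THRESHOLDS = [
    (0.70, "Tier 1 (critical)"),
    (0.40, "Tier 2 (important)"),
    (0.00, "Tier 3 (low)"),
]


@dataclass
class VendorProfile:
    name: str
    ratings: Dict[str, int] = field(default_factory=dict)
    # Fraction (0..1) of inherent risk that evidenced controls are judged to offset.
    control_effectiveness: float = 0.0


def max_possible_score() -> int:
    """Highest possible inherent score: every criterion rated at MAX_RATING."""
    return sum(CRITERIA_WEIGHTS.values()) * MAX_RATING


def inherent_score(ratings: Dict[str, int]) -> int:
    """Weighted sum of criterion ratings.

    Unanswered criteria are scored at MAX_RATING so that a half-completed
    questionnaire never understates risk (assumed, conservative rule).
    """
    for criterion, rating in ratings.items():
        if criterion not in CRITERIA_WEIGHTS:
            raise KeyError(f"unknown criterion: {criterion}")
        if not 0 <= rating <= MAX_RATING:
            raise ValueError(f"rating for {criterion} out of range: {rating}")
    return sum(
        weight * ratings.get(criterion, MAX_RATING)
        for criterion, weight in CRITERIA_WEIGHTS.items()
    )


def normalized_inherent(ratings: Dict[str, int]) -> float:
    """Inherent score as a fraction of the highest possible score."""
    return inherent_score(ratings) / max_possible_score()


def assign_tier(normalized: float) -> str:
    for threshold, tier in TIER_THRESHOLDS:
        if normalized >= threshold:
            return tier
    return TIER_THRESHOLDS[-1][1]


def residual_score(ratings: Dict[str, int], control_effectiveness: float) -> float:
    """Residual risk remaining after controls (assumed linear offset model)."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return inherent_score(ratings) * (1.0 - control_effectiveness)


def assess(vendor: VendorProfile) -> dict:
    """Full onboarding assessment record for one vendor."""
    norm = normalized_inherent(vendor.ratings)
    return {
        "vendor": vendor.name,
        "inherent": inherent_score(vendor.ratings),
        "max_possible": max_possible_score(),
        "normalized": round(norm, 3),
        "tier": assign_tier(norm),
        "residual": residual_score(vendor.ratings, vendor.control_effectiveness),
    }


# Constructed sample vendors (not real companies).
PAYROLL_SAAS = VendorProfile(
    "Payroll SaaS (constructed)",
    ratings={"operational_criticality": 5, "personal_data_access": 5,
             "financial_exposure": 5, "legal_regulatory": 5,
             "fourth_party_reliance": 3, "industry_reputation": 2},
    control_effectiveness=0.6,
)
CATERING = VendorProfile(
    "Office catering (constructed)",
    ratings={"operational_criticality": 1, "personal_data_access": 0,
             "financial_exposure": 1, "legal_regulatory": 0,
             "fourth_party_reliance": 1, "industry_reputation": 1},
)

if __name__ == "__main__":
    for vendor in (PAYROLL_SAAS, CATERING):
        print(assess(vendor))
```

The design choice worth noting is the conservative default: a criterion the responder has not answered is scored at the maximum, so an incomplete profiling questionnaire pushes a vendor up a tier rather than down, and the gap shows up as a remediation item rather than a silent under-assessment.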

Mitigate Unacceptable Vendor Risks

In some cases you might find that the level of risk a vendor poses to your organization is unacceptable. For instance, vendor compliance may be lacking for key requirements that affect your organization, or a vendor may have poor data management practices. If the contract is large enough, it may make sense to request that the vendor achieve a third-party information security accreditation such as SOC 2 or ISO 27001. In other cases you may need to rethink the relationship, or ensure that the vendor only accesses non-sensitive data.

Vendor Onboarding Best Practices

Here are some final tips for ensuring a successful vendor onboarding process:

  • Start small, scale up: Initial assessments will be a learning experience. Start by issuing onboarding surveys for a small number of vendors and scale as your team becomes acclimated to the process.
  • Set realistic timeframes: Each survey needs to be completed by a human being! Be sure to estimate how many surveys each responder can manage at once when scheduling profiling and tiering.
  • Create a formal approval process: There should be a documented, formal approval process for onboarding new vendors. Consider including standard templates for payment terms, invoicing, and information security standards as part of the supplier onboarding process.
  • Provide support documents: Create an FAQ to proactively address questions and share best practices with responders.
  • Plan communication: Create a communications plan to encourage participation and progress. This may include identifying objectives, conveying the value of assessments, and providing a list of escalation contacts.

Vendor onboarding doesn’t have to be a tedious exercise. With smart planning, categorization and tiering, you'll streamline future transactions, minimize risk, and build strong vendor relationships.

Learn about our proven, 5-step approach to vendor risk management in our best practices guide, or request a demonstration today.

Scott Lang
VP, Product Marketing
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.