The Vendor Onboarding Process: Keys to Success

Conduct Onboarding Due Diligence to Measure Inherent Risk

Once the contract is signed with a selected vendor, you will hopefully have built an initial risk profile from data gathered during the RFx and contract lifecycle management steps. Before providing them access to your systems, physical locations and/or data, you’ll want to conduct a deeper level of due diligence and determine their level of inherent risk.

Put simply, an inherent risk is one that exists prior to the application of controls. You can evaluate inherent risk through a combination of publicly available risk intelligence and internally completed risk assessment questionnaires.

Check Public-Facing Risk Data

Conduct a quick health check during vendor onboarding to flag any externally observable risks that may have been missed during the sourcing and selection process. At this stage, it’s important to consider several risk vectors, including cyber, business, financial and reputational risk. For instance:

• Does the vendor have a history of data breaches or compliance violations? If so, has the vendor disclosed remediation steps they have taken to prevent future problems?

• What is the vendor's reputation in their market? Do they pose a reputational risk to your organization due to poor environmental practices, and other ESG supply chain risks such as modern slavery and bribery?

• What is the vendor's financial posture? Do they have unacceptable levels of debt or cash flow problems that could result in a sudden inability to deliver against contract terms?

• Who are the key executives? Is there a great deal of turnover in business leadership or other reasons to be concerned about internal business operations?

For a fast and simple health check, consider subscribing to a vendor risk intelligence network, which provides access to an on-demand library of thousands of vendor risk reports that are updated and backed by supporting evidence. Or, for an even deeper, more customizable look at a vendor’s public risk profile, consider using a continuous vendor risk monitoring solution as part of your broader third-party risk management program.

Tier and Categorize Vendors with an Inherent Risk Assessment

Tiering and categorization will help you determine the scope and frequency of risk assessments and monitoring activities required for each third party throughout the course of the business relationship. Companies with a high potential risk need to be monitored more carefully and assessed more frequently than those occupying a lower tier. This is where questionnaire-based inherent risk assessments come in. Assessments enable you to gather information from vendors about their IT security controls, incident response procedures, business resilience practices, and other means of protecting your organization’s data and/or supply chain.

A vendor or supplier’s classification can be based on their level of importance to your business (e.g., annual spend), their profiled risk (e.g., access to sensitive data, concentration risk, etc.), their inherent risk (risk level prior to remediation), or a combination of these factors.

It's also important to consider the regulatory environment in which you operate. For instance, if GDPR compliance is important, then you may want to categorize vendors based on their access to your customers’ personal data.

A typical vendor categorization process follows this logic:

1. Identify the type of content required to inform controls reporting (e.g., GDPR, CCPA, etc.)
2. Determine importance to business performance: Is the vendor highly critical to operations?
3. Ascertain supplier location: Does the vendor’s location raise any legal or regulatory obligations? Is there too much concentration risk?
4. Determine if the vendor relies on fourth parties to deliver their services.

It’s also important to understand how a supplier's delivery or performance failure could impact your business. You should therefore leverage a scoring system that accounts for supplier tiering. This could include the following criteria:

• Operational or client-facing processes

• Interaction with personal data

• Financial status and implications

• Legal and regulatory obligations

• Industry reputation

Mitigate Unacceptable Risks Prior to Final Onboarding

At this stage, you should have clarity into each new vendor’s levels of profiled and inherent risk. You now need to work with them to remediate or mitigate any risks that fall outside of your organization’s risk tolerance threshold. In addition to internal third-party risk policies, your organization may have compliance or regulatory obligations to mandate, assess, and/or monitor third-party security controls.

A third-party risk management platform that offers remediation guidance plus workflow and task management capabilities can help to automate and speed the remediation process. As a result, your organization will get a fast time to value from vendor solutions, while minimizing the risk of data breaches, supply chain issues, and other business disruptions.

Of course, it is impossible to eliminate 100% of third-party risks. Any remaining risk after security controls and other remediations are applied is considered residual risk. In some cases, a vendor’s level of residual risk may be greater than your organization can tolerate. If the costs are too high to bring the vendor to an acceptable level of residual risk, or if the vendor simply refuses to implement required controls, then you may need to walk away from the contract.

Tips for Vendor Onboarding

By applying the best practices outlined above, your organization can significantly reduce third-party risk from the earliest stages of the vendor lifecycle. Here are some final, practical tips to consider when creating a risk-aware vendor onboarding process:

• Start small, scale up: Start by assessing a small number of high-priority vendors and scale as your team becomes acclimated to the process.

• Set realistic timeframes: Vendors are humans, too, so be sure to set achievable deadlines for completing questionnaires and responding to assessment surveys.

• Establish an approval process: There should be a documented approval process for onboarding new vendors. Consider including standard templates for payment terms, invoicing, and information security standards as part of the supplier onboarding process.

• Provide support resources: Create an FAQ to proactively address questions and share best practices with responders.

• Plan communication: Create a communications plan to encourage participation and progress. This may include identifying objectives, conveying the value of assessments, and providing a list of escalation contacts.

Continue to Reduce Third-Party Risk After Onboarding

It's no secret that new threats are constantly emerging and evolving, so risk management needs to continue through every stage of the vendor risk lifecycle. Here are some steps you can take to reduce risk throughout the life of the contract:

• Mandate that vendors undergo an audit to certify compliance with SOC 2, NIST CSF, or another cybersecurity framework. By meeting framework requirements, vendors may also meet mandated compliance requirements by default.

• Issue vendor risk assessments on a regular basis (e.g., annually) to identify changes in third-party security controls and/or address new compliance requirements.

• Follow third-party monitoring protocols and correlate intelligence on real-world risk events and incidents against what is reported in vendor assessments.

• Require additional routine disclosures of financial statements and other business information to get ahead of potential disruptions throughout the.

• Include information security provisions in the SLA and other contract languages to add an additional level of liability protection for your organization.

• Follow an approval process for scope changes to contracts for high-risk vendors.

Next Steps: Automate Your Vendor Onboarding Process

Vendor onboarding doesn’t have to be a tedious exercise. With smart planning and an automated onboarding solution, you can achieve a faster ROI from new vendors and suppliers, reduce your organization’s exposure to third-party risk, and build stronger business partnerships.

Learn about onboarding in our best practices guide, The Vendor Onboarding Due Diligence Guide, or request a demonstration of our solution today.