Establishing a Third-Party Vendor Onboarding Process
By: Venminder Experts on September 21 2021
One of the biggest challenges in establishing a good third-party risk management (TPRM) program is getting the assessment process adopted by the organization as part of new third-party vendor onboarding. This is likely because the process should truly begin with the individual lines of business or vendor owners, not with the TPRM managers who own and promote it.
Regardless, there are tried-and-true methods for ensuring all third-party vendors are vetted before a contract is signed, so that they’re selected with the utmost consideration for organizational security and strategic success.
The Goal of the Process
Establishing a third-party vendor vetting and onboarding process gives your organization the opportunity to make informed decisions on your vendor relationships. It’s a way to thoughtfully review all the facts, make sure the best vendor is being selected and incorporate any changes that may benefit your organization while you still have pre-contract leverage.
Establishing the Process
The best way to vet and onboard your third-party vendors is to establish a repeatable process. Begin by determining who the key players should be, then establish and document their respective responsibilities in a policy, standards or procedures document. You can then communicate the process throughout your organization to ensure it’s adequately adopted.
- Process Owners: If you have people dedicated to vendor management, then they’ll likely be the managers of this process. Line of business personnel who wish to establish the relationship (i.e., vendor or product owners) will be ultimately responsible for the vendor and all the associated risks, so they should typically be the ones driving and taking ownership of the process as well.
- Reviewers: In many cases, you’ll want to collaborate with other departments, such as information security, IT, business continuity, project management, compliance or legal and procurement. These subject matter experts (SMEs) often play a crucial role in the success of a TPRM program, especially as vendor relationships tie into processes and functions that they manage.
- Approvers: You’ll also need to consider what levels of approval are necessary to add on a new vendor. Should all contracts be reviewed by a particular role or management level? Is approval siloed within lines of business? Does a legal review have to happen every time? These steps and approvals should be considered when establishing your process.
- How are prospective vendors selected and requested? Perhaps there’s an existing vendor or product list that business units can refer to when they’re starting the vendor selection process. Sometimes this is accomplished by way of a “new vendor request form”.
- How will the process be controlled? Consider what approvals, deliverables and checkpoints are necessary to track and monitor the success of the process.
- Who determines the scope of vendors that must be formally vetted? Decide whether every request should go through a single vetting mechanism to determine applicability. This may be something that business units can determine themselves based on internal guidelines.
- Who must weigh into a vendor assessment and under what circumstances? You may need to include subject matter experts in areas such as information security, compliance, business continuity, finance or legal, so consider how and when they should get involved.
- Who has the approval authority for contract execution and/or acceptable due diligence? Consider who is ultimately permitted to approve new contracts and what the prerequisites are. If there are exceptions to this process, decide if they need to be formally documented.
- Establish the business need. Believe it or not, the vendor vetting process should begin with establishing a business need. In many cases, it may be prudent to refer to the existing vendor catalogue to see if a new vendor is even necessary, or if there is an existing service provider that can meet those needs.
- Shop around. New vendors should be thoughtfully selected. This is especially important when the prospective services are complex in nature. Sometimes, a request for proposal (RFP) can be used to compare notes on different vendors and facilitate the decision-making process.
- Determine inherent risk and criticality of the engagement. This is where you seek to understand and document the fundamental aspects of the relationship to understand the risk and criticality of what you’re looking for a vendor to provide. This assessment is a way to determine the level of vetting that needs to be conducted and can also tell you who internally should be part of the onboarding process, as they have stake in the proposed service.
- Conduct due diligence and determine residual risk. This is the process of collecting and reviewing information about the vendor to understand how they plan to handle the identified risks. It’s best to collaborate with identified stakeholders when determining residual risk, after considering the vendor’s controls.
- Establish contractual standards. Once the residual risks have been identified, try to incorporate any necessary added protections into the contract. Risk assessment and due diligence often offer valuable insight into how to best design service level agreements and metrics, breach notifications and business continuity requirements. If nothing else, these actions impose an obligation to clear up any existing discrepancies and allow for a continued right to audit.
- Decide on a vendor. You may already know which vendor can best meet your needs before reaching this step. However, if it’s a close race between two or a few, due diligence information and contract negotiations sometimes help make that final decision.
- Garner appropriate approvals. There could be multiple approvals necessary for one vendor onboarding process. This can include adequate review and approval by various SMEs or approval from risk professionals that an adequate risk assessment process has been completed. Legal approval that the proposed contract adequately protects your organization may also be required, and of course, final leadership approval for onboarding and execution of the contract.
*Pro Tip: Most leading TPRM regulators require board-level approval for new vendor engagements that will be significant or critical in nature.
- Document and sign. Once final approval has been granted, it’s time to execute the contract. Just remember that the contract isn’t the only valuable document to keep in your vendor database. Each significant step should be cataloged in some way, such as the initial request form, the completed risk assessment and recorded rating, the assessment actions, steps, timing and results, and the approval process with its associated dates. These are the documented controls of your process and should be collected and safely stored.
Once the contract is signed, third-party risk management is not over. Be sure to follow through on open items, continue to monitor the vendor relationship and keep the appropriate stakeholders in the loop, especially as they may align with any projects, implementation, access management, etc.
As we often say, the best way for YOUR organization to establish a vendor vetting and onboarding process is contingent on the structure and resources unique to your organization. But these foundations, along with some top-down strategic guidance, are a recipe for success. This is a tried-and-true process that helps your organization consolidate resources; assess, communicate and mitigate risks; collaborate with the necessary stakeholders; and thoughtfully establish new relationships. For some, this process will prove to be a true strategic advantage.