How to Onboard a New Vendor


Developing the right vendor onboarding process is a crucial step in effective vendor risk management (VRM). The onboarding stage of the VRM lifecycle consists of three key phases – planning & risk assessment, due diligence, and contracting. This vendor onboarding process will set the foundation for the entire vendor relationship and ensure you’ve properly identified and assessed the risks that need to be managed. 

This blog will provide some background on the vendor onboarding process and the 8 steps to onboard a new vendor. 

What Is Vendor Onboarding? 

Vendor onboarding is the process of bringing a new vendor into your organization. This requires careful planning and consideration for a successful start to the relationship. The vendor onboarding process contains several strategic activities performed by different stakeholders. 

The vendor onboarding process should answer the following questions: 

  • Why do we need this vendor’s product/service? Your organization should justify the need for a new vendor relationship to avoid any redundancies that may occur. An existing vendor in your inventory may be able to provide the product or service needed, in which case you wouldn’t need to source a new vendor.
  • Is there more than one vendor that can fulfill this need? Once you’ve confirmed the need for a new vendor, consider whether there are any alternatives in the market. If this product or service is only available through one vendor, this should be identified as a single point of failure (SPOF). Determine any due diligence requirements, monitoring, or management to identify and mitigate the vendor’s risks. In general, this means reviewing the vendor’s financial health and business continuity/disaster recovery plans and tests with the highest scrutiny. Depending on the product or service, you may need to establish more frequent risk and performance monitoring.
  • What’s our exit strategy for ending the vendor relationship? An exit strategy is a plan of action to take when the vendor relationship comes to an end, either because you choose not to renew the contract or terminate the contract prematurely. Deciding on an exit strategy during the vendor onboarding process can help prevent hasty and potentially risky decision-making down the line. If you’re facing unexpected circumstances like a breach of contract or vendor bankruptcy, having an exit strategy means you won’t have the added pressure of deciding how to leave the relationship at that moment.
  • What types and amounts of inherent risks are present in the product/service? Identifying the types and amounts of inherent risk in your vendor relationship will bring efficiency to subsequent VRM activities like due diligence and contracting. Lower-risk vendors, such as your landscaping company or an office supply provider, won’t need to be vetted or managed to the same extent as a vendor with high cybersecurity risk that stores your customers’ sensitive data.
  • Does the vendor have sufficient risk management and controls in place? Due diligence helps determine whether the vendor’s risk management practices and controls will meet your needs and mitigate known risks. Collecting and reviewing documentation like the vendor’s SOC report, financial statements, and security testing results can validate that you’re onboarding a vendor in good standing. This process must be completed before you sign the contract with your vendor and then periodically after.
  • How will we mitigate the vendor’s risks? Onboarding a new vendor should involve developing an appropriate risk mitigation strategy, which may include preventative or detective controls. For example, suppose your due diligence process reveals that your vendor has a business continuity plan but hasn’t tested it within the past 5 years. You might decide to mitigate this risk by requiring your vendor to retest the plan before signing the contract and implementing a right to audit in the contract so you can review testing results upon request.
  • What provisions do we need to include in the vendor contract? The contracting phase of the vendor onboarding process will document the necessary contract provisions and communicate the expectations of both parties. Key contract provisions can help avoid any future misunderstandings or disputes about your organization’s rights and your vendor’s responsibilities.
  • How will we monitor the vendor’s risk and performance? During the onboarding stage, you should identify the activities and routines to carry out during the ongoing lifecycle stage. This is the time to establish a schedule for re-assessing risks, conducting periodic due diligence, and developing a strategy for monitoring both risk and performance. These activities should be set up during the onboarding process to ensure there’s a clear plan for managing the vendor relationship.

8 Steps in the Vendor Onboarding Process

Planning & risk assessment, due diligence, and contracting are the three main activities in the vendor onboarding process. These can be broken down into the following 8 steps: 

  1. Confirm key details. Your organization should articulate the need for the vendor and appoint a vendor owner to manage the relationship. Additionally, decide on the process for selecting and approving the vendor, especially if there are multiple acceptable options. This is a crucial initial step in the vendor onboarding process that can prevent delays and clarify your organization’s goals for the relationship.
  2. Identify an exit strategy. Identify a plan of action for what to do if the vendor relationship comes to an end. This is typically completed during the planning phase of the vendor onboarding process. There are four common exit strategies to consider:
    • Replace the vendor with an alternate – Consider keeping the contact information of your second-choice vendor in case you want to use them as an alternate.
    • Bring the activity in-house – This may be a viable solution if your organization has the resources and skills to absorb the activity.
    • Discontinue the activity – This option must be carefully validated and tested to determine how it will impact your operations, customers, and finances.
    • Combine the three methods – Some activities may be complex enough that one component could be outsourced to a new vendor while another component is brought in-house or discontinued.
  3. Conduct an inherent risk assessment. It's important to identify the inherent risks associated with the vendor relationship through a risk assessment, which should be conducted internally. This helps scope the level of due diligence required and determines the level of ongoing monitoring needed for the relationship. Inherent risks exist in every vendor's product or service and encompass common risk types such as strategic, operational, compliance, cybersecurity, financial, and reputational. After completing the risk assessment, you should assign a risk rating to the vendor, usually measured on a scale of low, moderate, or high.
  4. Determine vendor criticality. All vendors should be classified as critical or non-critical to your operations. This is separate from the risk rating and instead determines the impact a vendor would have on your organization’s operations. If the answer is “yes” to any of the following three questions, that vendor would typically be considered critical:
    • Would a sudden loss of this vendor cause a disruption to our organization?
    • Would that disruption impact our customers?
    • If the time for the vendor to recover operations exceeded 24 hours, would there be a negative impact on our organization?
  5. Confirm your cadence for ongoing activities. Once you confirm the vendor’s inherent risk rating and criticality, choose a cadence for risk re-assessments and periodic due diligence. These activities are recurring and should be performed after the contract is signed. Using automated alerts can remind you when to complete these activities based on this suggested cadence:
    • Critical and high risk – At least annually, or more frequently if the vendor has issues like security incidents or poor performance.
    • Moderate risk – Every 18 to 24 months, depending on the product or service.
    • Low risk – Every 3 years, or before contract renewal.
  6. Collect due diligence. During the vendor onboarding process, due diligence is a critical step. This involves evaluating the credibility and standing of the vendor and determining if they have appropriate risk management practices and controls in place. It includes gathering and examining vendor information from various sources such as vendor risk questionnaires, vendor documentation, and independent research. 

    The extent of due diligence required should be determined by the vendor's level of risk and criticality. For high-risk or critical vendors, review documents like SOC reports and cybersecurity policies. For non-critical, low-risk vendors, a basic review before contract execution and at renewal is enough to confirm they’re a legitimate business with a good reputation.

    Basic due diligence for all vendors includes:
    • Mutual nondisclosure agreement (MNDA) or confidentiality agreements
    • Basic information (i.e., full legal name, address, all physical locations, website URL)
    • Ownership structure and affiliated companies
    • Tax ID
    • State of incorporation
    • Articles of incorporation
    • Secretary of State check
    • Business license
    • Certificate of good standing
    • Credit report
    • OFAC/PEP checks
    • Any “doing business as” or “also/previously known as” (d/b/a, aka, pka)
    • Dun & Bradstreet (D&B) report
    • Vendor complaints research findings
    • Vendor negative news search findings
    • List of subcontractors/fourth parties
    • Picture or Google map view of facility (if required)
    • CFPB Complaint Database check and/or Better Business Bureau rating
  7. Obtain subject matter expert (SME) reviews. When onboarding a vendor, documented risk control reviews should be conducted by qualified SMEs. These reviews should consider vendor-provided information and due diligence documents, such as financial statements, security testing results, and business continuity plans. The SMEs should be experienced enough to properly interpret the information and provide qualified opinions on whether the vendor relationship can proceed safely. Documented reviews should also outline issue remediation strategies to be implemented before or after the contract is signed.
  8. Negotiate and sign the vendor contract. The last step of the vendor onboarding process involves negotiating and finalizing the contract. A well-crafted contract is crucial for safeguarding your organization during the partnership. If you haven't already, take the time to consider the provisions you want to include, like data breach notifications and the right to audit, to avoid a lengthy negotiation process. While it's important not to rush the contracting process, deciding on key provisions for your critical and high-risk contracts in advance can help streamline it.

Tips For a Successful Vendor Onboarding Process

Depending on the maturity of your VRM program, your vendor onboarding process might be simple with a series of ad-hoc steps or highly developed with clear and consistent phases. Here are three tips to help develop or maintain a successful vendor onboarding process: 

  • Document the process. A vendor onboarding process that’s formally documented and standardized can ensure consistency across the vendor inventory. This can prevent costly errors, such as duplicate products or services and poor contract execution. Whether you’re onboarding a new vendor for marketing, information security, or operations, the process will be consistent for each one.  
  • Organize and properly store your documents. Inherent risk assessments, vendor questionnaires, due diligence documents, and contracts should all be organized in a centralized location that’s easily accessible to stakeholders. Taking the time to organize your documents during onboarding is a valuable habit that will benefit other activities in the VRM lifecycle. 
  • Create efficiencies. Look for opportunities to automate tasks or create more efficiencies in your onboarding process. Consider using a VRM platform or solution that can generate risk ratings based on your criteria or automate due diligence requirements based on regulatory expectations. Efficiencies and automation can be an effective way to create a more successful onboarding process.

Your vendor onboarding process may entail additional activities, requirements, or approvals to align with your organization's policies. However, the steps outlined here should be included in your organization’s processes to establish a robust foundation for your vendor relationships. Understanding the purpose of vendor onboarding and incorporating these steps and tips into your process can pave the way for successful vendor partnerships and better outcomes for your organization.
