Third-Party Vendor Onboarding: 5 Best Practices and Practical Solutions
Sourcing, procurement, and third-party risk teams want to get tools into employees’ hands quickly, but onboarding new third parties, vendors, or suppliers can be a time-consuming and repetitive process – one that’s ripe for automation. However, while third parties, vendors, and suppliers help enable productivity, they can also expose businesses to unnecessary risks, especially if tools are implemented without conducting due diligence or assessments to help confirm that adequate security safeguards are in place.
And as organizations often rely on hundreds or even thousands of vendors, third-party risk management becomes a critical business initiative. Yet, those with limited resources and demanding end users are under pressure to deliver new technology while maintaining security, compliance, and privacy. To accomplish this, businesses today must work smarter to find ways to streamline manual processes that slow down the vendor onboarding process.
Here are 5 tips and tactics for faster and more secure vendor onboarding:
Identify and Organize Third Parties at Scale During Vendor Onboarding
Problem: Identifying and organizing vendors during onboarding has historically been a reactive and disorganized process. Oftentimes, business users implement applications without doing the appropriate security, privacy, and compliance assessments to evaluate risk.
Solution: Vendor risk and procurement professionals can enable business users to do their jobs more effectively by leveraging:
1) Self-Service Portals: Whether it’s a simple form or part of a more robust platform, configure a threshold assessment that lets business users start the onboarding process on their own. The answers to this assessment can inform your vendor risk assessment level: does the vendor require an onsite audit, or is a SOC 2 report sufficient? Use a self-service portal to help your team understand the inherent risk of the vendor and categorize it, so that the risk assessment decision is made faster.
2) Integrations: Automation enables you to get out of the way without hampering security or hindering productivity. By integrating with existing workflows and technologies, such as procurement or contract systems, your team can build a central, accurate inventory for vendor reviews and monitoring without relying on manual back-and-forth.
Too Much Time Spent Researching Vendors
Problem: Third-party risk and procurement teams can spend hours researching vendors during onboarding, including reviewing privacy policies, security programs, certifications, stock price and financial viability, and performance track records.
Solution: What if that information were available at the click of a button? Leverage a Global Risk Exchange that remains up to date and houses critical risk information about each vendor. At the vendor level this information is helpful, but drilling down to understand the risks of each product or service is where an exchange provides game-changing value.
Exchanges aggregate risk information from public and private sources, giving you a quick snapshot of the vendor’s risk posture. Additionally, some exchanges house pre-completed risk assessments using industry standard frameworks such as the CSA CAIQ, SIG Lite, and more.
Disorganized Vendor Onboarding Processes Across Stakeholders
Problem: Vendor onboarding processes are ad hoc and involve many different stakeholders, each with their own priorities.
Solution: Streamline and automate processes with consistent workflows to enable collaboration across business units and stakeholders, using:
1) Dynamic Workflows: Implement a systematic workflow that can automate tasks including reminders, escalations, and ownership. Basic onboarding workflows in practice often include automated task assignment throughout the following stages: New Vendor > Under Evaluation > In Review > Live.
2) Dynamic Assessments: Not all vendors are created equal. Many organizations send dynamic assessments to vendors that adapt based on the way the vendor answers. This helps streamline questionnaire completion for vendors that pose little risk.
3) Managed Services: Some organizations offload the assessment process altogether. Reduce time spent chasing vendors by utilizing an outsourced team solely dedicated to completing vendor assessments.
Risk Treatment Lacks Consistency Across Teams and Individuals
Problem: Identifying, categorizing, and mitigating vendor-related risks across teams and individuals is a fragmented and oftentimes inconsistent process.
Solution: Standardize how risk is evaluated and leverage a tool that handles the risk lifecycle from identification to mitigation throughout the vendor onboarding process.
1) Risk Categorization: Agree upon your internal risk appetite and use it to assign vendors to categories based on the risk they pose.
2) Control Identification: Utilize assessments with built-in intelligence to identify controls or lack thereof. Many organizations rely on NIST, Shared Assessments, or Cloud Security Alliance controls in combination with their own custom controls.
3) Risk Workflows: As with the onboarding workflow, risks should have workflows of their own. Configuring workflows in advance makes mitigation faster and more systematic, and makes auditing and reporting simpler. Basic risk lifecycles often involve the following phases: Identified > Evaluation > Treatment > Monitoring.
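The threshold assessment, risk categorization, dynamic assessment, and staged onboarding workflow described above fit together into one small decision model. The following is an added illustration, not code from this page or from OneTrust Vendorpedia: the question ids, answer weights, tier bands, evidence names, and questionnaire section names are all constructed assumptions standing in for values an organization would derive from its own agreed risk appetite.

```python
"""Inherent-risk tiering driven by a self-service threshold assessment.

Added example; not OneTrust Vendorpedia code. All question ids, weights,
tier bands and evidence requirements below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Threshold questions a business user answers in the self-service portal,
# with the inherent-risk points each answer contributes (constructed values).
THRESHOLD_QUESTIONS = {
    "data_classification": {"none": 0, "internal": 2, "confidential": 5, "regulated": 8},
    "integration": {"none": 0, "file_exchange": 2, "api": 4, "network_access": 6},
    "business_criticality": {"low": 0, "medium": 2, "high": 5},
    "hosting": {"on_prem": 0, "vendor_cloud": 2, "fourth_party_cloud": 3},
}

# Score bands expressing the agreed internal risk appetite (constructed).
TIER_BANDS = [(0, 5, "low"), (6, 12, "medium"), (13, 99, "high")]

# Evidence each tier must supply before the vendor may go Live (constructed).
REQUIRED_EVIDENCE = {
    "low": {"self_attestation"},
    "medium": {"soc2_type2_report"},
    "high": {"soc2_type2_report", "full_questionnaire", "onsite_audit"},
}

# Onboarding stages named in the article.
STAGES = ["New Vendor", "Under Evaluation", "In Review", "Live"]


def inherent_risk_score(answers):
    """Sum the points for every threshold answer; reject missing or unknown answers."""
    score = 0
    for question, options in THRESHOLD_QUESTIONS.items():
        if question not in answers:
            raise ValueError(f"missing threshold answer: {question}")
        if answers[question] not in options:
            raise ValueError(f"invalid answer {answers[question]!r} for {question}")
        score += options[answers[question]]
    return score


def tier_for(score):
    """Map a score onto the risk tier whose band contains it."""
    for low, high, tier in TIER_BANDS:
        if low <= score <= high:
            return tier
    raise ValueError(f"score {score} falls outside the configured bands")


def questionnaire_sections(answers, tier):
    """Dynamic assessment: send only the sections the threshold answers make relevant."""
    sections = ["company_profile"]
    if answers["data_classification"] != "none":
        sections.append("data_protection")
    if answers["data_classification"] == "regulated":
        sections.append("regulatory_compliance")
    if answers["integration"] in ("api", "network_access"):
        sections.append("application_security")
    if answers["hosting"] == "fourth_party_cloud":
        sections.append("subprocessors")
    if tier == "high":
        sections.append("business_continuity")
    return sections


@dataclass
class VendorOnboarding:
    """One vendor moving through New Vendor > Under Evaluation > In Review > Live."""
    name: str
    answers: dict
    evidence: set = field(default_factory=set)
    stage: str = "New Vendor"

    @property
    def tier(self):
        return tier_for(inherent_risk_score(self.answers))

    def missing_evidence(self):
        return REQUIRED_EVIDENCE[self.tier] - self.evidence

    def advance(self):
        """Move to the next stage; the Live stage is gated on the tier's evidence."""
        if self.stage == STAGES[-1]:
            raise ValueError(f"{self.name} is already Live")
        nxt = STAGES[STAGES.index(self.stage) + 1]
        if nxt == "Live" and self.missing_evidence():
            raise PermissionError(
                f"{self.name}: cannot go Live, missing {sorted(self.missing_evidence())}")
        self.stage = nxt
        return self.stage


if __name__ == "__main__":
    # Constructed sample vendors, not real ones.
    saas = VendorOnboarding("Example SaaS (constructed)", {
        "data_classification": "regulated", "integration": "api",
        "business_criticality": "high", "hosting": "fourth_party_cloud"})
    print(saas.tier, questionnaire_sections(saas.answers, saas.tier))
    print("missing before Live:", sorted(saas.missing_evidence()))
```

The gate in `advance()` is the point a practitioner cares about: a vendor whose threshold answers place it in the high tier cannot reach Live on a self-attestation alone, while a low-tier vendor is not held up waiting for an onsite audit it does not need.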
Lack of Automated Recordkeeping and Analytics
Problem: Disjointed spreadsheets make undergoing an audit a nightmare and make vendor risk and performance reporting nearly impossible.
Solution: Leverage a solution that automates the recordkeeping process when conducting assessments, mitigating risks, and monitoring vendor changes. This automation is critical. When undergoing an audit, it’s the manual processes, not the automated ones, that are often most scrutinized.
Lastly, by centralizing all this information across all vendors you open the door for powerful analytics. In practice, customers use dashboards to highlight vendors by risk level; vendor assessment statuses; vendors with expiring contracts; vendors that are failing to meet SLAs; and many other key performance indicators (KPIs).
There are many challenges when it comes to onboarding vendors and managing third-party risk. In working with more than 4,000 customers, OneTrust Vendorpedia has developed a tool purpose-built to simplify and automate complex vendor management challenges such as the ones mentioned above.