How an Industry Leading Quick Service Restaurant Brand Speeds up Third-Party Risk Management with OneTrust Vendorpedia
Brewing Up the Need for Third-Party Risk Management Technology
Speed is the essence of this industry-leading quick service restaurant (QSR) brand, and in order to deliver for customers in the quickest but most effective way possible, the company relies on third-party vendors, suppliers and business partners to support operations.
As with any organization that works with third parties, this opens the company up to risk. If a third party is handling data like personally identifiable information (PII) or payment card information (PCI), it’s imperative that we assess and continually monitor the security and privacy posture of this business partner to ensure they are respecting the sensitivity of our information.
With more than 500 vendors on the corporate side of the organization, the QSR brand’s enterprise risk management team faced challenges in ensuring the correct internal stakeholders are not only involved in the initial vendor assessment and onboarding process, but also throughout annual reassessments and offboarding. To better understand where their third-party risk gaps are, the team interviewed internal business units to see how they manage their vendor relationships.
“We found that each business unit was using a different version of a vendor management tracking mechanism like an Excel spreadsheet,” said an IT Risk and Compliance Analyst at the company. “The manual aspect of using a spreadsheet combined with the time-consuming nature of vendor risk assessments was ultimately pulling our employees away from their immediate priorities.”
After interviewing the privacy and information security teams, the enterprise risk management team recognized the need for a flexible technology solution with added automation to account for various regulations, standards, and frameworks.
Our Privacy Team mentioned they use OneTrust Privacy Management Software for Data Mapping and Assessment Automation and that, while these solutions can support third-party risk management, the company also has a dedicated third-party risk platform. After demoing the platform and realizing we would be able to link across multiple different OneTrust modules for a variety of privacy, security and trust operations, we realized OneTrust Vendorpedia™ was the perfect fit.
Third-Party Risk Management Fueled by Vendorpedia
By implementing the OneTrust Vendorpedia third-party risk management platform, this QSR brand streamlined what once was a relatively decentralized assessment and due diligence process.
Time is of the essence in business, and by using Vendorpedia we are focusing our efforts on the most critical pieces and higher risk areas while still completing all the necessary due diligence and risk mitigation steps to confidently demonstrate regulatory compliance.
The company created a customized vendor validation assessment for business stakeholders with Vendorpedia, gathering a complete and up-to-date inventory of all the vendors the business currently uses or has previously used. This assessment is automatically sent to all business owners in the company via Vendorpedia to gather key data points, such as whether a vendor holds PII or PCI data. The enterprise risk management team then risk-ranks each vendor from tier one to tier four based on regulatory and compliance requirements.
Once their existing vendors have been appropriately risk-ranked, the QSR brand leverages the SIG (Standardized Information Gathering) questionnaire for critical and high-risk vendors and the SIG Lite for low- to medium-risk vendors, both of which are preloaded in the Vendorpedia platform and distributed via assessment automation.
“We like that Vendorpedia can track our vendors in one place and source information from each vendor on a periodic basis,” said the Manager of Risk Management.
The QSR brand is currently using a customer relationship management (CRM) solution for their vendor contracts; however, it’s only being leveraged as a repository. Because of this, the enterprise risk management team has to manually research vendor contracts on a regular cadence for due-diligence purposes. The company is currently looking to change this operation.
One of the nice features we want to potentially work on building out in Vendorpedia is this contracts piece. If our company decides to continue using our existing platform for contracts, we will look to integrate Vendorpedia and the CRM solution so that all pertinent contract information flows through to our vendor records within the platform. Once contract information is in Vendorpedia, we’ll know exactly who the vendor contact and internal stakeholder are, while also receiving automatic annual reassessment reminders that let us know we need to follow up on the vendor’s contract because it’s expiring or due for renewal.
The QSR brand also wants to add business owners to vendor risk management approval chains based on use case. For example, if a vendor supports the information technology department, the company wants to make sure that department is still actively engaged throughout the onboarding and assessment process. This added transparency is key as business owners can provide value by giving insight into the vendor relationship, as well as be an advocate throughout the assessment process. Ultimately, the business owner is invested in seeing the swift assessment and onboarding of a vendor because it is likely that the new tool or supplier will increase their team’s productivity.
We like working with OneTrust, not only because of the company’s ongoing innovation and support, but because they have challenged us to further streamline and automate our business processes.