Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resources-whitepaper-state-of-third-party-risk-management-2023
State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

Establishing a Third-Party Vendor Onboarding Process

6 min read
Featured Image

One of the biggest challenges in establishing a good third-party risk management (TPRM) program is getting the assessment process adopted by the organization as part of new third-party vendor onboarding. This is probably attributed to the fact that the process should truly begin with the individual lines of business or vendor owners, and not with the TPRM managers who own and promote it.

Regardless, there are tried and true methods for assuring all third-party vendors are vetted before signing a contract to make sure they’re selected with the utmost consideration for organizational security and strategic success.

The Goal of the Process

Establishing a third-party vendor vetting and onboarding process gives your organization the opportunity to make informed decisions on your vendor relationships. It’s a way to thoughtfully review all the facts, make sure the best vendor is being selected and incorporate any changes that may benefit your organization while you still have pre-contract leverage.

Establishing the Process

The best way to vet and onboard your third-party vendors is to establish a repeatable process. Begin with determining who the key players should be and establish and document their respective responsibilities in a policy/standards or procedures document. You can then communicate the process throughout your organization to assure it’s adequately adapted.

Key Players: Before moving into the actual process, you’ll need to assign duties and responsibilities to certain individuals. Here are a few of the players who will play a key role in onboarding your third-party vendors:
      • Process Owners: If you have people dedicated to vendor management, then they’ll likely be the managers of this process. Line of business personnel who wish to establish the relationship (i.e., vendor or product owners) will be ultimately responsible for the vendor and all the associated risks, so they should typically be the ones driving and taking ownership of the process as well.
      • Reviewers: In many cases, you’ll want to collaborate with other departments, such as information security, IT, business continuity, project management, compliance or legal and procurement. These subject matter experts (SMEs) often play a crucial role in the success of a TPRM program, especially as vendor relationships tie into processes and functions that they manage.
      • Approvers: You’ll also need to consider what levels of approval are necessary to add on a new vendor. Should all contracts be reviewed by a particular role or management level? Is approval siloed within lines of business? Does a legal review have to happen every time? These steps and approvals should be considered when establishing your process.
Responsibilities: Once we’ve figured out the players involved, we then need to determine what each of their responsibilities will be within this process. Some questions to ask are:
      • How are prospective vendors selected and requested? Perhaps there’s an existing vendor or product list that business units can refer to when they’re starting the vendor selection process. Sometimes this is accomplished by way of a “new vendor request form”.
      • How will the process be controlled? Consider what approvals, deliverables and checkpoints are necessary to track and monitor the success of the process.
      • Who determines the scope of vendors that must be formally vetted? Decide whether every request should go through a single vetting mechanism to determine applicability. This may be something that business units can determine themselves based on internal guidelines.
      • Who must weigh into a vendor assessment and under what circumstances? You may need to include subject matter experts in areas such as information security, compliance, business continuity, finance or legal, so consider how and when they should get involved.
      • Who has the approval authority for contract execution and/or acceptable due diligence? Consider who is ultimately permitted to approve new contracts and what the prerequisites are. If there are exceptions to this process, decide if they need to be formally documented.
The Process: Now that you’ve defined the key players and their responsibilities, it’s time to build the repeatable process. Review the following steps to ensure the vetting and onboarding process goes smoothly:
      1. Establish the business need. Believe it or not, the vendor vetting process should begin with establishing a business need. In many cases, it may be prudent to refer to the existing vendor catalogue to see if a new vendor is even necessary, or if there is an existing service provider that can meet those needs.
      2. Shop around. New vendors should be thoughtfully selected. This is especially important when the prospective services are complex in nature. Sometimes, a request for proposal (RFP) can be used to compare notes on different vendors and facilitate the decision-making process.
      3. Determine inherent risk and criticality of the engagement. This is where you seek to understand and document the fundamental aspects of the relationship to understand the risk and criticality of what you’re looking for a vendor to provide. This assessment is a way to determine the level of vetting that needs to be conducted and can also tell you who internally should be part of the onboarding process, as they have stake in the proposed service.
      4. Conduct due diligence and determine residual risk. This is the process of collecting and reviewing information about the vendor to understand how they plan to handle the identified risks. It’s best to collaborate with identified stakeholders when determining residual risk, after considering the vendor’s controls.
      5. Establish contractual standards. Once the residual risks have been identified, try to incorporate any necessary added protections into the contract. Risk assessment and due diligence often offer valuable insight into how to best design service level agreements and metrics, breach notifications and business continuity requirements. If nothing else, these actions impose an obligation to clear up any existing discrepancies and allow for a continued right to audit.
      6. Decide on a vendor. You might not get to this step before knowing which vendor can best meet your needs. However, if it’s a close race between two or a few, sometimes due diligence information and contract negotiations help make that final decision.
      7. Garner appropriate approvals. There could be multiple approvals necessary for one vendor onboarding process. This can include adequate review and approval by various SMEs or approval from risk professionals that an adequate risk assessment process has been completed. Legal approval that the proposed contract adequately protects your organization may also be required, and of course, final leadership approval for onboarding and execution of the contract.
        *Pro Tip: Most leading TPRM regulators require board-level approval for new vendor engagements which will be significant or critical in nature.
      8. Document and sign. Once final approval has been granted, it’s time to execute the contract. Just remember that the contract isn’t the only valuable document to keep in your vendor database. Each significant step should be cataloged in some way, such as the initial request form, a completed risk assessment and recorded rating, the assessment actions, steps, timing and results and the approval process and associated dates. These are the documented controls of your process and should be collected and safely stored.

Once the contract is signed, third-party risk management is not over. Be sure to follow through on open items, continue to monitor the vendor relationship and keep the appropriate stakeholders in the loop, especially as they may align with any projects, implementation, access management, etc.

As we often say, the best way for YOUR organization to establish a vendor vetting and onboarding process is contingent on the structure and resources unique to your organization. But, these foundations, along with some top-down strategic guidance, are recipes for success. This is a tried-and-true process that helps your organization consolidate resources, assess, communicate and mitigate risks, collaborate with the necessary stakeholders and thoughtfully establish new relationships. For some, this process will prove to be a true strategic advantage.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo