
How to Onboard a New Vendor

Sep 4, 2019 by Gordon Rudd, CISSP

Businesses don’t run without vendors. You may only have a handful, or you may have hundreds or even thousands, but no matter what, you have at least one. Your telephone service provider is, in fact, a vendor. The more vendors you have, the more complex vendor management becomes.

It’s critical that you pay particular attention to the vendor onboarding process. Onboarding a new vendor is also known as vendor selection. This is one of the areas of vendor management that can save your organization a lot of headaches and money. Vendor onboarding should be a comprehensive process that your organization puts every vendor through to thoroughly vet and ultimately select the vendor that’s the best fit for your organization.  

8 Steps to Onboard a New Vendor

At a minimum, your process should consist of these eight steps. The more critical your organization considers a vendor, the more rigorous the process should be. Let’s dive in.

1. Always research.

Perform internet searches, sit through countless webinars, listen to numerous sales pitches and ask anyone you can think of for recommendations – opinions by word of mouth are powerful. Make sure you’re aware of all the options available in the market space where you’re seeking a vendor.

2. Issue a Request for Proposal (RFP).

I like having a document your organization and every potential vendor can refer to for clarification of exactly what product or service is being sought and how it fits into your organization. I always recommend you send out an RFP to the top 3-5 vendors on your radar. Within the RFP, outline your organization’s business objectives and technical requirements. Make it crystal clear what you need the product/service to accomplish, and request that the vendor formally respond to every point in the RFP, stating whether or not they can meet each requirement.

3. Begin to compare.

I always like to list out the features and functions that have been included in the RFP. You could use a spreadsheet to do this, but a software platform with a vendor comparison feature makes it even easier. Now, you’re ready to draft a pros and cons list regarding each vendor. This process will help you see the big picture: where each vendor excels, what critical requirements each vendor lacks and so on.

4. Collect due diligence.

This is important! I can’t stress it enough. Do your due diligence. The due diligence requirements are going to vary depending on the criticality and riskiness of the vendor. The more critical the vendor or the riskier the vendor, the more due diligence you will need to perform. For example, you’re going to request a SOC report if you’re looking into a new core system processor, but you won’t request that if you’re seeking new snow removal services.

Here’s the due diligence you should always obtain:

  • Mutual Non-Disclosure Agreement (MNDA) or Confidentiality Agreement
  • Basic Information (i.e., full legal name, address, all physical locations, Website URL)
  • Ownership structure and affiliated companies
  • Tax ID
  • State of Incorporation
  • Articles of Incorporation
  • Secretary of State Check
  • Business license
  • Certificate of Good Standing
  • Credit report
  • OFAC/PEP checks
  • Any “doing business as” or “also/previously known as” (d/b/a, aka, pka)
  • Dun & Bradstreet (D&B) report
  • Vendor complaints research findings
  • Vendor negative news search findings
  • List of subcontractors / fourth parties
  • Picture or Google map view of facility (if required)
  • Conduct check of CFPB Complaint Database and/or Better Business Bureau rating

5. Complete a vendor risk assessment.

Always! After all, isn’t it our job to assess risk? Determine if the vendor is high, moderate or low risk to the organization. Also, determine if they’re critical or non-critical to the organization.

6. Obtain references.

Once you’ve narrowed it down, ask your preferred vendors for professional references or case study/customer success story documentation. It’s always a good idea and best practice to speak to someone or read about the product/service and learn the customer’s firsthand experience.

7. Develop an exit strategy.

So, here we are, all excited to be bringing a new vendor onboard. Now is the time to curb your enthusiasm and look at how you would unwind the deal you are about to enter into with the vendor. This is the perfect time to figure out who your backup vendor is going to be before you’re ready to move forward with the contract. Don’t forget to write the applicable portions of your exit strategy into the contract.

Yep, upfront, before you even enter the contract, you need to think about how to exit the contract. Things happen. You’ll want to know how any data will be returned to you or destroyed, how quickly you can replace the vendor or bring the product/service in-house, etc.

8. Keep senior management and the board informed.

Throughout the entire onboarding process keep senior management and the board updated. Be sure to present them with a summary of the due diligence, risk assessment, your planned ongoing monitoring and the proposed contract prior to signing on the dotted line.

These eight steps will save you from contracting with the wrong provider. Doing your due diligence in the vendor selection phase helps guarantee that you’re selecting the best vendor in the space and best fit for your organization.


Written by Gordon Rudd, CISSP

Gordon Rudd is a Third Party Risk Officer at Venminder. Gordon has more than 30 years of experience in the financial services industry in the areas of third party risk management, technology, information security, enterprise risk management and GRC (Governance, Risk Management and Compliance) program development. Gordon works with the Venminder delivery team as a third party risk management and cybersecurity subject matter expert in residence.
