
Vendor onboarding: the process

Why onboarding requests matter 

Vendor onboarding is the cornerstone of third-party risk management. To evaluate your attack surface, you have to understand 1) who your vendors are and 2) the risk level they pose to your org based on their access to your data and processes.

You’ll use vendor onboarding requests to: 

  • Determine whether or not your organization should begin (or continue) a business relationship with a vendor. 
  • Understand how to evaluate and assess the vendor. You’ll use onboarding requests to capture and store details of the business engagement. This might include things like whether the vendor has access to customer or employee Personally Identifiable Information (PII), which could signal that a rigorous risk assessment is required.
  • Capture information about the specific business relationship.
  • Automatically populate labels, portfolios, tiers or custom attributes. 

Process(es)

Depending on your organization's procurement maturity, vendor onboarding typically follows one of two paths:

 

|          | Inbound — ideal | Outbound — reactive |
|----------|-----------------|---------------------|
| Trigger  | A vendor onboarding request is submitted before purchase. | You discover a vendor already in use. |
| Action 1 | Evaluate and assess the vendor to the standards appropriate for their tier. | Send an onboarding request to an internal champion. |
| Action 2 | Approve or reject the vendor. | Evaluate and assess the vendor to the standards appropriate for their tier. |
| Action 3 | Waive and seek risk remediation as needed. | Waive and seek risk remediation as needed. |
| Result   | Risk is mitigated before exposure. | Risk is addressed retroactively. |

In both cases, you’ll be getting information from an internal team member, using that information to assign the vendor a tier, and then evaluating the vendor as needed. 

Now that you know the process, it's time to set up the mechanics that make it easy to do this efficiently and well.

Launch a vendor onboarding request process 

🌱 New to TPRM or short on time? No worries — we’ve got you covered. Check out the standard vendor onboarding and tiering section below.

✨ Ready to level up? Take a little time to configure the vendor onboarding process to meet your exact needs.

Customized vendor onboarding and tiering 

  1. Create a tiering rubric. A tiering rubric is an internal classification system. It defines what a Tier 1, Tier 2, etc. vendor is. You'll use onboarding requests to understand a vendor's tier, and you'll use the vendor's tier to understand what criteria they should be evaluated against. Ex: A Tier 1 vendor might meet one or more of the below criteria:
    1. A business-critical vendor
    2. Access to PII 
  2. Configure our onboarding request questionnaire. Make sure you’re asking the questions your organization needs answers to. From your friendly CPRM platform: this is crucial. 
  3. (optional) automate tiering. Take a moment to make your life easier by defining automations that automatically apply labels, tiers, portfolios and custom attributes. 
  4. Turn on the onboarding portal (for Professional accounts and above). This allows your team to proactively reach out with onboarding requests and makes it easier to be looped into the procurement process. This is what you’ll use to carry out the ‘Inbound’ path explained in the table above.  
  5. Train your team. Let them know what process they’re expected to follow. If you’re using the portal, make sure everyone knows how to get to it and when to use it. Psst, we have resources to help you with this.
  6. Send outbound onboarding requests when you find out about a potential or existing vendor and someone hasn’t used the portal. 
  7. Triage and action all incoming onboarding requests. 

Standard vendor onboarding and tiering 

  1. Use UpGuard’s tiering rubric. A tiering rubric is a classification system. It defines what a Tier 1, Tier 2, etc. vendor is. This determines exactly how you’ll be evaluating and assessing each vendor.
  2. Read the default onboarding questionnaire. We’ve already created an onboarding questionnaire for you! It’s ready to use, but we do recommend giving it a read through so that you know what questions it asks. If you have time, do basic edits to remove or add questions to make it better fit your needs. 
  3. (optional) automate tiering. Take a moment to make your life easier by defining automations that automatically apply labels, tiers, portfolios and custom attributes. 
  4. Turn on the onboarding portal (for Professional accounts and above). This allows your team to proactively reach out with onboarding requests and makes it easier to be looped into the procurement process. This is what you’ll use to carry out the ‘Inbound’ path explained in the table above.  
  5. Train your team. Let them know what process they’re expected to follow. If you’re using the portal, make sure everyone knows how to get to it and when to use it.
  6. Send outbound onboarding requests when you find out about a potential or existing vendor and someone hasn’t used the portal. 
  7. Triage and action all incoming onboarding requests.