I look at Vendor Onboarding as a task to ensure that I don’t end up in a bad marriage with a vendor.
It’s all about understanding who the vendor is and pulling out any details that aren’t going to work for you at the earliest opportunity.
Then going deeper to find out if it’s a problem.
And then either approving or rejecting that relationship.
Vendor Onboarding is a risk mitigation play. We’re actively reducing risk levels by proactively checking our vendors on various topics.
I’d much rather find the issue before the vendor is onboarded and we’ve signed a contract with them.
You might come across the phrase Due Diligence. Due Diligence is a key part of the onboarding, but it’s only a part of it.
What to cover as part of Vendor Onboarding
These are the key activities we need to get right during the onboarding phase:
- Due Diligence questionnaires completed by the vendor
- Use of tech to rate financial health
- Use of tech to rate cyber health
- Internal reviews and approvals of all vendor data
- Risk capture and mitigation strategy
- Pricing finalisation
- Putting an NDA in place (bonus)
- Contract terms review/negotiation (bonus)
Due Diligence questionnaires completed by the vendor
The questions you ask will vary depending on your company size, the industry you work in and any regulatory or legislative commitments you have.
In short, you’re attempting to ascertain if your vendor is a good fit.
You can determine if the vendor is a good fit by checking:
- Company Structure
- Company Culture
- Employee Vetting
- Intellectual Property
- Data Protection
- Information Security
- Risk Management
- Disaster Recovery and Business Continuity
You can approach this in as much or as little detail as you need. What matters is that the questions you ask give your business confidence that this vendor can deliver on the contract.
I believe that any software procurement you are making that involves personal data transfer should face the highest standards of Due Diligence review. Actually, I’d make that any vendor who will process personal data on your behalf.
But if it’s a vendor who is carrying out building works at your office, perhaps I care about:
- Health and safety (not in the list above)
- Company Structure
- Company Culture
- Employee Vetting
Now I know that the people coming into my workplace will be vetted, my colleagues will be safe, and we know the vendor is in a stable financial position. That’s a win in my book.
Use of tech to rate financial health
I may have asked my vendor a set of questions about their financial health and stability to ensure continuity of supply.
That’s critical in today’s world, where supply chain disruption is the new normal.
However, by delegating data entry to the vendor, we take their word for it that their answers are accurate. Of course, we could pull up a record on Companies House in the UK and search other jurisdictions’ databases, but the simple truth is... this takes up too much time.
But we can vet the vendor using a solution such as MarketIQ to instantly get a visual indication of the vendor’s credit score.
Use of tech to rate cyber health
I want to know how my vendors approach cybersecurity.
I’m concerned that I may be exposed to risks in my supply chain. This could be due to vulnerabilities found in commonly used software products or services, or to poor adherence to security practices. Either scenario could cause my company reputational and financial damage at some point in time.
Cyber security becomes extremely important if the vendor’s product is integrated into your own systems, if this vendor is processing personal data on your behalf, or if the vendor has any access to any of your environments.
We would have asked some questions about this in the Due Diligence phase. The types of questions might have focussed on:
- The firewalls they use
- Physical access to their systems
- Staff training and vetting
- How they manage downtime
To verify this information, we have a third party confirm our assessment by providing data to us about this vendor and their cyber security posture. By verifying the data using software such as MarketIQ Finance and MarketIQ Cyber, we've objectively measured the suitability of the vendor to work with us.
But how does this work?
Within MarketIQ Cyber, we can get an A-F grade for each of our vendors, and all we need is the vendor's website URL. Behind each grade is a score of 0-100 (100 being the top grade A).
These scores are made up of 10 top-level factors as shown below:
| Factor | What it detects or measures |
|---|---|
| Network Security | Detecting insecure network settings |
| DNS Health | Detecting DNS insecure configurations and vulnerabilities |
| Patching Cadence | Out-of-date company assets which may contain vulnerabilities or risks |
| Endpoint Security | Measuring security level of employee workstations |
| IP Reputation | Detecting suspicious activity, such as malware or spam, within your company network |
| Application Security | Detecting common website application vulnerabilities |
| Cubit Score | Proprietary algorithms checking for implementation of common security best practices |
| Hacker chatter | Monitoring hacker sites for chatter about your company |
| Information leak | Potentially confidential company information which may have been inadvertently leaked |
| Social engineering | Measuring company awareness of a social engineering or phishing attack |
These checks give me confidence that the vendors I am onboarding have the required level of cyber protection to work with us.
Internal reviews and approvals of all vendor data
The above methods of data capture, from the Due Diligence questions and the use of MarketIQ, should ideally be reviewed and approved by a subject matter expert. These subject matter experts may exist in your current team (procurement, vendor management or another variation).
If you do not have that subject matter expert in your team, you will want to utilise skillsets in your finance team for credit checks. For cyber checks, this will most likely be an individual in your IT or Information Security teams.
Risk capture and mitigation strategy
If you do uncover any risks with this vendor, and you’re still happy to onboard them despite those risks, you need to capture what those risks are.
One useful way to do this is by detailing potential risks in a vendor risk register.
Here’s what I like to do.
I create a name for the risk, and this, in short, is the specific risk event. This should be as niche as possible. For example, there might be a global recession risk, but is that a risk you can do anything about?
But what if we used the tried and tested ‘5 Whys principle’? Ask why the global recession is a risk with this particular vendor, and you might get an answer.
It might be that the vendor scored a B on their credit check in MarketIQ, that some of the answers they gave indicated they’d lost some accounts, and that their growth is on a downward trend, even if minimal.
So that trend may be exacerbated in a recession which could cause them to have various issues around performance, loss of staff, inability to trade etc. You need to drill down into these risks to see if there is anything you can do about it.
You then want to determine the probability of the risk occurring and the impact, should that risk event occur on your business.
From this, we can detail our mitigation strategy, including regular finance health check meetings throughout the next 2 years. We can set these up as recurring events within Gatekeeper or plan these out in advance and place meetings in calendars.
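The risk-register steps above (a narrowly named risk event, the evidence behind it, a probability and impact rating, a mitigation strategy, and recurring health checks over the next two years) can be captured as a small data structure. The following is an added example written for this article, not Gatekeeper's own risk register or data model; the 1-5 probability and impact scales, the rating bands, and the sample vendor data are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical 1-5 scales; the article does not prescribe a particular scale.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class VendorRisk:
    vendor: str
    name: str              # the specific risk event, as narrow as the 5 Whys gets it
    evidence: list[str]    # the answers and scores that led us to record the risk
    probability: str       # key into PROBABILITY
    impact: str            # key into IMPACT
    mitigation: str

    def score(self) -> int:
        # Simple probability x impact product, so scores range from 1 to 25.
        return PROBABILITY[self.probability] * IMPACT[self.impact]

    def rating(self) -> str:
        # Hypothetical banding; adjust thresholds to your own risk appetite.
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"


def review_schedule(start_iso: str, months_between: int, years: int) -> list[date]:
    """Dates for recurring health-check meetings, e.g. every 3 months for 2 years."""
    start = date.fromisoformat(start_iso)
    dates = []
    for offset in range(months_between, years * 12 + 1, months_between):
        month_index = start.month + offset            # may exceed 12
        year = start.year + (month_index - 1) // 12
        month = (month_index - 1) % 12 + 1
        # Clamp to the 28th so every month has a valid day of month.
        dates.append(date(year, month, min(start.day, 28)))
    return dates


def example_risk() -> VendorRisk:
    # Constructed sample mirroring the article's scenario: a B credit grade,
    # lost accounts and a slightly downward growth trend, exposed by a recession.
    return VendorRisk(
        vendor="Example Vendor Ltd",
        name="Vendor insolvency or service degradation during a recession",
        evidence=[
            "MarketIQ credit grade B",
            "Questionnaire: lost two accounts in the last 12 months",
            "Revenue growth trending slightly downward",
        ],
        probability="possible",
        impact="major",
        mitigation="Quarterly finance health-check meetings for 2 years; "
                   "exit plan and alternative supplier identified",
    )


def build_register(risks: list[VendorRisk]) -> list[VendorRisk]:
    """Register ordered highest-scoring risk first, so reviewers see the worst first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


if __name__ == "__main__":
    risk = example_risk()
    print(f"{risk.name}: score {risk.score()} ({risk.rating()})")
    for d in review_schedule("2024-01-15", months_between=3, years=2):
        print("  finance health check:", d.isoformat())
```

The register entry keeps the evidence alongside the rating, so when the quarterly review comes round the reviewer can check whether each piece of evidence still holds rather than re-deriving the risk from scratch.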
Pricing finalisation
Pricing finalisation isn’t the strictest of onboarding tasks. However, whilst onboarding is undertaken, you do have a good opportunity to continue negotiating on points such as price and payment with your vendors.
Realistically, you’ll have a few days to a few weeks to onboard your vendor. Use this time by talking to them and exhausting (without harming your relationship) key negotiation points.
You can cover this as part of your contract review and negotiation too.
Putting an NDA in place (bonus)
As part of onboarding, you will need to obtain commercially sensitive or proprietary information from your vendor. They may request that an NDA be put in place.
NDAs are a high-volume, often tedious task for Contract Managers and Legal Counsel to deal with. Procurement and Vendor Management teams will sometimes be empowered to handle NDAs.
As part of your onboarding process, I would suggest that an NDA is sent out early on before you send any questionnaires out to the vendor. This prevents a back and forth later on about not being able to share data and that an NDA is needed.
My second part of this suggestion is to make use of the oneNDA.
oneNDA is a standardised NDA that, at the time of writing the first draft of this article, 601 companies have adopted. That’s incredible.
I adopted oneNDA at the FinTech I worked at, which significantly cut down NDA negotiations. To the point where every NDA I issued was accepted, often within minutes or sometimes a couple of days.
Contract terms review/negotiation (bonus)
To speed up the time to onboard and contract with a vendor, you must undertake both activities simultaneously.
There is a risk that the onboarding doesn’t work out, and you have to part ways with the vendor before the relationship starts. However, if we work on the 80/20 principle, this would fall into 20% and likely be far lower.
I’d rather take the upsides of having Vendor onboarding and their contract review completed at the same time. This is only possible if you have a digitalised vendor onboarding and contract review process, with all vendor data accessible by Procurement and Legal.
How to create a vendor onboarding process
Dedicated vendor management team to focus on onboarding
You need a team that focuses on onboarding if you’re going to do it right. Vendor onboarding takes time and effort to carry out each day. Let alone the upkeep of questionnaires, process enhancements and the overarching strategy around onboarding.
This team could be part of a broader Procurement or Supply Chain team. If you’re a small team, you might have a minimum of two people assigned to manage onboards or spread the onboards among all team members.
What the end-to-end process should look like
A typical onboarding process will look like this:
- Internal request to onboard the vendor
- Independent checks as early as possible
- Sign an NDA with the vendor
- Send questionnaire to the vendor
- Review answers internally
- Approve/reject vendor
- Complete onboarding
The key is ensuring we keep each phase of the process simple.
You should ask yourself:
“Am I going to do anything with the data collected from the answer to this question?” If the answer is no, you should consider leaving this question out of the form.
We want to focus both your and the vendor’s efforts on the key questions that give us data that we can then work with to enhance compliance, control, and relationships.
Data we need to collect along the way
Every answer or piece of information you receive throughout the onboarding process from your vendor is data. And this is data that we should be able to use in the following ways:
- Inform how we categorise the vendor
- Discover potential risks that we need to protect against
- Provide insights around data security, software management, disaster planning and more
- Evidence to an auditor that we are onboarding vetted vendors only
- Evidence to customers that we are managing our supply chain
You could add other use cases for the data that apply to your specific business. But if you work backwards from “what data do we need to show that we are vetting all vendors?”, you’re going to end up with a more useful questionnaire and process with that strategic thought in mind.
How we should review onboarding information
Reviewing the data you collect during the vendor onboarding phase shouldn’t be done in isolation within the procurement team.
The procurement team won’t necessarily be experts on points such as information security, transfer of personal data, and the financial health of a company. You might want to bring in the experts to assist, such as your InfoSec, Data Protection, and Finance Teams.
You must be clear on who can reject or accept a vendor’s responses. Ensure this is set out in one of your plain language, easy-to-read policy documents. But don’t rely on that. We all know they aren’t the most read document in any company.
Instead, you could build approvals directly into your software solution. When doing this, I created specific approvals on the workflows within Gatekeeper, using the Kanban Workflow Engine, to enable specific teams and the members of those teams to approve the sections relevant to them only.
I wasn’t relying on a policy document.
I had it built into the process.
I had communicated this throughout the implementation of Gatekeeper. I spent time with these teams going through this and asking them - “What do you need me to do to make this easy on you?”.
Then I made it a reality for them by giving them visibility and control over the data they needed.
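The approval model described above (each team approves only the questionnaire sections relevant to it, and a vendor can be used only once every section is approved) is a separation-of-duties control, and it can be enforced in code rather than in a policy document. The following is an added illustration written for this article, not Gatekeeper's Kanban Workflow Engine or any of its APIs; the section names, the team-to-section mapping and the reviewer names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical mapping of questionnaire sections to the team that owns the decision.
SECTION_OWNER = {
    "finance": "Finance",
    "infosec": "InfoSec",
    "data_protection": "Data Protection",
}


@dataclass
class Reviewer:
    name: str
    team: str


def can_decide(section: str, reviewer: Reviewer) -> bool:
    """True only if the reviewer's team owns this section (least privilege)."""
    return SECTION_OWNER.get(section) == reviewer.team


@dataclass
class VendorOnboarding:
    vendor: str
    # section -> (outcome, reviewer name); kept as an audit trail of who decided what
    decisions: dict = field(default_factory=dict)

    def decide(self, section: str, reviewer: Reviewer, approved: bool) -> None:
        if section not in SECTION_OWNER:
            raise ValueError(f"unknown section {section!r}")
        if not can_decide(section, reviewer):
            raise PermissionError(
                f"{reviewer.name} ({reviewer.team}) may not decide the {section} section"
            )
        self.decisions[section] = ("approved" if approved else "rejected", reviewer.name)

    def status(self) -> str:
        outcomes = [outcome for outcome, _ in self.decisions.values()]
        if "rejected" in outcomes:
            return "rejected"            # any single rejection rejects the vendor
        if set(self.decisions) == set(SECTION_OWNER):
            return "approved"            # every owning team has approved its section
        return "pending"                 # at least one section still undecided

    def usable(self) -> bool:
        """Only vendors that completed onboarding may be used elsewhere in the business."""
        return self.status() == "approved"


def walkthrough() -> list[str]:
    """Constructed sample run returning the status after each step."""
    onboarding = VendorOnboarding("Example Vendor Ltd")
    finance = Reviewer("Alice", "Finance")
    infosec = Reviewer("Bob", "InfoSec")
    dpo = Reviewer("Cara", "Data Protection")
    statuses = [onboarding.status()]
    onboarding.decide("finance", finance, approved=True)
    statuses.append(onboarding.status())
    onboarding.decide("infosec", infosec, approved=True)
    statuses.append(onboarding.status())
    onboarding.decide("data_protection", dpo, approved=True)
    statuses.append(onboarding.status())
    return statuses


if __name__ == "__main__":
    print(walkthrough())
    try:
        VendorOnboarding("Example Vendor Ltd").decide("infosec", Reviewer("Alice", "Finance"), True)
    except PermissionError as exc:
        print("blocked:", exc)
```

Because the ownership check sits inside `decide`, a reviewer cannot approve a section outside their remit even by mistake, and `usable` gives the rest of the business a single yes/no answer that depends on every required section rather than on any one team.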
Setting the tone of the relationship
You will upset some vendors if you have a big, complex onboarding form that treats every vendor the same way. We cannot do this in a world where vendors have leverage, are looking for customers of choice, and get to pick and choose who they sell to.
Be thoughtful with your questions.
Use Gatekeeper to tailor the questions to specific vendor types, categories and any other data point you can imagine. There are no limits to what is possible here.
Make a tailored onboarding experience that is hands-off for you except for reviewing data, approving responses, and communicating with the vendor.
This is a game-changer for you.
By using Gatekeeper, you can create a more efficient onboarding process. With our onboarding forms, you can take complete control.
Give visibility to your entire business on all of the key data points you want to capture - from finance checks to business information - and ensure that only vendors that have been onboarded through Gatekeeper can be used.
For more information about how Gatekeeper can help with your vendor onboarding requirements, reach out to us now.