Example — Onboarding a third party

  • Release version: Australia
  • Updated Mar 12, 2026
  • 2 min read

Acme, a large manufacturing company, is in the process of onboarding a new third party to supply critical components for its production line. To help ensure the third party's reliability and to mitigate potential risks, Acme starts a thorough third-party risk management onboarding process.

Onboarding process example

Request process
Any employee (typically a user who wants to do business with a third party) makes the business case to start the due diligence process for a risk assessment.

A Third-party Risk (TPR) manager reviews the request for due diligence for the engagement and approves it.

Inherent Risk Questionnaire (IRQ) process

After the request is approved, the IRQ assessor completes the internal assessment by responding to the IRQ.

Based on the information gathered, Acme assesses the potential risks associated with the third party. They evaluate factors such as financial stability, operational capacity, adherence to quality standards, compliance with regulations, and the third party's ability to meet delivery timelines. This assessment helps Acme understand the third party's risk profile and determine the appropriate risk mitigation strategies.

Due diligence process: Compliance verification and data security and privacy assessment

When the IRQ process is complete, Acme's TPRM application sends questionnaires and requests for documentation to the third party. As part of an assessment, you might send multiple questionnaires and document requests. Acme might request documents such as the third party's certifications, licenses, or audit reports to validate compliance.

Note:
To simplify and automate the process of determining which questionnaires and document requests to send to a third party of this type, Acme's staff has developed assessment templates. They defined questionnaire templates, document request templates, or both, and then grouped them into an assessment template. Acme can reuse the template to send the appropriate questionnaires, document requests, or both to similar third parties in future assessments.

Acme uses the third party's responses and internal analysis to determine whether the third party meets all necessary compliance requirements. This includes verifying the third party's compliance with applicable laws and regulations, such as environmental regulations, labor laws, and anti-corruption policies.

Given the sensitive nature of the components involved, Acme evaluates the third party's data security and privacy practices. They assess the third party's information security measures, data protection policies, access controls, and vulnerability management processes. If the third party will have access to Acme's proprietary information or customer data, Acme might require the third party to undergo a cybersecurity audit or provide evidence of its data protection measures.

Contractual Agreements and Risk Mitigation

To protect Acme's interests, the TPR contract negotiator at Acme (often corporate counsel) incorporates specific contractual provisions to address identified risks. The contract negotiator uses the information gained in the IRQ and due diligence processes to include clauses related to compliance, quality standards, confidentiality, data protection, business continuity, and dispute resolution mechanisms. The contract can also outline performance metrics, expectations, and termination clauses that apply in the event of non-compliance or a breach.

Ongoing Monitoring and Review

Acme establishes an ongoing monitoring process to regularly assess the third party's performance and adherence to agreed-upon terms. Persons at your organization might manually perform periodic financial reviews, quality audits, site visits, or surveys. They also establish communication channels to address any concerns or changes in the third party's risk profile.