Example — Onboarding a third party

  • Release version: Xanadu
  • Updated July 31, 2025
  • 2 minutes to read

Acme, a large manufacturing company, is in the process of onboarding a new third party to supply critical components for their production line. To help ensure the third party's reliability and to mitigate potential risks, Acme starts a thorough third-party risk management onboarding process.

Onboarding process example

Request process

Any employee (typically a user who wants to do business with a third party) makes the business case to start the due diligence process for a risk assessment.

A Third-party Risk (TPR) manager reviews the request for due diligence for the engagement and approves it.

Inherent Risk Questionnaire (IRQ) process

After the request is approved, the IRQ assessor completes the internal assessment by responding to the IRQ.

Based on the information gathered, Acme assesses the potential risks associated with the third party. They evaluate factors such as financial stability, operational capacity, adherence to quality standards, compliance with regulations, and the third party's ability to meet delivery timelines. This assessment helps Acme understand the third party's risk profile and determine the appropriate risk mitigation strategies.

Due diligence process: Compliance verification and data security and privacy assessment

When the IRQ process is complete, Acme's TPRM application sends questionnaires and requests for documentation to the third party. As part of an assessment, you might send multiple questionnaires and document requests. Acme might request documents such as the third party's certifications, licenses, or audit reports to validate compliance.

Note:
To simplify and automate the process of determining which questionnaires and document requests to send to a third party of this type, Acme's staff has developed assessment templates. They defined questionnaire templates, document request templates, or both, and then grouped them into an assessment template. Acme can reuse the template to send the appropriate questionnaires, document requests, or both to similar third parties in future assessments.

Acme uses the third party's responses and internal analysis to determine whether the third party meets all necessary compliance requirements. This includes verifying the third party's compliance with applicable laws and regulations, such as environmental regulations, labor laws, and anti-corruption policies.

Given the sensitive nature of the components involved, Acme evaluates the third party's data security and privacy practices. They assess the third party's information security measures, data protection policies, access controls, and vulnerability management processes. If the third party will have access to Acme's proprietary information or customer data, they might require the third party to undergo a cybersecurity audit or provide evidence of their data protection measures.

Contractual Agreements and Risk Mitigation

To protect their interests, the TPR contract negotiator at Acme (often corporate counsel) incorporates specific contractual provisions to address identified risks. The contract negotiator uses the information gained in the IRQ and due diligence processes to include clauses related to compliance, quality standards, confidentiality, data protection, business continuity, and dispute resolution mechanisms. The contract can also outline performance metrics, expectations, and termination clauses that apply in the event of non-compliance or a breach.

Ongoing Monitoring and Review

Acme establishes an ongoing monitoring process to regularly assess the third party's performance and adherence to agreed-upon terms. People at your organization might manually perform periodic financial reviews, quality audits, site visits, or surveys. They also establish communication channels to address any concerns or changes in the third party's risk profile.