Example — Onboarding a third party
Acme, a large manufacturing company, is in the process of onboarding a new third party to supply critical components for their production line. To help ensure the third party's reliability and to mitigate potential risks, Acme starts a thorough third-party risk management onboarding process.
Onboarding process example
- Request process
  - Any employee (typically a user who wants to do business with a third party) makes the business case to start the due diligence process for a risk assessment.
  - A Third-party Risk (TPR) manager reviews the request for due diligence for the engagement and approves it.
- Inherent Risk Questionnaire (IRQ) process
  - After the request is approved, the IRQ assessor completes the internal assessment by responding to the IRQ.
  - Based on the information gathered, Acme assesses the potential risks associated with the third party. They evaluate factors such as financial stability, operational capacity, adherence to quality standards, compliance with regulations, and the third party's ability to meet delivery timelines. This assessment helps Acme understand the third party's risk profile and determine the appropriate risk mitigation strategies.
- Due diligence process: compliance verification and data security and privacy assessment
  - When the IRQ process is complete, Acme's TPRM application sends questionnaires and requests for documentation to the third party. As part of an assessment, you might send multiple questionnaires and document requests. Acme might request documents such as the third party's certifications, licenses, or audit reports to validate compliance.
  - Note: To simplify and automate the process of determining which questionnaires and document requests to send to a third party of this type, Acme's staff has developed assessment templates. They defined questionnaire templates, document request templates, or both, and then grouped them into an assessment template. Acme can reuse the template to send the appropriate questionnaires, document requests, or both to similar third parties in future assessments.
  - Acme uses the third party's responses and internal analysis to determine whether the third party meets all necessary compliance requirements. This includes verifying the third party's compliance with applicable laws and regulations, such as environmental regulations, labor laws, and anti-corruption policies.
  - Given the sensitive nature of the components involved, Acme evaluates the third party's data security and privacy practices. They assess the third party's information security measures, data protection policies, access controls, and vulnerability management processes. If the third party will have access to Acme's proprietary information or customer data, Acme might require the third party to undergo a cybersecurity audit or provide evidence of its data protection measures.
- Contractual agreements and risk mitigation
  - To protect Acme's interests, the TPR contract negotiator at Acme (often corporate counsel) incorporates specific contractual provisions to address identified risks. The contract negotiator uses the information gained in the IRQ and due diligence processes to include clauses related to compliance, quality standards, confidentiality, data protection, business continuity, and dispute resolution mechanisms. The contract can also outline performance metrics, expectations, and termination clauses in the event of non-compliance or a breach.
- Ongoing monitoring and review
  - Acme establishes an ongoing monitoring process to regularly assess the third party's performance and adherence to agreed-upon terms. People at your organization might manually perform periodic financial reviews, quality audits, site visits, or surveys. They also establish communication channels to address any concerns or changes in the third party's risk profile.