Example: Onboarding a third party
Acme, a large manufacturing company, is in the process of onboarding a new third party to supply critical components for their production line. To help ensure the third party's reliability and to mitigate potential risks, Acme starts a thorough third-party risk management onboarding process.
Onboarding process example
This example illustrates a typical third-party onboarding flow in the TPRM application, from initiating a request through ongoing monitoring.
- Request process
  - An employee initiates onboarding by submitting a third-party due diligence request in the Employee Center.
  - A Third-party Risk (TPR) manager opens the request record from the Requests list and selects Approve.
  - After approval, the TPR manager selects Start due diligence to move the request into the due diligence workflow.
  - For more information, see Requesting third-party risk due diligence and Request due diligence for a third-party engagement.
- Inherent Risk Questionnaire (IRQ) process
  - After due diligence starts, an inherent risk assessment is generated.
  - On the Tasks page of the Vendor Management Workspace, the IRQ assessor opens the request record, navigates to the associated assessment, and opens the Inherent Risk Questionnaire.
  - The assessor answers the IRQ questions and submits the assessment to calculate the third party's inherent risk level.
  - For more information, see Assessing your third-party risk and Respond to an internal assessment.
- Due diligence process: Compliance verification and data security and privacy assessment
  - When the IRQ is complete, the assessment continues through the due diligence phase.
  - From the assessment record, the TPR manager or TPR assessor selects Submit to third party to send questionnaires and document requests.
  - Third-party contacts receive and respond to questionnaires and document requests in the third-party portal.
  - For more information, see Assessing your third-party risk, Create an external assessment, Respond to a questionnaire for a third party or engagement, and Review responses to external questionnaires.
  - Note: To streamline this step, Acme uses assessment templates, which group predefined questionnaire and document request templates for reuse.
  - Acme reviews the submitted responses and uploaded documents from the assessment record to verify regulatory, compliance, and security requirements.
- Contractual agreements and risk mitigation
  - After due diligence is complete, contract risk requirements are finalized.
  - The TPR contract negotiator reviews assessment findings and confirms that required contractual clauses are included in the third-party agreement.
  - For more information, see Managing the contract risk process and Accessing DD requests that are in the contract risk process.
- Ongoing monitoring and review
  - Once onboarding is complete, Acme monitors the third party throughout the engagement lifecycle.
  - Stakeholders review ongoing assessments, monitoring results, and periodic reviews from the third-party record to track changes in risk posture.
  - For more information, see Monitoring your third-party risk.