Policy, Program and Procedures

Hello All,

Our IS department is in the process of auditing their systems and noticed, we have several programs/artifacts that we no longer use. After much discussion, we realized we don't have an official offboarding process/procedure in place. Our Business Owners are quick to want to get their projects implemented but seem to drop the ball when it's time to terminate them.

We're looking to add information on offboarding in our IS and VM policies and create a checklist of who all needs to be contacted when we terminate a product, service or vendor, so information is removed appropriately. We ultimately feel the Business Units are responsible for notifying IS, IT, VM, etc. and need to be sure they are accountable.

Do any of you have paragraphs in your policies or offboarding policies you can share? This will be very helpful, as we move forward with building this process.

Have a great weekend! 

Well, offboarding includes both the closure of the contract, but also the end of the relationship with your business. So, think about it in both of those perspectives as you develop checklists and tasks.  We advise teams to consider an "exit strategy," especially for Critical Vendors, during the planning phase but up to contracting.  This covers what the business/customer will do without the availability of the product/service.

Here are a few examples:

1. Alternate: Replace the vendor
2. Absorb: Bring the activity in-house
3. Remove Dependency: Discontinue the activity
4. A combination of the above three methods

In terms of who is involved, here are some things to ask and consider:

1. Do we need to notify or seek approval from the board or senior leadership to terminate the vendor?
2. Who will verbally notify the vendor of the termination? That may be Legal or may be the business utilizing the service (e.g., vendor owner).
3. Who will draft and send written notice of the termination? Is that a legal team responsibility?
4. Which termination activities are our responsibility and which ones are the vendors?
5. Who will manage and ensure the vendor is doing what is expected of them contractually?
6. Are there any open invoices for the vendor? Will accounts payable need to run a report?
7. Do we need to perform any risk assessments before, during, or after offboarding the vendor?
8. Who is responsible for updating the vendor database and archiving the vendor records after offboarding?
9. How will we manage issues? If there are delays returning equipment or confirmation of disconnected systems, document as part of your risk management program. Ensure an owner is assigned and escalate to legal and senior management as needed.

I hope this helps and would be interested to hear from other members on this topic.