Due Diligence and Ongoing Monitoring

  • 1.  Onboarding guide and check list

    Posted 10-23-2025 12:12 PM

    Hi, would anyone be so kind as to share their onboarding guide/checklist from start to finish? We are coming up with a guide to distribute to departments for them to use while vetting new vendors and gathering due diligence documents before onboarding. I feel that I may be missing steps. There seems to be a disconnect with how I do it vs how I am explaining it to them. I would really like to be able to send them a guide to follow so there is no confusion. 

    Thank you



    ------------------------------
    Tara Murray
    ------------------------------


  • 2.  RE: Onboarding guide and check list

    Posted 10-23-2025 12:17 PM

    Hi Tara! Creating onboarding guides can get complicated when you have to take into consideration all the departments that may have a hand in onboarding vendors. Thankfully, there are many resources here in Third Party Thinktank! Here is an onboarding toolkit that includes a checklist, eBook, and infographic. We also have other onboarding resources in the library here. Hope these resources help!

    -------------------------------------------



  • 3.  RE: Onboarding guide and check list

    Posted 10-27-2025 07:50 AM
    The timing and frequency of ongoing monitoring typically depend on the vendor's risk tiering. In my current role, once a vendor onboarding process is initiated, we conduct an inherent risk assessment to determine the level of risk the vendor introduces to the engagement.
    Our assessment considers several factors, including:
      - Service dependency and criticality
      - Type and sensitivity of data shared
      - Concentration risk, transaction risk, and reputational impact
    Based on this assessment, vendors are categorized into material, medium, low, or zero-risk tiers. We then request due diligence documentation aligned with the vendor's risk level and initiate an SME review once the documents are received. After the SME review is completed, the process proceeds to the contracting phase.
    In short, the ongoing monitoring cadence is risk-based:
      - Material risk vendors: annual review
      - Medium risk vendors: biennial review
      - Low risk vendors: triennial review
    This approach ensures that ongoing monitoring activities remain proportionate to the risk exposure and that higher-risk vendors receive more frequent scrutiny.