Most VRM implementations have a beautiful risk model and a flow that takes seven weeks to onboard a new vendor. Procurement gives up, business units bypass the process, and the risk register lists the assessments your security team managed to complete, not the vendors your business actually uses.
The flow design that scales
Onboarding fails at the slowest gate. The slowest gate is usually a security questionnaire reviewer with a 5-day SLA and no backup. Redesign the flow around three principles: tier first, parallelize tracks, time-box every gate.
Tier first, not last
Run a 30-second tier classifier as the first step. Three tiers:
Tier 1: Critical data access, fund movement, customer PII
-> Full SIG questionnaire, security architecture review
Tier 2: Internal data access, no customer PII
-> Lite questionnaire, sample evidence
Tier 3: No data access (marketing tools, office services)
-> Self-attestation only
Three-quarters of vendors are tier 3. Their assessment should take a day, not a month.
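As an added example (not part of the original post), here is the tier classifier as a rule-based function in plain Node.js. The intake field names (criticalDataAccess, fundMovement, customerPii, internalDataAccess) and the sample intakes are assumptions; the one design point worth copying is that an unanswered question counts as "yes", so a half-filled form can only move a vendor up a tier, never into the self-attestation lane.

```javascript
// Added example, not from the original post: a rule-based version of the
// 30-second tier classifier. Intake field names are assumptions.
const TIER_TRACKS = {
  1: 'Full SIG questionnaire, security architecture review',
  2: 'Lite questionnaire, sample evidence',
  3: 'Self-attestation only',
};

const TIER1_TRIGGERS = ['criticalDataAccess', 'fundMovement', 'customerPii'];
const TIER2_TRIGGERS = ['internalDataAccess'];

// intake: object of yes/no answers from the intake form. A question that was
// not answered is treated as "yes": an unknown data path must never land a
// vendor in the self-attestation lane.
function classifyVendor(intake) {
  const triggered = (field) => intake[field] !== false;
  const unanswered = [...TIER1_TRIGGERS, ...TIER2_TRIGGERS].filter((f) => intake[f] === undefined);

  const t1 = TIER1_TRIGGERS.filter(triggered);
  const t2 = TIER2_TRIGGERS.filter(triggered);
  let tier = 3;
  let reasons = [];
  if (t1.length) {
    tier = 1;
    reasons = t1;
  } else if (t2.length) {
    tier = 2;
    reasons = t2;
  }
  return { tier, track: TIER_TRACKS[tier], reasons, unanswered };
}

// Bucket a batch of intakes so the tier-3 share can be compared with the
// three-quarters rule of thumb.
function tierDistribution(intakes) {
  const counts = { 1: 0, 2: 0, 3: 0 };
  for (const intake of intakes) counts[classifyVendor(intake).tier]++;
  return counts;
}

// Constructed sample intakes (not real vendors).
const SAMPLE_INTAKES = [
  { criticalDataAccess: false, fundMovement: false, customerPii: true, internalDataAccess: true }, // payroll SaaS
  { criticalDataAccess: false, fundMovement: false, customerPii: false, internalDataAccess: true }, // internal wiki
  { criticalDataAccess: false, fundMovement: false, customerPii: false, internalDataAccess: false }, // swag shop
  { customerPii: false, internalDataAccess: false }, // form only half filled in
];
```

The fourth sample intake shows the conservative default: two tier-1 questions were left blank, so the vendor lands in tier 1 with those fields listed under `unanswered` for the reviewer to chase.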
Parallel tracks, not serial gates
Security review, legal review, and financial review do not depend on each other. Run them in parallel from the moment tier is set. Use Flow Designer’s parallel branches and a join at the end.
Flow: Vendor Onboarding
Stage: Tier
Parallel:
Branch A: Security review
Branch B: Legal review
Branch C: Financial review
Stage: Approval (waits for all three)
Naive serial flow: 21 days. Parallel flow with the same SLAs: 7 days.
Time-box every gate with auto-escalation
Every gate has a 5-business-day SLA. At day 5, the task escalates to the gate owner’s manager. At day 7, it escalates to the procurement lead. The escalation is automatic, not a polite reminder.
// Scheduled: gate SLA breach
// Selects in-progress assessments past the 5-business-day SLA
// (dayofweek counts business days) and hands each one to the
// VendorEscalation script include.
var gr = new GlideRecord('sn_vdr_risk_asmt_assessment');
gr.addQuery('state', 'in_progress');
gr.addEncodedQuery('sys_created_onRELATIVELT@dayofweek@ago@5');
gr.query();
while (gr.next()) {
  new VendorEscalation().escalate(gr.getUniqueValue());
}
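The scheduled job above selects the breached records; the ladder itself (day 5 to the manager, day 7 to the procurement lead) lives in the script include. As an added example, not the page's ServiceNow script, here is that ladder as a plain Node.js function so the business-day arithmetic can be checked outside the platform. The task shape `{id, state, createdOn}`, the role names and the sample tasks are assumptions.

```javascript
// Added example, not the page's scheduled job: the SLA escalation ladder in
// plain Node.js. Task shape, role names and sample data are assumptions.
const SLA_LADDER = [
  { afterBusinessDays: 7, escalateTo: 'procurement_lead' },
  { afterBusinessDays: 5, escalateTo: 'gate_owner_manager' },
]; // highest rung first, so the first match is the right one

// Weekdays elapsed after `start` up to and including `end`, counted in UTC.
// Mirrors the "dayofweek" unit: weekends do not consume SLA.
function businessDaysBetween(start, end) {
  const day = new Date(Date.UTC(start.getUTCFullYear(), start.getUTCMonth(), start.getUTCDate()));
  const last = Date.UTC(end.getUTCFullYear(), end.getUTCMonth(), end.getUTCDate());
  let count = 0;
  while (day.getTime() < last) {
    day.setUTCDate(day.getUTCDate() + 1);
    const dow = day.getUTCDay();
    if (dow !== 0 && dow !== 6) count++;
  }
  return count;
}

// Returns who the task escalates to right now, or escalateTo: null when it
// is still inside SLA. Closed tasks never escalate.
function escalationFor(task, now) {
  if (task.state !== 'in_progress') return null;
  const age = businessDaysBetween(new Date(task.createdOn), now);
  const rung = SLA_LADDER.find((r) => age >= r.afterBusinessDays);
  return { id: task.id, ageBusinessDays: age, escalateTo: rung ? rung.escalateTo : null };
}

// The sweep the scheduled job performs: every breached task with its target.
function sweep(tasks, now) {
  return tasks.map((t) => escalationFor(t, now)).filter((e) => e && e.escalateTo);
}

// Constructed sample tasks (dates chosen so a weekend falls inside the window).
const SAMPLE_TASKS = [
  { id: 'T1', state: 'in_progress', createdOn: '2024-03-04' }, // a Monday
  { id: 'T2', state: 'in_progress', createdOn: '2024-03-07' }, // a Thursday
  { id: 'T3', state: 'closed', createdOn: '2024-02-01' },
];
```

Running `sweep(SAMPLE_TASKS, new Date('2024-03-13T09:00:00Z'))` escalates only T1 to the procurement lead: it is seven weekdays old, while T2 is four weekdays old because the weekend of 9 and 10 March does not count.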
Reuse evidence across vendors
A SOC 2 Type II report from a major SaaS provider should not be re-reviewed every quarter for every business unit asking for them. Build an evidence library keyed on vendor and report period. Reviewers reuse the prior assessment if the report is unchanged.
Continuous, not point-in-time
The annual reassessment cadence is performative. Real risk monitoring requires continuous inputs: news monitoring, breach notifications, certificate transparency logs for attack-surface changes. Wire those inputs to risk score updates without re-running the questionnaire.
What to do this week
Pull your last 30 vendor onboardings. Bucket by tier. If tier-3 vendors took more than three business days, your serial flow is the culprit. Refactor to parallel branches before next quarter’s vendor onboarding wave.