A major national department store retailer with nearly 300 locations across 29 states and over 50,000 employees recognized that its approach to vendor risk management had not kept pace with the complexity of its supply chain. The organization works with hundreds of third parties spanning merchandise suppliers, logistics providers, technology vendors, and service contractors. Each relationship carries its own risk profile, and the existing process for tracking and evaluating those risks had become difficult to scale.
Vendor information lived in spreadsheets. Assessment requests went out via email. Follow-ups happened when someone remembered to check. There was no consistent lifecycle, no automated triggers for reassessment, and no self-service mechanism for business teams to initiate vendor onboarding in a structured way.
FLLR was engaged to implement OneTrust's Third Party Risk Management (TPRM) module and establish the governance framework needed to turn ad-hoc vendor oversight into a repeatable, auditable program.
The Challenge
The organization needed to move from reactive vendor management to a proactive risk program that could scale across the enterprise.
No Centralized Vendor Inventory
- Vendor information was scattered across departmental spreadsheets with no single source of truth
- No structured way to track vendor attributes like risk tier, contract status, or data handling practices
- Difficult to answer basic questions: How many vendors do we have? Which ones handle sensitive data?
Manual Assessment Processes
- Questionnaires were sent and tracked via email
- No standardized templates aligned to risk categories
- No visibility into assessment completion status or outstanding requests
Inconsistent Onboarding
- Business teams initiated vendor relationships through informal channels
- No intake process to capture critical information upfront
- Privacy and security teams often learned about new vendors after contracts were signed
No Lifecycle Governance
- No defined cadence for vendor reevaluation
- High-risk vendors received the same (minimal) oversight as low-risk ones
- No automated triggers to prompt reassessment when circumstances changed
Our Approach
We approached this engagement with a focus on building sustainable infrastructure, not just configuring a tool. A TPRM program only works if it fits into how the business actually onboards and manages vendors. Otherwise, people route around it.
The first step was developing the governance lifecycle with the client team. Before touching OneTrust, we needed to define what vendor risk management should look like: What triggers an assessment? Who reviews the results? What happens when a vendor fails to meet requirements? How often do we reassess? These decisions had to come from the business, not from a template.
From there, we mapped the governance model to OneTrust capabilities. The platform is powerful, but power without structure creates confusion. We designed workflows and configurations to enforce the lifecycle decisions the organization had made, so the system would guide users through the right process rather than leaving compliance to memory.
We also prioritized self-service. The privacy and procurement teams cannot be the bottleneck for every vendor request. By building a self-service intake portal, we gave business teams a structured way to initiate vendor onboarding while ensuring that critical information gets captured from the start.
Implementation
Vendor Inventory Migration
We bulk-imported the organization's existing vendor records into OneTrust, creating a centralized inventory that serves as the single source of truth. The import covered up to 100 vendors from client-provided spreadsheets, establishing the foundation for structured tracking. We configured up to 10 custom attributes to capture the specific data points the organization needs to track for its vendor population, including risk tiers, data handling categories, and contract metadata.
Assessment Questionnaire Configuration
We enabled up to three questionnaires tailored to the organization's needs, drawing from OneTrust's out-of-the-box templates and client-specific requirements. Different vendor types and risk levels warrant different levels of scrutiny. The configured questionnaires align assessment depth to actual risk, avoiding the trap of one-size-fits-all evaluations that either miss critical issues or waste time on low-risk relationships.
Self-Service Intake Portal
We configured the self-service portal with an intake questionnaire designed for business users to launch initial vendor onboarding requests. When someone in the organization wants to engage a new vendor, they now have a structured path to follow. The intake captures the information the privacy and procurement teams need to make informed decisions, and it creates a record from day one rather than after the fact.
Review Workflows and Automation
We developed vendor review workflows and configured the evaluation process within OneTrust. This includes up to two vendor workflows and a review workflow that routes assessments to the right reviewers based on defined criteria. Beyond initial assessments, we built automation rules to support ongoing vendor reevaluation. High-risk vendors get reassessed on a defined cadence. Changes in vendor status or contract terms can trigger fresh reviews. The system does the remembering so the team can focus on the evaluating.
Training and Knowledge Transfer
We provided end-user training and knowledge transfer to ensure the internal team can manage the program going forward. The goal is self-sufficiency: the organization should be able to launch assessments, review results, update configurations, and evolve the program without ongoing external support.
Results
Vendor Inventory
- Before: Scattered spreadsheets with no central source of truth
- After: Centralized OneTrust inventory with custom attributes and structured data
Assessment Process
- Before: Email-based questionnaires with manual tracking
- After: Configured questionnaires with automated workflows and status visibility
Vendor Onboarding
- Before: Informal requests through various channels
- After: Self-service intake portal with structured information capture
Review Workflows
- Before: Ad-hoc routing based on relationships
- After: Defined workflows routing assessments to appropriate reviewers
Lifecycle Management
- Before: No systematic reevaluation
- After: Automation rules triggering reassessment based on risk and timing
Governance Framework
- Before: Undefined processes
- After: Documented third party risk governance lifecycle
The organization now has the infrastructure to manage vendor risk at scale. Business teams have a clear path for vendor onboarding. Assessment questionnaires align to actual risk profiles. And automation ensures that reevaluation happens on schedule rather than when someone remembers to check.
The Bigger Picture
The challenge is rarely a lack of awareness that vendor risk matters. The challenge is building processes that scale across hundreds of relationships without creating bottlenecks that slow the business down.
By implementing OneTrust's Third Party Risk Management module with attention to governance design, self-service intake, and automation, we helped the organization move from spreadsheet-based tracking to a structured program that can grow with the vendor population. The privacy and procurement teams now have visibility and control. Business teams have a clear process to follow. And the infrastructure is in place to mature the program over time.
If your organization is managing vendor relationships through scattered spreadsheets and email chains, or if your risk assessments happen inconsistently because there is no system to enforce them, the question is how long that approach remains sustainable as your vendor ecosystem grows. If the answer is "not much longer," our team is ready to help.