How an Industry Leading Quick Service Restaurant Brand Speeds up Vendor Risk Management with OneTrust GRC

Brewing Up the Need for Vendor Risk Management Technology

Speed is the essence of this industry leading quick service restaurant (QSR) brand, and in order to deliver for customers in the quickest, but most effective way possible, the company relies on third-party vendors, suppliers and business partners to support operations.

As with any organization that works with third parties, it opens a company up to risk. If a vendor is handling data like personally identifiable information (PII) or payment card information (PCI), it’s imperative that we assess and continually monitor the security and privacy posture of this business partner to ensure they are respecting the sensitivity of our information.
Manager of Risk Management
Industry Leading Quick Service Restaurant Brand

With more than 500 vendors on the corporate side of the organization, the QSR brand’s enterprise risk management team faced challenges in ensuring the correct internal stakeholders are not only involved in the initial vendor assessment and onboarding process, but also throughout annual reassessments and offboarding. To better understand where their vendor risk gaps are, the team interviewed internal business units to see how they manage their vendor relationships.

We found that each business unit was using a different version of a vendor management tracking mechanism like an Excel spreadsheet. The manual aspect of using a spreadsheet combined with the time-consuming nature of vendor risk assessments was ultimately pulling our employees away from their immediate priorities.
IT Risk and Compliance Analyst
Industry Leading Quick Service Restaurant Brand

After interviewing the privacy and information security teams, the enterprise risk management team recognized the need for a flexible technology solution with added automation to account for various regulations, standards, and frameworks.

Our Privacy Team mentioned they use OneTrust Privacy Management Software for Data Mapping and Assessment Automation and that, while these solutions can support vendor risk management, the company also has a dedicated vendor risk platform. After demoing the platform and realizing we would be able to link across multiple different OneTrust modules for a variety of privacy, security and trust operations, we realized OneTrust GRC’s Vendor Risk Management solution was the perfect fit.
Manager of Risk Management
Industry Leading Quick Service Restaurant Brand

Vendor Risk Management Fueled by OneTrust GRC

By implementing the OneTrust GRC Vendor Risk Management solution, this QSR brand streamlined what had been a relatively decentralized assessment and due diligence process.

Time is of the essence in business, and by using OneTrust GRC we are focusing our efforts on the most critical pieces and higher risk areas while still completing all the necessary due diligence and risk mitigation steps to confidently demonstrate regulatory compliance.
Manager of Risk Management
Industry Leading Quick Service Restaurant Brand

The company created a customized vendor validation assessment for business stakeholders with OneTrust, gathering a complete and up-to-date inventory of all the vendors the business currently uses or has previously used. This assessment is automatically sent to all business owners in the company to gather key data points, such as whether a vendor holds PII or PCI. The enterprise risk management team then risk-ranks each vendor from tier one to tier four based on regulatory and compliance requirements.

Once existing vendors have been risk-ranked, the QSR brand uses the SIG (Standardized Information Gathering) questionnaire for critical and high-risk vendors and the SIG Lite for low- to medium-risk vendors; both are preloaded in the Vendor Risk Management platform and distributed via assessment automation.

We like that OneTrust GRC’s Vendor Risk Management solution can track our vendors in one place and source information from each vendor on a periodic basis.
Manager of Risk Management
Industry Leading Quick Service Restaurant Brand

The QSR brand currently stores its vendor contracts in a customer relationship management (CRM) solution; however, the CRM is used only as a repository. As a result, the enterprise risk management team must manually review vendor contracts on a regular cadence for due-diligence purposes. The company is looking to change this.

One of the nice features we want to potentially work on building out in OneTrust GRC’s Vendor Risk Management solution is this contracts piece. If our company decides to continue using our existing platform for contracts, we will look to integrate OneTrust GRC and the CRM solution so that all pertinent contract information flows through to our vendor records within the platform. Once contract information is in OneTrust GRC, we’ll know exactly who the vendor contact and internal stakeholder is while also receiving automatic annual reassessment reminders that let us know we need to follow up on the vendor’s contract because it’s expiring or due for renewal.
Manager of Risk Management
Industry Leading Quick Service Restaurant Brand

The QSR brand also wants to add business owners to vendor risk management approval chains based on use case. For example, if a vendor supports the information technology department, the company wants to make sure that department stays actively engaged throughout the onboarding and assessment process. This added transparency is key: business owners add value by giving insight into the vendor relationship and by acting as advocates throughout the assessment process. Ultimately, the business owner is invested in the swift assessment and onboarding of a vendor because the new tool or supplier is likely to increase their team’s productivity.

We like working with OneTrust, not only because of the company’s ongoing innovation and support, but because they have challenged us to further streamline and automate our business processes.
IT Risk and Compliance Analyst
Industry Leading Quick Service Restaurant Brand