After discussing the CLM use case with various stakeholders and getting a better understanding of the product workflow capabilities within Ironclad, it occurred to us: we’ll be able to customize Ironclad to perform various vendor risk assessments all within the platform.
When most organizations think of Ironclad, they envision a robust contract lifecycle management (CLM) platform designed to streamline contracting workflows. And that’s exactly why Bay Area-based fintech company Plaid first implemented the platform, leveraging it to handle the complex lifecycles of a number of different contract types used across the organization. But as the legal team rolled Ironclad out, starting with non-disclosure agreements (NDAs), approving contracts and then expanding to more complex workflows as they realized efficiency gains, others began to take notice.
A TPRM tool in CLM clothing
As Plaid’s Security Governance, Risk, and Compliance (GRC) Lead, Kenneth Thomas Moras reviewed contracts often, evaluating their terms from a security standpoint. And post-Ironclad implementation, the contracts would make their way to him via Ironclad’s approval workflows. When he saw how easily customizable Ironclad’s capabilities actually were, he immediately recognized its untapped potential as a powerful third-party risk management (TPRM) tool.
Up until then, Moras and his team had been working in a sub-optimal manner to address vendor security reviews, relying on collaboration and project management platforms like JIRA and Slack while they searched for something more centralized and seamless. But even as they evaluated solution after solution, the centralization problem remained: their key stakeholders–legal, procurement, business users submitting requests–would still be primarily collaborating on another platform: Ironclad.
“After discussing the CLM use case with various stakeholders and getting a better understanding of the product workflow capabilities within Ironclad, it occurred to us: we’ll be able to customize Ironclad to perform various vendor risk assessments all within the platform,” said Moras.
So the GRC team got to work, leveraging Ironclad’s customizable workflow capabilities to enhance their vendor risk management processes. Here, Moras shares how they did it and why he believes Ironclad can revolutionize TPRM for any organization.
Creating a custom TPRM solution
To build customized workflows that could address what risk assessment requirements we had, we leaned on a few key features.
Streamlined approval workflows
The first was Ironclad’s ability to automatically add approvers to workflows based on the vendor use case. Depending on the specific business purpose of a vendor, the type of data they processed gained from the insights provided by our employees, subject matter experts (SMEs) from privacy, legal, security, and other relevant departments were seamlessly invited into the workflow. This ensured comprehensive risk assessments were conducted efficiently, with all necessary stakeholders involved from the outset.
Dynamic risk assessment forms
Ironclad’s powerful workflow management capabilities allowed us to trigger custom forms to vendors, gathering unique security and privacy insights. These forms were dynamically generated based on specific inputs from employees, such as processing sensitive employee data or customer personal information. This automation ensured that our risk assessments were thorough and targeted, without unnecessary manual intervention. This also reduced our need to manually reach out to vendors to collect necessary data like SOC2, Pentest reports etc and other specific signals that aided in our security and privacy diligence of vendors.
Tailored workflows for various vendor lifecycle stages
We developed separate workflows for new vendor onboarding, renewals, and terminations, each tailored to meet specific risk management needs. For new vendors, we implemented enhanced due diligence procedures. For renewals, we only escalated diligence if there was a material scope change, automatically notifying the security team if significant changes were detected. The termination workflow enabled us to send automated emails to vendors, instructing them to destroy our data, ensuring compliance and security.
Centralized communication and documentation
Ironclad’s email synchronization feature was particularly valuable. It allowed all responses from vendors’ responses on our specific inquiries and details regarding risk mitigation to remain within the workflow. This centralization of communication ensured that all relevant context was preserved, making it easier for teams to access and review critical information. The ability to CC the workflow email was a game-changer, enabling seamless collaboration across departments.
Custom fields and comprehensive reporting
We leveraged Ironclad’s custom fields to track vendors as high, medium, or low risk, providing us with a clear overview of our vendor risk landscape. The robust reporting capabilities allowed us to maintain a comprehensive repository of all vendors and relevant metadata we collected via employee inputs or responses to the dynamic forms in one place. This centralized data repository enhanced our ability to monitor and manage vendor risks effectively. We now have a robust vendor inventory which we can easily query. For example, we can look up who the security contact email for the vendor is, where the vendor stores data, what kind of data it is, and more.
The ROI of a customized TPRM solution
By expanding our usage of Ironclad to address TPRM, Plaid not only saved costs but also brought significant efficiencies to our risk management processes. The platform enabled seamless collaboration among legal, security, privacy, and business stakeholders, ensuring that vendor risks were fully assessed and managed. The improved alignment and communication reduced the likelihood of overlooked risks and enhanced the overall employee experience.
Ironclad CLM is often seen as a utility only for legal teams, but its capabilities extend far beyond. At Plaid, we demonstrated that with clever deployment and customization, Ironclad can also serve as a powerful TPRM solution, offering substantial ROI. Organizations that recognize and harness this potential can achieve greater efficiencies, improved risk management, and a more cohesive stakeholder collaboration. If you’re looking to enhance your TPRM processes, consider exploring how Ironclad can be tailored to meet your needs.
Unlock the full potential of Ironclad, and transform your third-party risk management today.