Chapter 9: Offboarding
Over a sustained period, nearly every third party will eventually stop being a vendor: requirements change in ways the third party cannot meet, the vendor goes out of business, or the customer‐vendor relationship ends for any of countless other reasons. When this happens, it's important to follow the proper offboarding steps to protect your company's assets. Organizations often miss the offboarding process for a variety of reasons. Systems of record or supplier managers may not notify the company of an impending cancellation of a vendor relationship, or the process might not be defined because many companies focus more on the Intake and Ongoing steps of due diligence. However, the offboarding steps are equally important to ensure both due diligence of the security controls and due care of any data, assets, and connectivity risks.
Vendor offboarding is the process during which the vendor's relationship with a company is officially ended across administrative, financial, and other systems of record. However, removing the vendor from the systems of record is not the goal. The vendor's records should remain in an inactive/closed state in any system for a retention period to comply with any regulatory requirements. Following the offboarding process lowers risk by cutting off access, destroying data, and securing the return of any company‐owned assets. There are additional steps for the Legal and Financial teams, but offboarding ...