New from the Lab·The Compass — an open moral reasoning standard for AI, tested across frontier modelsExplore →
Production AI Institute · PSF v1.1 open standard
AI Right-To-KnowAI Data Use IndexCheck My AI ToolsPolicy Change WatchAgent ReadinessPublic BenchmarkContactGlobal standard · Worldwide
← Back to workflow library
Revenue & Growth

Procurement Intake with Vendor Risk Pre-Screen

New SaaS/AI vendors are approved without consistent risk controls.

Who this is for
Procurement leads, IT managers, legal/compliance teams.
Expected outcome
Every vendor request gets risk-scored and routed before approval.
Implementation Setup

Read this before touching tools

Named owners
  • Primary owner: Procurement leads
  • Approver: IT managers
  • Support owner: legal/compliance teams.
Pre-flight checks
  • Access and permissions confirmed for every app in the stack.
  • Approval and escalation paths documented before automation goes live.
  • Baseline KPI snapshot captured before first pilot run.
Stack Design

Recommended app stack

Start with the minimum viable stack that can run the process reliably. Expand only when controls, reporting, and ownership are stable.

Microsoft FormsAirtableOneTrustSlack
Stack rationale
  • Microsoft Forms: Structured intake to reduce ambiguous or missing inputs.
  • Airtable: Operational component in the workflow stack with explicit ownership and logging.
  • OneTrust: Operational component in the workflow stack with explicit ownership and logging.
  • Slack: Operational escalation channel with clear owner visibility.
Execution Plan

Step-by-step deployment playbook

Execute in order. Do not skip approval and verification gates even if steps look routine.

STEP 1Owner: Procurement leadsPrimary system: Microsoft Forms

Capture procurement intake through a mandatory form requiring business purpose, data categories touched, integration scope, vendor hosting regions, and renewal/lock-in constraints.

Quality gate: Evidence captured and approved before moving to step 2.
STEP 2Owner: Procurement leadsPrimary system: Airtable

Apply baseline risk scoring in Airtable using transparent weighted logic (sensitive data, customer impact, vendor dependency, security posture, and legal exposure).

Quality gate: Evidence captured and approved before moving to step 3.
STEP 3Owner: IT managersPrimary system: OneTrust

Automatically issue OneTrust questionnaires for medium/high risk requests and block status advancement until required evidence artifacts are submitted.

Quality gate: Evidence captured and approved before moving to step 4.
STEP 4Owner: IT managersPrimary system: Slack

Route legal, security, and data-protection approvals in sequence with SLA timers and mandatory disposition comments (approve, approve-with-conditions, reject).

Quality gate: Evidence captured and approved before moving to step 5.
STEP 5Owner: legal/compliance teams.Primary system: Microsoft Forms

Enforce a hard procurement gate: no PO or contract signature until all required controls are complete, exceptions are approved, and residual risk owner is named.

Quality gate: Evidence captured and approved before moving to step 6.
STEP 6Owner: legal/compliance teams.Primary system: Airtable

Run a monthly governance review by business unit for risk mix, approval latency, and exception volume, then tune scoring thresholds and required controls.

Quality gate: KPI movement for Time to risk decision is visible in weekly review.
Rollout Sequence

30-day implementation rhythm

Week 1
Baseline and scope lock
  • Freeze workflow scope, owner list, and approval checkpoints.
  • Capture baseline values for all listed KPIs.
  • Confirm tool access, permissions, and escalation channels.
Week 2
Pilot with control gates
  • Run workflow on a controlled subset of cases.
  • Log false positives/negatives and every manual override.
  • Hold end-of-week review with named owners before expansion.
Week 3
Expand and harden
  • Increase coverage to normal operating volume.
  • Tune thresholds/prompts/routing based on pilot evidence.
  • Confirm SLA adherence and escalation response quality.
Week 4
Operationalize
  • Publish the runbook and handover notes for ongoing operation.
  • Lock reporting cadence for KPI review and incident review.
  • Approve next optimization backlog from observed bottlenecks.
Risk and Control

Risk and failure modes

  • Bad or incomplete input data creates incorrect automations.
  • Unreviewed auto-generated outputs can trigger customer-facing errors.
  • Overly broad app permissions can expose sensitive data.
  • Missing observability makes failures invisible until damage occurs.

Controls to keep in place

  • Enforce mandatory intake fields and validation rules before execution.
  • Require human approval on high-risk outputs and policy exceptions.
  • Apply least-privilege access and review integrations quarterly.
  • Track KPI and exception dashboards weekly with named owners.
Standards Mapping

PSF alignment

  • D1 Input governance
  • D7 Security
  • D8 Vendor resilience

PAI-8 control mapping

  • C1 Intake controls
  • C7 Security checks
  • C8 Vendor risk governance
Performance Management

Track these KPIs from week one

  • Time to risk decision
  • Unassessed vendor count
  • Policy exception rate
Suggested target ranges
  • Time to risk decision: target 20-40% reduction in 60 days
  • Unassessed vendor count: define baseline in week one and improve by 10% in quarter one
  • Policy exception rate: target 10-25% uplift in 60 days
Implementation Assets

Downloadable artefact

Download implementation-ready premium files for operator runbooks, KPI tracking, executive reviews, and audit evidence.

Open toolkit templates →
  • implementation-runbook.docx (DOCX): Operator runbook with roles, triggers, and rollback steps.
  • kpi-and-risk-register.xlsx (XLSX): KPI baseline tracker plus risk/control register workbook.
  • exec-brief.pptx (PPTX): Executive implementation deck for internal/client briefings.
  • proof-brief.pdf (PDF): Portable evidence summary for governance and commercial review.
Evidence and Outcomes

Proof layer and expected outcomes

Teams that run this workflow with weekly control reviews typically see measurable improvements in cycle time, consistency, and exception handling within 30-60 days.

Establish a baseline first, then measure movement at week 4 and week 8 using the KPI set above.

  • Before rollout, teams report inconsistent execution for "new saas/ai vendors are approved without consistent risk controls.".
  • After 4-8 weeks, teams typically show stronger predictability against time to risk decision.
  • Where outcomes lag, the common cause is weak human approval discipline rather than automation capability.
Benchmark ranges
  • Time to risk decision: 20-40% improvement by week 8 in stable deployments.
  • Unassessed vendor count: establish week-1 baseline and target 10-15% quarter-one improvement.
  • Policy exception rate: 10-25% improvement by week 8 with weekly QA reviews.
Benchmark references
Proof case references
Tooling Trade-offs

Tool comparison guidance

Default to Power Automate where tenant governance, identity, and audit controls are mandatory. Use Zapier or Make for peripheral integrations where policy and data-classification rules allow.

Workflow-level operating trade-offs
  • Zapier: Fast delivery on simple, low-risk workflows with broad app connectors. Caution: Can become expensive/noisy at scale without strict task and error governance.
  • Make: Complex branching logic and data transformations with visual control. Caution: Requires stronger operational ownership to avoid brittle scenario sprawl.
  • Power Automate: Best fit for Microsoft 365-heavy environments and governance needs. Caution: Licensing and environment strategy must be planned to avoid hidden complexity.
Control Variants

Sector control variants

Function cluster: Revenue & Growth

  • MSP/IT: route high-severity outputs through a human incident commander before customer communication.
  • MSP/IT: maintain rollback-ready runbooks for every automation touching production services.
  • MSP/IT: enforce tenant and customer segmentation in logs, storage, and notification channels.
Related workflows →Deploy guides →Prove skills (CAOP) →Do it (templates) →PAI-8 standard →Implement in Studio →Get implementation help →
Related workflows
Vendor Onboarding with Security Questionnaire ScoringSupport Triage and Escalation LoopInvoice Exception Detection Before Approval
Function cluster navigation

This guide sits in Revenue & Growth. Use these links to move through related implementation patterns.

Marketing Content Repurposing EngineRFP Response Acceleration for MSPsCompliance Evidence Collection CadenceSaaS Churn Prevention with Intervention TriggersBrowse all workflow clusters →