Vendor Selection and Onboarding
Vendor selection establishes technology partnerships that shape organisational capability for years. This task covers the complete acquisition cycle: defining requirements, identifying candidates, conducting evaluations, negotiating contracts, and onboarding selected vendors into operational use. The procedures apply to software purchases, managed services, implementation partners, and cloud platform subscriptions.
Prerequisites
| Requirement | Detail |
|---|---|
| Business requirements | Documented functional and non-functional requirements approved by stakeholders |
| Budget approval | Confirmed funding allocation with procurement reference number |
| Authority | Delegated purchasing authority for the value threshold (check organisational limits) |
| Procurement involvement | Procurement team notified for purchases exceeding £10,000 |
| Timeline | Minimum 8 weeks for standard procurement; 16 weeks for complex or high-value |
| Security questionnaire | Current version of organisational security assessment template |
| Stakeholders identified | Business owner, technical lead, finance contact, and procurement contact named |
Gather the following information before beginning vendor identification:
- Requirements document location: [SharePoint/Drive path]
- Budget code: [Cost centre and project code]
- Procurement contact: [Name and email]
- Target go-live date: [Date]
- Contract duration needed: [Initial term + renewal options]
- Data classification: [Public/Internal/Confidential/Restricted]

Value thresholds
Purchases exceeding £25,000 require competitive tendering in most jurisdictions. Purchases exceeding £50,000 require formal RFP and evaluation committee. Verify your organisational thresholds before proceeding.
Procedure
Phase 1: Requirements definition
Translate business needs into evaluation criteria by categorising requirements as mandatory (must-have for consideration), important (weighted heavily in scoring), or desirable (differentiators between similar options). A grants management system procurement might yield 8 mandatory requirements (multi-currency support, donor reporting templates, IATI export), 12 important requirements (offline capability, custom fields, API access), and 15 desirable requirements (mobile app, AI-assisted matching, built-in analytics).
Establish weighting for scored criteria. Distribute 100 points across evaluation categories based on organisational priorities:
Example weighting for case management system:
- Functional fit: 30 points
- Security and compliance: 25 points
- Total cost of ownership: 20 points
- Implementation approach: 15 points
- Vendor viability: 10 points
- Total: 100 points

Security weighting increases to 30-35 points for systems handling protection data or operating in high-risk contexts; cost weighting decreases to 10-15 points when donor funding covers the purchase with minimal organisational contribution. Rebalance the other categories whenever you adjust one so that the total stays at 100 points.
Define technical requirements including integration needs, data migration scope, performance thresholds, and infrastructure constraints. Specify API requirements (REST, authentication method, rate limits), supported identity providers, data residency requirements, and browser/device compatibility. Field deployments require explicit offline capability and bandwidth consumption specifications.
Document compliance requirements applicable to the procurement: GDPR for personal data processing, sector-specific regulations, donor requirements (USAID, FCDO, EU contractual terms), and accessibility standards (WCAG 2.1 AA minimum). Create a compliance matrix mapping requirements to evidence needed from vendors.
Phase 2: Market research and vendor identification
Conduct market research to identify candidate vendors. Sources include sector benchmarks, peer organisation recommendations, analyst reports (Gartner, Forrester for enterprise; sector-specific for humanitarian technology), and technology communities. The benchmarks collection provides comparative analysis for common system categories.
Create a long list of 8-15 potential vendors meeting basic criteria. For each vendor, record:
- Vendor name:
- Product name and version:
- Deployment model: [SaaS/Self-hosted/Hybrid]
- Headquarters jurisdiction:
- Data centre locations:
- Nonprofit programme: [Yes/No, discount percentage]
- Estimated annual cost:
- Reference customers in sector:
- Initial assessment: [Proceed to RFI / Exclude]
- Exclusion reason (if applicable):

Apply initial filters to reduce the long list to 5-8 vendors for detailed evaluation. Exclude vendors that fail mandatory requirements, lack presence in your operating regions, have concerning financial stability indicators, or cannot meet compliance requirements. Document exclusion rationale for audit purposes.
Issue a Request for Information (RFI) for procurements under £50,000 where requirements are well-understood, or proceed directly to RFP for complex procurements. The RFI requests capability confirmation, pricing indication, and reference customers without requiring detailed proposals. Allow 2 weeks for RFI responses.
Phase 3: Formal evaluation
- Develop the Request for Proposal (RFP) document containing organisational background (without sensitive operational details), detailed requirements organised by category, pricing template requiring itemised costs, security questionnaire, compliance attestation requirements, evaluation criteria and weightings, submission instructions, and timeline. Standard RFP length runs 15-30 pages excluding appendices.
RFP structure:
1. Introduction and background (2 pages)
2. Scope of work (3-5 pages)
3. Functional requirements (5-10 pages)
4. Technical requirements (3-5 pages)
5. Security and compliance requirements (2-3 pages)
6. Pricing template (appendix)
7. Security questionnaire (appendix)
8. Terms and conditions (appendix)
9. Submission instructions (1 page)

Distribute the RFP to shortlisted vendors with a 3-4 week response window. Establish a single point of contact for vendor questions and distribute anonymised Q&A to all participants. Prohibit direct contact between vendors and stakeholders outside the formal process to maintain fairness.
Receive and log proposals. Verify completeness against submission requirements before scoring. Proposals missing mandatory elements (security questionnaire, pricing breakdown, compliance attestations) receive one opportunity to remedy within 48 hours; continued non-compliance results in disqualification.
Conduct initial scoring using the evaluation matrix. Each evaluator scores independently before group discussion. For a five-person evaluation committee scoring five vendors across five categories:
Scoring matrix example (partial):
Category: Functional Fit (30 points max)
| Evaluator | Vendor A | Vendor B | Vendor C | Vendor D | Vendor E |
|---|---|---|---|---|---|
| Evaluator 1 | 24 | 28 | 22 | 26 | 20 |
| Evaluator 2 | 26 | 27 | 24 | 25 | 21 |
| Evaluator 3 | 23 | 29 | 21 | 27 | 19 |
| Evaluator 4 | 25 | 26 | 23 | 24 | 22 |
| Evaluator 5 | 24 | 28 | 22 | 26 | 20 |
| Average | 24.4 | 27.6 | 22.4 | 25.6 | 20.4 |

Repeat for each category, then sum category averages for total scores.
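The aggregation above is easy to get wrong once five evaluators, five categories and the 0-5 scale from the evaluation criteria matrix are combined, so here is an added worked example (my own code, not part of the original procedure) that does it end to end: it checks that the weights sum to 100, converts each evaluator's raw 0-5 score to weighted points using the matrix formula, averages across evaluators, totals and ranks the vendors, and flags categories where an evaluator could not assess (a 0) or where evaluators disagree widely so the committee discusses them before the scores are final. The three vendors and their scores are constructed sample data, and the spread threshold of 3 is an assumption.

```python
"""Weighted evaluation scoring for the committee process in Phase 3.

Added example (not the page's own tooling). Assumes each evaluator scores
every vendor on the 0-5 scale from the evaluation criteria matrix; weighted
points per category are (raw / 5) * weight, so totals are out of 100.
"""
from statistics import mean

# Weights from the example weighting for a case management system (sum to 100).
DEFAULT_WEIGHTS = {
    "Functional fit": 30,
    "Security and compliance": 25,
    "Total cost of ownership": 20,
    "Implementation approach": 15,
    "Vendor viability": 10,
}
MAX_RAW = 5            # 5 = exceeds requirements ... 0 = no response / unable to assess
SPREAD_THRESHOLD = 3   # evaluator disagreement (max - min) worth a discussion; assumed


def check_weights(weights):
    """Weights are shares of 100 points; anything else skews the totals silently."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights sum to {total}, expected 100")


def weighted_points(raw_scores, weight):
    """Average the evaluators' raw scores and scale them to the category weight."""
    if not raw_scores or any(not 0 <= s <= MAX_RAW for s in raw_scores):
        raise ValueError(f"raw scores must be on the 0-{MAX_RAW} scale: {raw_scores}")
    return mean(raw_scores) / MAX_RAW * weight


def score_vendors(scores, weights=DEFAULT_WEIGHTS):
    """scores: {vendor: {category: [raw score per evaluator]}}.

    Returns {vendor: {"by_category": {...}, "total": float, "flags": [...]}}.
    Flags mark categories an evaluator could not assess (a 0) or where the
    evaluators disagree widely; they go to the group discussion and do not
    change the arithmetic.
    """
    check_weights(weights)
    results = {}
    for vendor, by_category in scores.items():
        missing = set(weights) - set(by_category)
        if missing:
            raise ValueError(f"{vendor}: no scores for {sorted(missing)}")
        points, flags = {}, []
        for category, weight in weights.items():
            raw = by_category[category]
            points[category] = round(weighted_points(raw, weight), 2)
            if 0 in raw:
                flags.append(f"{category}: at least one evaluator could not assess")
            if max(raw) - min(raw) >= SPREAD_THRESHOLD:
                flags.append(f"{category}: evaluator spread {min(raw)}-{max(raw)}")
        results[vendor] = {
            "by_category": points,
            "total": round(sum(points.values()), 2),
            "flags": flags,
        }
    return results


def rank(results):
    """Vendors ordered by total weighted score, highest first."""
    return sorted(results, key=lambda v: results[v]["total"], reverse=True)


def example_scores():
    """Constructed sample: five evaluators, three vendors (not real data)."""
    return {
        "Vendor A": {"Functional fit": [4, 4, 4, 5, 4], "Security and compliance": [4, 4, 4, 4, 4],
                     "Total cost of ownership": [3, 3, 3, 3, 3], "Implementation approach": [4, 4, 5, 4, 4],
                     "Vendor viability": [5, 5, 5, 5, 5]},
        "Vendor B": {"Functional fit": [5, 5, 4, 5, 5], "Security and compliance": [3, 3, 2, 3, 3],
                     "Total cost of ownership": [4, 4, 4, 4, 4], "Implementation approach": [3, 3, 3, 3, 3],
                     "Vendor viability": [2, 3, 2, 2, 2]},
        # Vendor C: one evaluator could not assess functional fit (a 0).
        "Vendor C": {"Functional fit": [3, 0, 3, 3, 3], "Security and compliance": [4, 4, 4, 4, 4],
                     "Total cost of ownership": [5, 5, 5, 5, 5], "Implementation approach": [3, 3, 3, 3, 3],
                     "Vendor viability": [4, 4, 4, 4, 4]},
    }


if __name__ == "__main__":
    results = score_vendors(example_scores())
    for vendor in rank(results):
        r = results[vendor]
        print(f"{vendor}: {r['total']:.1f}/100", *r["flags"], sep="\n  ")
```

The same routine serves the Phase 4 security domain table if you pass the nine security domains as the weights (15, 15, 15, 10, 10, 10, 10, 10, 5) and the questionnaire reviewers as the evaluators; the flagged categories are the ones to settle in the group discussion before comparing vendor totals.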
- Conduct vendor demonstrations for the top 3 scoring vendors. Structure demonstrations around predefined scenarios reflecting actual use cases rather than allowing vendor-led presentations. A 90-minute demonstration might allocate 15 minutes for scenario setup, 60 minutes for scenario execution, and 15 minutes for evaluator questions. Record demonstrations (with vendor consent) for absent committee members.
Sample demonstration scenarios for M&E platform:
Scenario 1: Project setup (15 min)
- Create new project with logical framework
- Configure custom indicators
- Set up data collection schedule

Scenario 2: Field data collection (20 min)
- Create mobile form with skip logic
- Demonstrate offline data entry
- Show synchronisation process

Scenario 3: Reporting (15 min)
- Generate donor report from template
- Create custom dashboard
- Export data in multiple formats

Scenario 4: Administration (10 min)
- User provisioning and roles
- Audit log review
- Integration configuration

- Conduct reference checks for the top 2 vendors. Request 3 reference contacts per vendor, including at least one organisation of similar size and one in the same sector. Prepare standardised questions covering implementation experience, ongoing support quality, hidden costs encountered, and whether they would select the vendor again. Reference calls typically run 30-45 minutes.
Phase 4: Security assessment
Submit the organisational security questionnaire to finalist vendors. The questionnaire covers data handling practices, access controls, encryption standards, incident response capabilities, compliance certifications, and subprocessor management. Allow 2 weeks for detailed responses. Treat a vendor's inability to complete the questionnaire within a reasonable timeframe as a signal about its security and operational maturity.
Review security questionnaire responses against organisational requirements. Score each domain and identify gaps requiring mitigation or contractual provisions:
Security assessment domains:
| Domain | Weight | Vendor A | Vendor B |
|---|---|---|---|
| Data encryption (transit/rest) | 15% | 14/15 | 12/15 |
| Access control and auth | 15% | 13/15 | 15/15 |
| Infrastructure security | 15% | 12/15 | 14/15 |
| Incident response | 10% | 8/10 | 9/10 |
| Business continuity | 10% | 9/10 | 8/10 |
| Compliance certifications | 10% | 10/10 | 7/10 |
| Subprocessor management | 10% | 8/10 | 9/10 |
| Vulnerability management | 10% | 9/10 | 8/10 |
| Physical security | 5% | 5/5 | 4/5 |
| Total | 100% | 88/100 | 86/100 |

Request evidence for critical security claims. SOC 2 Type II reports, ISO 27001 certificates, penetration test summaries (within 12 months), and data processing agreements require verification rather than vendor attestation alone. When reviewing them, confirm that the SOC 2 report's period and scope cover the service you are buying (and note any subservice organisations carved out), that the ISO 27001 certificate's scope statement includes that service and the certificate has not expired, and that the penetration test scope matches the product and each finding has a remediation status. Vendors should provide these documents under NDA within 1 week of request.
Conduct technical security review for high-risk deployments. This includes architecture review, API security assessment, and authentication integration testing. For SaaS platforms handling confidential or restricted data, request a meeting with the vendor’s security team to discuss architecture and controls.
Phase 5: Commercial negotiation
Request best and final offers (BAFO) from the top 2 vendors following demonstrations and reference checks. The BAFO request specifies areas where improved terms are sought: pricing, payment terms, service levels, implementation support, or contractual provisions. Allow 1 week for BAFO responses.
Analyse total cost of ownership (TCO) across a 3-year or 5-year period. TCO extends beyond licence fees to include implementation, training, integration development, ongoing support, infrastructure (for self-hosted), and staff time for administration. A worked example for a CRM implementation:
3-year TCO calculation:
Year 1:
- Licence fees (50 users × £40/month × 12): £24,000
- Implementation services: £35,000
- Data migration: £8,000
- Integration development (2 systems): £12,000
- Training (3 days × £1,500): £4,500
- Internal project management (0.3 FTE): £18,000
- Year 1 subtotal: £101,500

Year 2:
- Licence fees: £24,000
- Support and maintenance: £4,800
- Additional training: £1,500
- Internal administration (0.1 FTE): £6,000
- Year 2 subtotal: £36,300

Year 3:
- Licence fees (10% increase): £26,400
- Support and maintenance: £5,280
- Internal administration (0.1 FTE): £6,000
- Year 3 subtotal: £37,680

3-year TCO: £175,480

Negotiate contract terms addressing identified risks. Key negotiation points include service level commitments with remedies, data handling and exit provisions, liability limitations, price increase caps for renewals (the 10% year-3 uplift above is exactly what such a cap bounds), and intellectual property rights for customisations. Organisations with limited negotiating leverage (small contract value, commodity product) focus negotiations on data exit provisions and liability rather than pricing.
Coordinate legal review for contracts exceeding £25,000 or involving personal data processing. Legal review examines limitation of liability clauses, indemnification provisions, governing law and jurisdiction, termination rights, and data protection compliance. Allow 2 weeks for legal review and 1-2 rounds of negotiation.
Execute a data processing agreement (DPA) for any vendor processing personal data on the organisation's behalf. The DPA specifies data processing purposes, retention periods, subprocessor approval requirements, data subject rights support, breach notification timelines (24 hours recommended, 72 hours maximum; under GDPR the 72-hour clock is the controller's own deadline for notifying the supervisory authority, so the processor's notice must arrive well inside it), and audit rights. Standard contractual clauses (or, for UK organisations, the UK International Data Transfer Agreement or Addendum) apply for international transfers.
Phase 6: Contract execution and onboarding
Obtain final approvals according to organisational delegation of authority. Approvals typically require business owner sign-off, IT endorsement, finance confirmation of budget, legal clearance (if reviewed), and executive approval for contracts exceeding defined thresholds. Route through procurement for purchase order generation.
Execute the contract following organisational signing procedures. Retain executed copies in the contract management system with metadata including contract value, term, renewal date, notice period, and responsible owner. Set calendar reminders for renewal review 90 days before expiry.
Conduct vendor onboarding kickoff meeting within 2 weeks of contract execution. The kickoff establishes project governance, confirms implementation timeline, identifies vendor and organisational contacts, and reviews immediate next steps. Document meeting outcomes and circulate within 48 hours.
Kickoff meeting agenda:
1. Introductions and roles (15 min) 2. Project objectives and success criteria (15 min) 3. Implementation approach and timeline (30 min) 4. Technical requirements review (20 min) 5. Communication and governance (15 min) 6. Immediate next steps and actions (15 min)
Attendees:
- Organisation: Project manager, technical lead, business owner
- Vendor: Account manager, implementation lead, technical contact

Establish vendor access to organisational systems as required for implementation. Create vendor accounts in the identity provider with access scoped to the implementation role and an expiry tied to the implementation end date; issue one account per named vendor individual rather than a shared login, and enforce MFA on every vendor account. Vendor accounts expire automatically at the implementation end date unless explicitly extended. Monitor vendor access activity through standard audit processes.
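Time-limited vendor accounts only help if someone checks that the limits are set and actually enforced. The script below is an added example (my own code, not the page's tooling and not tied to any particular identity provider) of the review to run at implementation closure and for the quarterly vendor access audit mentioned under Troubleshooting: it reads an export of vendor-type accounts and flags missing expiry, expiry beyond the implementation end date, expired-but-still-enabled accounts, logins after expiry (which means expiry is recorded but not enforced), missing MFA, privileged roles and idle accounts. The export format, field names, role names, dates and sample accounts are all constructed for this example.

```python
"""Review of time-limited vendor accounts in the identity provider.

Added example, not the page's own tooling and not tied to any particular IdP:
the export format, field names, role names and sample accounts below are
constructed for this example. Run it at implementation closure and for the
quarterly vendor access audit.
"""
from datetime import date

IMPLEMENTATION_END = date(2025, 5, 31)  # end date from the project plan (assumed)
PRIVILEGED_ROLES = {"global-admin"}     # roles no vendor account should hold (assumed)
STALE_DAYS = 30                          # idle period after which an enabled account is questioned (assumed)
AUDIT_DATE = date(2025, 4, 30)           # the day the review is run (assumed)

# Constructed sample export of vendor-type accounts (not real data).
SAMPLE_EXPORT = [
    {"username": "vend.acme.impl1", "enabled": True, "mfa_enrolled": True,
     "expires": "2025-05-31", "last_login": "2025-04-22", "roles": ["crm-implementer"]},
    {"username": "vend.acme.impl2", "enabled": True, "mfa_enrolled": False,
     "expires": "2025-05-31", "last_login": "2025-04-25", "roles": ["crm-implementer"]},
    {"username": "vend.acme.admin", "enabled": True, "mfa_enrolled": True,
     "expires": None, "last_login": "2025-04-20", "roles": ["crm-implementer", "global-admin"]},
    {"username": "vend.acme.dba", "enabled": True, "mfa_enrolled": True,
     "expires": "2025-01-31", "last_login": "2025-02-14", "roles": ["crm-implementer"]},
    {"username": "vend.acme.ext", "enabled": True, "mfa_enrolled": True,
     "expires": "2025-12-31", "last_login": None, "roles": ["crm-implementer"]},
    {"username": "vend.acme.old", "enabled": False, "mfa_enrolled": False,
     "expires": "2024-12-31", "last_login": "2024-12-01", "roles": []},
]


def _as_date(value):
    """Parse an ISO date string from the export; None stays None."""
    return date.fromisoformat(value) if value else None


def review_account(account, today, implementation_end=IMPLEMENTATION_END,
                   privileged=PRIVILEGED_ROLES):
    """Return the list of findings for one account; an empty list means it passes."""
    findings = []
    if not account["enabled"]:
        return findings                      # disabled accounts are out of scope
    expires = _as_date(account["expires"])
    last_login = _as_date(account["last_login"])
    if expires is None:
        findings.append("no expiry date set")
    else:
        if expires > implementation_end:
            findings.append(f"expiry {expires} is after implementation end {implementation_end}")
        if expires < today:
            findings.append(f"expired {expires} but still enabled")
        if last_login and last_login > expires:
            # The most important finding: the attribute exists but nothing acts on it.
            findings.append(f"login on {last_login} after expiry {expires}: expiry is not being enforced")
    if not account["mfa_enrolled"]:
        findings.append("MFA not enrolled")
    held = privileged & set(account["roles"])
    if held:
        findings.append(f"holds privileged role(s) {sorted(held)}")
    if last_login is None or (today - last_login).days > STALE_DAYS:
        findings.append(f"no login in the last {STALE_DAYS} days: confirm the account is still needed")
    return findings


def review_export(accounts, today, **kwargs):
    """Map username -> findings for every enabled account that fails a check."""
    report = {}
    for account in accounts:
        findings = review_account(account, today, **kwargs)
        if findings:
            report[account["username"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in review_export(SAMPLE_EXPORT, AUDIT_DATE).items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

Feed it your identity provider's real export after mapping the field names. A login dated after the expiry is the finding to chase first, because it shows the expiry attribute is recorded but the provider is not disabling the account on that date; the rest are onboarding checklist items that were missed.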
Integrate vendor into organisational processes including change management (vendor changes follow standard CAB process), incident management (vendor support contact added to escalation matrix), and contract management (vendor added to renewal tracking). Update the service catalogue to reflect the new service.
Document vendor details in the vendor register:
Vendor register entry:
- Vendor name:
- Contract reference:
- Primary contact:
- Support contact:
- Escalation contact:
- Contract value (annual):
- Contract term:
- Renewal date:
- Notice period:
- Data classification:
- DPA reference:
- Security assessment date:
- Business owner:
- Technical owner:

- Schedule post-implementation review for 3 months after go-live. The review assesses implementation success against objectives, vendor performance, lessons learned, and any outstanding issues requiring resolution. Document review outcomes and update vendor performance records.
Verification
Confirm successful vendor selection and onboarding by verifying:
Selection process completion:
- Evaluation matrix completed with scores from all committee members
- Security assessment documented with identified gaps and mitigations
- Reference checks completed and documented for selected vendor
- BAFO received and TCO analysis completed
- Legal review completed (if applicable)
- All required approvals obtained
Contract execution:
- Signed contract filed in contract management system
- Data processing agreement executed (if personal data involved)
- Purchase order raised and confirmed
- Renewal reminder set for 90 days before contract end
Vendor onboarding:
- Kickoff meeting held with documented outcomes
- Vendor contacts added to escalation matrix
- Vendor accounts created with appropriate access and expiry
- Vendor added to renewal tracking
- Service catalogue updated
Run the following verification query against your vendor register:
```sql
-- Vendor register completeness check for one newly onboarded vendor.
SELECT vendor_name, contract_reference, dpa_reference,
       security_assessment_date, renewal_date
FROM vendor_register
WHERE vendor_name = '[New vendor name]'
  AND contract_reference IS NOT NULL
  -- a DPA is required unless the vendor only handles public data
  AND (data_classification = 'Public' OR dpa_reference IS NOT NULL)
  -- the security assessment must be less than a year old
  AND security_assessment_date > DATEADD(year, -1, GETDATE());
```

A complete record returns one row with all fields populated. An empty result means at least one condition failed; re-run the query with only the vendor_name predicate to see which field is missing or stale. A missing DPA reference for a vendor handling personal data indicates incomplete onboarding. The classification test is only a proxy: a vendor that processes personal data needs a DPA whatever its data classification, so confirm dpa_reference directly for those vendors. DATEADD and GETDATE are SQL Server (T-SQL) functions; substitute your database's equivalents.
Troubleshooting
| Symptom | Cause | Resolution |
|---|---|---|
| No vendors meet mandatory requirements | Requirements too restrictive or market immature | Review requirements with stakeholders; distinguish true mandatory requirements from preferences; consider phased implementation addressing gaps |
| All vendors score similarly | Evaluation criteria insufficiently differentiating | Add granularity to scoring rubric; increase weight on most critical criteria; add demonstration scenarios testing edge cases |
| Vendor unwilling to complete security questionnaire | Questionnaire too onerous or vendor lacks security maturity | Offer call to discuss questionnaire; accept alternative evidence (SOC 2 report); treat refusal as disqualifying for sensitive data systems |
| Reference checks return negative feedback | Previous implementation issues or customer dissatisfaction | Probe for specifics; assess whether issues are vendor-systemic or context-specific; request additional references; weight feedback appropriately in final decision |
| Pricing significantly exceeds budget | Budget underestimated or scope expanded | Review scope for reduction opportunities; negotiate phased implementation; explore alternative products; request additional budget with justification |
| Legal review delays contract execution | Complex terms or non-standard provisions | Engage legal early in process; use vendor’s standard terms where acceptable; escalate specific blocking issues rather than full contract review |
| Vendor requests direct stakeholder contact during evaluation | Attempt to circumvent formal process | Remind vendor of process rules; document violation; assess whether behaviour indicates future partnership concerns |
| TCO analysis reveals hidden costs | Incomplete vendor pricing or undisclosed dependencies | Request itemised pricing breakdown; ask directly about common cost areas (training, support tiers, API access, storage); update requirements to mandate transparent pricing |
| Winning vendor has concerning jurisdiction | Data sovereignty or regulatory conflict | Assess actual risk based on data types; explore regional deployment options; implement additional contractual protections; consider runner-up vendor |
| Implementation timeline incompatible with project needs | Vendor capacity constraints or underestimated complexity | Negotiate resource commitment contractually; adjust organisational timeline; assess whether delay indicates vendor capability concerns |
| Vendor lacks nonprofit pricing programme | No formal programme or organisation ineligible | Request ad-hoc discount based on mission; compare against vendors with programmes; document cost differential for donor justification |
| Security assessment identifies critical gaps | Vendor security maturity insufficient | Request vendor remediation commitment with timeline; implement compensating controls; consider whether gaps are acceptable given data sensitivity |
| Contract negotiations stall on liability terms | Misaligned risk appetite | Escalate to senior stakeholders; consider accepting standard terms for lower-value contracts; implement additional insurance if needed |
| Vendor accounts remain active after implementation | No expiry configured, or expiry recorded but not enforced by the identity provider | Configure automatic account expiry and confirm the IdP actually disables accounts on that date; add vendor account review to implementation closure checklist; audit vendor access quarterly |
| Post-implementation issues not addressed | Unclear ownership or vendor non-response | Invoke contractual SLAs; escalate through account management; document issues for renewal decision |
Evaluation criteria matrix
The following matrix provides a starting template. Adjust weightings based on procurement priorities.
| Category | Weight | Components |
|---|---|---|
| Functional Fit | 30% | Requirements coverage; workflow alignment; reporting capabilities; customisation options |
| Security/Compliance | 25% | Security questionnaire score; certifications held; data handling practices; compliance attestations |
| Total Cost | 20% | Licence/subscription fees; implementation costs; ongoing support costs; internal resource costs |
| Implementation | 15% | Methodology and timeline; migration approach; training programme; reference implementation success |
| Vendor Viability | 10% | Financial stability; market presence; sector experience; support capability |

Scoring scale:
- 5 = Exceeds requirements
- 4 = Fully meets requirements
- 3 = Partially meets requirements
- 2 = Significant gaps
- 1 = Does not meet requirements
- 0 = No response / Unable to assess

Weighted score = (raw score / 5) × category weight × 100, with the weight expressed as a fraction (0.30 for Functional Fit), so a raw score of 4 in a 30% category yields 24 of that category's 30 points.

Figure 1: Evaluation criteria matrix template with standard weightings
Selection workflow
1. Requirements definition (weeks 1-2)
2. Market research and long list (weeks 2-3)
3. Initial filter to a short list of 5-8 vendors (week 3)
4. Under £50k: issue RFI (weeks 4-5); over £50k: issue RFP (weeks 4-7)
5. Evaluation and scoring (weeks 6-8)
6. Demonstrations with the top 3 vendors (weeks 8-9)
7. Security assessment (weeks 9-11)
8. Reference checks (weeks 10-11)
9. BAFO and TCO analysis (weeks 11-12)
10. Negotiation and legal review (weeks 12-14)
11. Approvals and contract execution (weeks 14-16)
12. Vendor onboarding (weeks 16-18)

Figure 2: Vendor selection workflow with indicative timeline for complex procurement
Onboarding checklist
CONTRACT ADMINISTRATION
- [ ] Signed contract filed in contract system
- [ ] DPA executed (if personal data)
- [ ] Purchase order raised
- [ ] Payment terms configured
- [ ] Renewal reminder set (90 days before expiry)

VENDOR REGISTER
- [ ] Vendor entry created
- [ ] Primary contact recorded
- [ ] Support contact recorded
- [ ] Escalation path documented
- [ ] Business owner assigned
- [ ] Technical owner assigned

ACCESS AND INTEGRATION
- [ ] Vendor accounts created in IdP
- [ ] Account expiry dates configured
- [ ] Access scope appropriate to role
- [ ] MFA enforced on vendor accounts
- [ ] NDA on file (if access to confidential data)

OPERATIONAL INTEGRATION
- [ ] Vendor added to escalation matrix
- [ ] Service catalogue updated
- [ ] Change management process communicated
- [ ] Support hours and SLAs documented
- [ ] Incident reporting procedure agreed

PROJECT INITIATION
- [ ] Kickoff meeting completed
- [ ] Project plan agreed
- [ ] Communication schedule established
- [ ] Success criteria documented
- [ ] Post-implementation review scheduled

Figure 3: Vendor onboarding checklist
Variants
Simplified procurement for low-value purchases
Purchases under £10,000 follow a streamlined process: documented requirements, 3 vendor quotes, selection justification, and standard terms acceptance. The full RFP process is disproportionate for low-value purchases. Maintain security assessment requirements regardless of value for any vendor accessing organisational systems or data.
Emergency procurement
Urgent operational needs permit truncated timelines with documented justification. Emergency procurement compresses the 16-week timeline to 2-4 weeks by limiting vendor evaluation to 2-3 known providers, accepting vendor standard terms, and deferring detailed security assessment until post-implementation (with compensating controls in place). Document the emergency justification and conduct full security assessment within 90 days.
Donor-mandated vendors
Some grants specify particular vendors or platforms. When donor requirements constrain vendor selection, document the requirement source, conduct security assessment regardless, and negotiate data processing terms appropriate to organisational requirements. The vendor mandate removes selection discretion but not responsibility for security and compliance.