{
"id": "workflow:vendor-evaluation",
"_kind": "Workflow",
"_file": "domain/workflows/workflows-governance.yaml",
"_cluster": "domain",
"attributes": {
"displayName": "Vendor Evaluation",
"description": "On-demand governance workflow triggered when the organisation considers adopting a new\nthird-party vendor, software product, or managed service. A cross-functional evaluation\nteam including procurement, legal, security, and the sponsoring business unit assesses\nthe vendor against defined criteria covering capability fit, financial stability, security\nposture, compliance certifications, and contract terms. The security team reviews the vendor's\nSOC 2 or equivalent reports, and the legal team negotiates acceptable data processing agreements.\nEvaluation results are documented in a vendor assessment report, a recommendation is\nmade, and the final decision is escalated to the appropriate approval authority. Approved\nvendors are onboarded into the vendor register.\n",
"workflowKind": "governance",
"triggerType": "on-demand",
"typicalCadence": "per-vendor",
"complexity": "moderate"
},
"outgoingEdges": [
{
"from": "workflow:vendor-evaluation",
"to": "role:compliance-officer",
"kind": "involves_role"
},
{
"from": "workflow:vendor-evaluation",
"to": "role:legal-counsel",
"kind": "involves_role"
},
{
"from": "workflow:vendor-evaluation",
"to": "role:security-engineer",
"kind": "involves_role"
},
{
"from": "workflow:vendor-evaluation",
"to": "role:partnerships-manager",
"kind": "involves_role"
},
{
"from": "workflow:vendor-evaluation",
"to": "role:vp-engineering",
"kind": "involves_role"
},
{
"from": "workflow:vendor-evaluation",
"to": "domain:cybersecurity",
"kind": "applies_to_domain"
},
{
"from": "workflow:vendor-evaluation",
"to": "domain:infrastructure",
"kind": "applies_to_domain"
},
{
"from": "workflow:vendor-evaluation",
"to": "responsibility:vendor-evaluation",
"kind": "triggers_responsibility"
},
{
"from": "workflow:vendor-evaluation",
"to": "responsibility:risk-assessment",
"kind": "triggers_responsibility"
},
{
"from": "workflow:vendor-evaluation",
"to": "responsibility:contract-negotiation",
"kind": "triggers_responsibility"
},
{
"from": "workflow:vendor-evaluation",
"to": "responsibility:compliance-monitoring",
"kind": "triggers_responsibility"
},
{
"from": "workflow:vendor-evaluation",
"to": "role:principal-engineer",
"kind": "involves_role",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "role:engineering-manager",
"kind": "involves_role",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "role:license-auditor",
"kind": "involves_role",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "domain:platform-engineering",
"kind": "applies_to_domain",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "domain:security",
"kind": "applies_to_domain",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "responsibility:approve-architecture",
"kind": "triggers_responsibility",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "org-unit:engineering",
"kind": "performed_by_org_unit",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "org-unit:security-team",
"kind": "performed_by_org_unit",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "org-unit:architecture-guild",
"kind": "performed_by_org_unit",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "role:principal-engineer",
"kind": "involves_role",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "role:engineering-manager",
"kind": "involves_role",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "role:license-auditor",
"kind": "involves_role",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "domain:platform-engineering",
"kind": "applies_to_domain",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "domain:security",
"kind": "applies_to_domain",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "responsibility:approve-architecture",
"kind": "triggers_responsibility",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "org-unit:engineering",
"kind": "performed_by_org_unit",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "org-unit:security-team",
"kind": "performed_by_org_unit",
"attributes": {}
},
{
"from": "workflow:vendor-evaluation",
"to": "org-unit:architecture-guild",
"kind": "performed_by_org_unit",
"attributes": {}
}
],
"incomingEdges": []
}