Create your first supplier oversight

In this article, you will get a detailed walkthrough on how to create supplier oversights in Complychain.

Written by Andreas Nørgaard
Updated over a month ago

What is a supplier oversight?

A supplier oversight is the ongoing supervision of a supplier to ensure they follow the required compliance standards, based on the type of data they process and how critical it is.

Complychain provides a structured way to manage supplier oversights, including defining the oversight concept to follow, collecting documentation and registering any findings.


Types of supplier oversight

You can create supplier oversights in three ways:

  1. Complychain managed: For the most common suppliers, you can select an existing oversight from Complychain’s oversight library. After connecting it, you will automatically be notified about new oversights and findings for that supplier.

  2. Automatic oversight: Allows you to define which documentation you need and set up an external oversight platform, where the supplier can upload evidence and answer questions. This oversight type also supports a simple process for repeating the oversight continuously, without having to configure it again.

  3. Manual oversight: A simple setup where you define the oversight and add tasks manually, including notifications and follow-up work.

Hint: The automatic option is recommended, as it gives you the most flexibility.


Step-by-step process

Create a supplier oversight

To create the oversight, you must:

1. Navigate to the Supplier Oversights module

2. Click on the + Create Oversight button

3. Select Subscribe to Complychain Oversight or Create your own Oversight

4. Select the supplier and define the scope

5. Click on the Create button in the drawer

Create the first version

When you have created the oversight, you must create the first version, which entails defining the details of the oversight.

Info: The following guide is based on the Automatic oversight type, as that is the most common and recommended approach.

Step 1. Configuration

In this step, you can configure the main settings:

  • Oversight type: Automatic or Manual (see previous section)

  • Deadline: When the oversight should be completed

  • Oversight frequency: How often the oversight should be repeated

  • Oversight language: Used for emails, evidence types and questionnaires

  • Responsible: Users or user groups responsible for the oversight

Step 2. Oversight Assessment

In this step, you choose the oversight concept. Complychain can recommend a concept based on official guidelines if GDPR or NIS2 applies. This recommendation is based on a few questions you answer in the setup.

Hint: You can also choose Custom and describe your own concept if you prefer to define it yourself.

Step 3. Security Evidence

In this step, you define which evidence the supplier must provide. You can require third-party evidence or self-declaration evidence. You can also add questionnaires with the questions that must be answered.

Hint: You can choose from common evidence types by default, or create your own under: Settings -> Configuration -> Supplier Oversight.

Step 4. Automatic Oversight

In the final step, you can:

  • Invite participants to upload evidence and answer the questionnaire

  • Configure the welcome dialog that appears in the external oversight platform

  • Set the initial email date, which starts the oversight

  • Configure email notifications for participants and responsible users

When you click on the Complete setup button, the oversight changes status from Not started to In progress. Furthermore, if the initial email date is set to the current date, the invited participants are notified by email immediately.

Hint: You can invite yourself to see a preview of the external oversight platform.


External oversight platform

Participants invited to an oversight can access the external oversight platform in Complychain. Here they can view the oversights they are part of and complete the required tasks.

When they open an oversight, they are guided through three simple steps.

1. Oversight Documentation

In the first step, you can upload the required documentation. The required types are shown, and one or more files can be added to each type.

2. Oversight Questions

In the second step, you can go through the questionnaire. A list of all questions is shown, and a filter helps you find unanswered questions.

3. Completion

When all evidence is uploaded and the questionnaire is completed, the participant can mark the oversight as done. The responsible users will then be notified.