Introduction
Parakeet Risk’s supplier portal streamlines third‑party onboarding and monitoring for industrial teams. From intake and auto‑tiering to SIG questionnaires, pluggable screenings, approvals with SLAs, and ERP/S2P sync, it turns vendor risk into a repeatable, auditable workflow—so you can stop managing paperwork and start managing risk.
End‑to‑end workflow at a glance
- Intake: suppliers complete a guided form with validation and evidence upload.
- Auto‑tiering: Rosella AI Agent and rules determine risk tier and scope.
- Questionnaires: dynamic packs (e.g., SIG Lite/Core) plus domain‑specific sections (EHS, Quality, Pharma).
- Pluggable checks: sanctions/PEP, identity, and bank verifications execute automatically.
- Approvals: routed to the right owners with SLA tracking and escalation.
- Sync: status, master data, certifications, and risk scores sync to SRM/S2P and ERP.
- Continuous monitoring: expirations, incidents, and regulatory changes trigger updates and tasks.
Supplier intake forms
Design intake once, reuse everywhere. Forms can be public, invite‑only, or embedded on your site. See related supplier intake forms.
Sample fields (extensible):
- Company profile: legal name, DBA, registration number, country, website, primary contact.
- Ownership & UBO: owners (>25%), UBO attestations, government ownership flags.
- Scope of work: categories (direct material, logistics, contract manufacturing, lab/testing, maintenance), data/system access, site locations.
- Certifications: ISO 9001/14001/45001, GMP, GDP; issue/expiry dates; file upload.
- Quality & traceability: lot/batch controls, recalls history, complaint handling procedure.
- EHS: incident rates, SDS availability, permits/waste transport IDs.
- Security & privacy: network access, OT/IT segregation, PHI/PII handling, encryption at rest/in transit.
- Insurance & banking: COI limits, insured parties, bank account details (IBAN/SWIFT or ACH), bank letter.
- Compliance attestations: code of conduct, anti‑bribery, conflict minerals, forced labor, FDA/EMA if applicable.
Validation rules (examples):
- Required: legal name, country, primary contact email.
- Format: email RFC‑compliant; tax/VAT by country pattern; IBAN/SWIFT checksum where applicable.
- Cross‑field: if “access to facilities = yes,” require EHS section; if “handles personal data = yes,” require privacy addendum; if “critical component = yes,” require ISO 9001 and COA policy upload.
- Evidence: certificate files must be PDF/PNG/JPG, <= 25 MB, include issue/expiry dates.
- Duplicate prevention: fuzzy match on legal name + registration number to avoid duplicate vendor records.
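The validation rules above, worked as an added example (not Parakeet Risk's own code): the required, format, cross‑field and evidence rules from this list, with the IBAN check implemented as the standard ISO 13616 mod‑97 checksum. Field names such as `access_to_facilities` and `coa_policy` are assumed for illustration, and the email pattern is a pragmatic shape check rather than a full RFC 5322 grammar.

```python
import re

# Pragmatic email shape check; a full RFC 5322 grammar is out of scope here (assumption).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")
EVIDENCE_TYPES = {"pdf", "png", "jpg"}
MAX_EVIDENCE_BYTES = 25 * 1024 * 1024

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97: move the first 4 chars to the end, map A-Z to 10-35, remainder must be 1."""
    s = iban.replace(" ", "").upper()
    if not IBAN_RE.fullmatch(s):
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1

def validate_intake(form: dict) -> list[str]:
    """Return the list of rule violations; an empty list means the submission passes."""
    errors = []
    for field in ("legal_name", "country", "primary_contact_email"):
        if not form.get(field):
            errors.append(f"required: {field}")
    if form.get("primary_contact_email") and not EMAIL_RE.fullmatch(form["primary_contact_email"]):
        errors.append("format: primary_contact_email")
    if form.get("iban") and not iban_is_valid(form["iban"]):
        errors.append("format: iban checksum")
    # Cross-field rules: a "yes" answer pulls in a required section or upload (field names assumed).
    if form.get("access_to_facilities") and not form.get("ehs_section"):
        errors.append("cross-field: EHS section required")
    if form.get("handles_personal_data") and not form.get("privacy_addendum"):
        errors.append("cross-field: privacy addendum required")
    if form.get("critical_component"):
        for upload in ("iso_9001_certificate", "coa_policy"):
            if not form.get(upload):
                errors.append(f"cross-field: {upload} required")
    # Evidence rules: file type, size limit and issue/expiry dates on every uploaded certificate.
    for ev in form.get("evidence", []):
        ext = ev.get("filename", "").rsplit(".", 1)[-1].lower()
        if ext not in EVIDENCE_TYPES:
            errors.append(f"evidence: {ev.get('filename')} must be PDF/PNG/JPG")
        if ev.get("size_bytes", 0) > MAX_EVIDENCE_BYTES:
            errors.append(f"evidence: {ev.get('filename')} exceeds 25 MB")
        if not (ev.get("issue_date") and ev.get("expiry_date")):
            errors.append(f"evidence: {ev.get('filename')} missing issue/expiry date")
    return errors

# Constructed sample submission (not real supplier data); expected to pass every rule.
SAMPLE = {"legal_name": "Example Coatings GmbH", "country": "DE", "primary_contact_email": "quality@example.test",
          "iban": "DE89 3704 0044 0532 0130 00", "critical_component": True, "iso_9001_certificate": "iso9001.pdf",
          "coa_policy": "coa.pdf", "evidence": [{"filename": "iso9001.pdf", "size_bytes": 120_000,
                                                 "issue_date": "2024-01-10", "expiry_date": "2027-01-09"}]}
```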
Auto‑tiering and scoping
Combine Rosella AI insights with deterministic rules to classify supplier criticality and right‑size due diligence.
Example rules:
- Tier 1 (Critical): direct materials, contract manufacturing, or regulated data access; annual spend > threshold; incident history in last 12 months.
- Tier 2 (High): indirect with operational impact (MRO, logistics), site access, or system APIs.
- Tier 3 (Standard): low‑impact services with no site/system access.
- Tier 4 (Basic): low spend, short‑term, no data or site access.
| Tier | Typical risk profile | Required artifacts (examples) | SLA target (example) |
|---|---|---|---|
| 1 | Critical | SIG Core, ISO certs, COI, EHS metrics, bank verification, sanctions/PEP | 10 business days |
| 2 | High | SIG Lite + addenda, COI, key controls, sanctions/PEP | 7 business days |
| 3 | Standard | Short questionnaire, attestations | 3 business days |
| 4 | Basic | Minimal form, code of conduct | 1 business day |
Notes: tiers, artifacts, and SLAs are fully configurable.
Questionnaires and evidence
- Standards support: use industry‑standard SIG questionnaires (SIG Lite and SIG Core/Full) with smart scoping.
- Domain add‑ons: EHS incidents, GMP/GDP controls, packaging/labeling compliance, OT security.
- Spreadsheet synergy: preserve existing Excel‑based templates while adding workflow, validation, and audit trails; no retraining required.
- Evidence management: versioning, side‑by‑side diffs, renewal reminders, and linkage to specific controls and risks.
- Audit readiness: every answer and file is time‑stamped with submitter identity; generate an evidence packet on demand.
For hands‑on guidance, see the SIG questionnaire how‑to.
Retailer portals and packaging submissions
Purpose-built for consumer goods and packaging teams, Parakeet Risk streamlines retailer/data‑pool submissions with a repeatable, auditable flow that reuses supplier intake data.
Six‑step flow:
1) Intake: capture SKU and packaging attributes (GTIN/UPC, brand, net contents, dimensions/weights, materials, allergens, warnings).
2) Validation: run rules on GTIN/UPC format, unit conversions, claims/warnings, hazardous flags, and completeness; map regulatory scope (EPR markets, REACH SVHC prompts, SCIP fields).
3) Dossier build: assemble a submission packet (spec sheet, compliance matrix, label proofs/artwork, certificates/attestations, SDS if applicable).
4) Submission: generate portal‑ready templates/attachments and submit; track per‑channel status and timestamps.
5) Feedback loop: log comments/change requests, route fixes to owners (artwork, regulatory, quality), and resubmit deltas only.
6) Lifecycle: version control, effective‑date scheduling, periodic renewals, and automatic re‑submission on formula/pack changes or regulation updates.
Typical artifacts checklist (configurable):
- Product identifiers and pack data: GTIN/UPC, brand, hierarchy (each/inner/case/pallet), dimensions/weights, net content/serving size.
- Label proofs: primary/secondary packaging artwork, required warnings/statements, language coverage.
- Materials and composition: packaging components and percentages, recyclability markings, disposal instructions.
- EPR: producer registration numbers by market and fee category mapping.
- REACH/SCIP: SVHC declaration and SCIP dossier ID where required.
- Safety and quality: SDS (if hazardous), certificates of conformity/attestation, ISO 9001/14001 where applicable.
- Commercial/regulatory: country of origin, shelf life/expiry/lot coding, allergen and nutrition statements (if applicable).
Automation and governance:
- Reuse supplier intake answers and evidence to prefill submissions and reduce rework.
- Role‑based routing (Regulatory, Packaging, Quality, Legal) with SLAs and escalations.
- Full audit trail of versions, submissions, approvals, and retailer feedback, with exportable evidence packets.
Pluggable verification checks
Plug in the checks you need; switch providers without redesigning forms. Parakeet Risk orchestrates checks and records outcomes in the audit trail.
- Sanctions & PEP screening: screen company, principals, and UBOs against applicable watchlists.
- Identity verification: validate company registration and key individuals where required.
- Bank verification: confirm account ownership and match legal entity to account name.
- Certification verification: validate ISO/GMP certificate status and expiry.
- Result handling: soft/hard fails, auto‑escalations, and conditional questions based on hits.
Approvals and SLA metrics
- Routing: serial or parallel approvals by category (EHS, Quality, Security, Procurement, Legal, Finance).
- SLA tracking: timers per stage, auto‑reminders, business‑day calendars, and heat‑maps of bottlenecks.
- Dashboards: cycle time by tier/supplier type, first‑time‑right rate, rework drivers, ROI metrics (e.g., audit prep hours saved).
- Tasks where teams work: push approvals and reminders into tools like Trello to keep operations moving.
- Exception handling: raise risk acceptances, temporary waivers, or remediation plans with expiry; all changes require rationale and approver sign‑off.
Supplier portal experience and communications
- Tokenized intake links: send invite‑only, tokenized links for secure submissions (or use public/embedded forms). Each submission is bound to the invite and supplier email for traceability.
- Inherent‑risk capture: a short pre‑screen (spend band, data/site access, material criticality, geography) informs auto‑tiering and scopes required controls.
- Dynamic document checklist: based on tier and scope, suppliers see a checklist (certifications, COI, bank letter, policies) with due dates, required formats, and percentage‑complete progress.
- SLA visibility: suppliers see current stage, SLA target, elapsed time, and next action. Late items auto‑remind and escalate per your business rules.
- Status & messaging: suppliers track status (Submitted, In Review, Action Needed, Approved/Blocked) and respond in a threaded message center. Reviewers can request clarification, cite a specific question/artifact, and return items for revision without restarting intake.
- Change requests: if scope changes (e.g., new site access), trigger incremental questions and new checklist items; prior approvals remain intact.
Dynamic routing by tier
- Route by risk tier and domain owners (EHS, Quality, Security, Procurement, Finance, Legal). Tier 1 can require parallel approvals; lower tiers can auto‑approve on clean checks.
- Conditional reviewers: add approvers when certain answers are present (e.g., PHI/PII handling adds Privacy review).
- Reopen on events: expirations or incidents can reopen approvals with targeted tasks.
Sync patterns and audit logs
- ERP/S2P sync patterns: create/update vendors, push approval status and risk tier, block on expired certifications, and post tasks back to SRM/S2P. See S2P patterns.
- Idempotent updates: map supplier IDs and avoid duplicates with fuzzy matching and deterministic keys.
- Complete audit log: token issuance, submissions, messages, clarification requests, resubmissions, checks, and approvals are captured with timestamps, actors, and rationale.
- Program design resources: for operating models and control sets, visit the TPRM hub.
ERP/S2P and QMS sync
Keep source‑of‑truth systems in lockstep. See SRM/S2P integrations.
- Bi‑directional sync: supplier master data, approval status, risk tier/score, and certificate expirations.
- Triggered updates: upon approval, create/update supplier in ERP; upon certificate expiry, post tasks or blocks in SRM/S2P.
- Quality and GMP alignment: link to QMS records for deviations, CAPAs, and audit findings.
- Material traceability: optional linkage of approved suppliers to BOMs and batches for recall readiness.
Audit trail, retention, and integrity
- Immutable timeline: every form change, check result, comment, and approval is time‑stamped with user, role, and IP/device metadata.
- Evidence retention: configurable by tier and artifact type; legal holds preserve records during investigations.
- E‑signatures and attestations: maintain signed attestations for policies and codes of conduct.
- Data integrity: supports practices aligned with standards used in regulated environments (e.g., 21 CFR Part 11) and helps safeguard sensitive information.
Frequently asked questions
- What questionnaires are supported? Parakeet Risk supports industry‑standard SIG Lite/Core and adds domain‑specific sections for EHS, Quality, and Pharma.
- Can we plug in our sanctions/PEP or bank verification provider? Yes. Checks are pluggable. You can swap providers or turn checks on/off by tier without redesigning workflows.
- How are SLAs enforced? Each stage has timers, reminders, and escalations. Dashboards highlight bottlenecks and cycle time by tier.
- Does it work with our ERP/S2P? Yes. The portal syncs supplier master data, approvals, and risk scores with SRM/S2P and ERP. See SRM/S2P integrations.
- How long is evidence retained? Retention is configurable by artifact type and tier. Legal holds can be applied when needed.
Related resources
- Supplier intake forms and templates: Intake forms
- SRM/S2P and ERP connectivity: SRM/S2P integrations
- Third‑party risk program hub: TPRM hub
- Building SIG workflows in Parakeet Risk: SIG how‑to