Looking at PUMA’s vendor risk management process, you wouldn’t think it launched just a year ago. But it did.  

“We noticed that several other companies experienced data breaches and we wanted to improve our policies. With regulations and requirements getting more complex, we required a better system to check external vendors,” says Marco Preissinger, Senior Manager Information Security at PUMA SE.  

In the past, PUMA lacked a standardized way to manage vendor risks from an information security and data privacy point of view. 

“We wanted to know the exact IT risks tied to our current vendors and get a more consistent evaluation of new vendors,” recalls Florian Brandner, Director Global Information & Cyber Security at PUMA SE. “Using the OneTrust platform, our teams were able to create a clear framework for evaluating and monitoring vendor risks.”

This became PUMA’s Vendor Check process. Since it launched in 2023, the team has onboarded 250 vendors, reduced the process to an average of 17 days, and cut down its process time by 80% — and it’s just getting started.  

Reinventing vendor risk management

PUMA works with hundreds of independent suppliers and thousands of vendors across the globe, which meant the team needed to hit the ground running. 

“We really benefit from the templates library in OneTrust,” says Preissinger. “For us as a German company, the ISO templates were especially of great use. But we also pulled questions from other templates, so it was like a supermarket — a little bit of NIST, a pinch of ISO, and round it out with some GDPR. We did some rephrasing to fit our PUMA wording and OneTrust does the magic after.” 

The team decided to take a creative and proactive approach to mitigating vendor risks. While most organizations simply notify vendors when risks arise, PUMA goes a step further by including a technical damage scenario that details the potential impact and a treatment plan with suggestions for remediation.  

“We’re not just pointing out the risks. We notice vendors need a little bit more help to understand and mitigate risks, so we create what we call treatment plans. They're very simple; I would say five or six steps to mitigate one risk,” says Preissinger.  

They’ve seen an impressive adoption rate, with most vendors willing to address the risk. “The usage of the OneTrust platform has been instrumental in strengthening our relationships with vendors, as it allows us to provide them with targeted advice on mitigating risks based on our standardized treatment plans,” adds Brandner. 

This creates a mutually advantageous situation, where a vendor increases the security and reliability of its service, and PUMA as their customer effectively reduces overall risk. 

Easing the assessment workload

But the team didn’t stop there. After observing that vendors are often bombarded with assessments, they decided to lighten the workload by including only questions relevant to PUMA.  

“Some vendors provide a lot of services. For example, Microsoft has everything, but what if we only use a fraction of what they offer, like the Exchange email?” explains Preissinger. 

As part of the Vendor Check, the team created what they call the “business pit stop,” where they ask specific business units a few fast questions that help put the vendor in the right context. Dynamic assessments are then built in OneTrust, using conditional logic to further enhance the questionnaire based on each vendor answer.

The result? “We were able to reduce and simplify the assessment for the vendor, the business, and us as the reviewer,” says Preissinger. “The uniform approach ensures consistent and comprehensive risk handling, leading to a more robust risk management framework. As a result, our responses are faster and more effective, contributing to the overall resilience of PUMA.” 

Fostering a risk-aware culture

Streamlining the vendor risk process gave the team time to focus on its top priority: increasing awareness and understanding of risk within the company.

“If one responsible business unit is not included, it will not work. We needed to establish a process that enables continuous improvements and brings everyone to the table,” explains Preissinger. “We don’t need everyone to be privacy or security specialists, but a risk-aware culture helps us expedite the process.” 

Regular meetings are also where a lot of the learning happens, as stakeholders from all the different departments across PUMA bring their own concerns and viewpoints about the process.  

Timo Stauber, Legal Counsel Data Protection at PUMA SE, attests to the benefits of taking risk into consideration. “Vendor Checks are useful for us legal counsels in the data protection sector,” he says. 

“The assessments give a quick overview of vendors and the use of a planned tool or project. We carry out an initial data protection evaluation and, if necessary, a more in-depth legal review. If the deployment of the vendor is permissible from a legal data protection perspective, we conduct the data protection contract negotiations based on the assessment and any existing risks.”

This collaborative approach has led to a cultural shift at PUMA. Stakeholders are now more concerned about potential risks and know that every vendor they want to use will need to go through the Vendor Check process. 

“Bringing people closer together has been the biggest improvement,” says Preissinger. “This is where OneTrust helps a lot because we’re able to centralize processes to make faster, more informed decisions, and increase risk awareness throughout PUMA.”

From left: Timo Stauber, Daniela Dillmann, Florian Brandner, Wei Lo, Marco Preissinger

Gaining global traction

The Vendor Check process saw early success in building awareness and reducing risk and is currently being introduced to global subsidiaries through a system called ‘location onboarding’. 

Beginning in PUMA North America, the team spent a week at its Massachusetts office to introduce their established policies and best practices.

The week was spent working closely with senior management to define their existing risk management processes, input them into OneTrust, and plan marketing campaigns for other business units. At the end of location onboarding, all details were compiled in a neat package and handed over to the local team.  

“Without OneTrust, it would not be possible to have the agility and flexibility to adjust to local regulations and laws. It’s still a complex task, but the tool removes the uncertainty of knowing what to ask,” says Preissinger.

Looking forward, location onboarding is scheduled for multiple other regions: Chile, LATAM, Europe, EMEA, Austria, Hong Kong, Dubai, and the Nordics. 

“We would like to visit all the different PUMA entities and show our colleagues the OneTrust software as a whole, and the Vendor Check in particular,” says Daniela Dillmann, Legal Counsel Data Protection at PUMA SE.   

Driving security at scale

PUMA has been working with OneTrust since 2018, starting with its initial use of the Cookie Consent Module across all ecommerce sites. Now, more than five years later, they’ve further integrated with the platform’s Third-Party Management module and Power BI dashboards to achieve more robust and insightful analysis and internal transparency.

“Last year, we started with the Vendor Check and revised our template in the Data Mapping Automation module. With its various functionalities, OneTrust has great potential to simplify many processes here at PUMA,” says Stauber.

“In the future, procedures could be more integrated, automated. and adopted on a wide scale, including the entire vendor lifecycle and all relevant stakeholders for holistic risk management,” agrees Brandner. “This approach will guarantee seamless and efficient management of vendor relationships from start to finish.”