Ernesto Carrasco & Harold Shin: Improving UCLA’s vendor onboarding process

Congratulation to Managing Vendor Risk One Triage at a Time Project team, UCLA: UCLA GRC Team, UCLA ServiceNow Team

By Brendon Phuong. Ernesto Carrasco, director, Governance Risk & Compliance, UCLA, and Harold Shin senior IT risk analyst, UCLA, recently shared the story behind their project, “Managing Vendor Risk One Triage at a Time,” which won a 2023 UC Tech Design Silver Award, along with their fascinating career journeys and work in IT today.

Listen to Carrasco describe what was significant and rewarding about their project, “Managing Vendor Risk One Triage at a Time.”

The interview transcript, below, was edited for clarity and is based on an interview with Ernesto Carrasco and Harold Shin.

Two career paths that intersected and lead to IT work at UCLA

Ernesto Carrasco, I started my career in the military where I gained foundational skills. After leaving, I transitioned into government work, initially fixing computers and then progressing to network administration and later IT Security. My career trajectory took me across diverse industries, including banking, nuclear and mining.  I had the opportunity to engage in a wide range of cybersecurity activities, from casino audits to building comprehensive Governance, Risk Management, and Compliance (GRC) programs. Over time, I realized my passion was in creating and owning something significant and joined UCLA as a GRC director. The idea of being part of something greater, where my work could positively impact research, students, and progress, was especially motivating. 

Harold Shin, I joined UCLA out of college as a programmer analyst in desktop support for administration and gradually expanded my roles to include system admin work in corporate financial services and networking in central IT. After participating in UCLA’s Professional Development Program (PDP), I managed networking client services in academics for 12 years. I later transitioned to the Office of Research Administration as a senior operations manager. After a university reorganization, I sought a new opportunity as a risk analyst. This position allowed me to interact with a wide range of individuals on campus. Another benefit was being able to apply my IT operational experience to third-party risk management and assessment services.

Managing for long-term success by building in the ability to leverage strengths

In our specific field, known as Governance, Risk management, and Compliance (GRC), we look for technical expertise to identify, classify, analyze, and respond to cybersecurity risks. Aside from the technical skills, a good team member embodies principles of dignity, respect, and a service-focused leadership approach. We focus not just on facilitating their development in the present but also on aligning it with their future career aspirations. We make sure to engage in open conversations about their five-year goals, ambitions, and how we can support them. This development plan becomes an integral part of our current objectives, allowing them the flexibility they need to leverage their strengths. We provide training, and mentorship, and ensure open lines of communication, encouraging them to share anything on their minds. It’s about mutual growth and support, recognizing that they may not remain with our team forever, and helping each other in our respective journeys is the ultimate goal.

Challenges and rewards of a job well done – the ripple effect

Working at UCLA has its challenges and rewards. Our biggest challenge is the wide range of responsibilities we have. We assist almost every department on campus, including certain aspects of the medical side, and support various tasks. The volume of tasks, including triaging assessments and various responsibilities, can be quite substantial. However, we are deeply appreciative of this opportunity since there is always room for progress and improvement. We need to manage our time effectively to address UCLA’s diverse needs and demands. 

The work we have the privilege of doing every day is fantastic because we can help different departments achieve their goals. Yes, it is hard work and can be challenging at times. However, when our work is done, it’s also gratifying to witness how successful outcomes impact multiple departments with a ripple effect.

How the Governance, Risk Management, and Compliance (GRC) team improved UCLA’s vendor onboarding process

Up until about two years ago, our vendor onboarding process was manual, tedious, slow, and not scalable. Recognizing the inefficiency, our team made a pivotal decision to automate this process using ServiceNow. Initially, this automation yielded only a modest 0.5% improvement, but we were determined to refine it further. After its initial deployment, we fine-tuned the system based on feedback and observations, resulting in a transformation of the process into a highly efficient one, within two years.

We continue to make regular improvements and had the opportunity to present our solution at the UC Tech Conference, which garnered substantial interest in potentially implementing our solution across other universities within the UC system.  The opportunity to help other UC universities control risks associated with onboarding third parties is really exciting and a testament to what we’ve built. 

Reducing the approval time from months to weeks by focusing on the four pillars of the vendor onboarding process

The vendor onboarding process includes four pillars and teams (below). While distinct in some regards, these pillars are related. Through improved organization of each pillar, and by using automation, we reduced the time required for this process from months to just a few weeks. 

  1. Security: We are responsible for reviewing and ensuring the security of a vendor’s services. This includes assessing the security implications of a vendor’s program and making sure that the vendor complies with security requirements.
  2. Accessibility: We focus on evaluating the accessibility of vendor requests. This ensures that products and services provided by vendors are accessible to all users, including those with disabilities (an estimated 18% of the US has a documented disability – from those affecting movement, vision and hearing, attention deficit, and more).
  3. Privacy:  We conducted a review to identify any privacy-related issues associated with the vendor’s offerings. We assess whether the vendor complies with privacy regulations and standards, such as the General Data Protection Regulation (GDPR), and address any potential privacy concerns.
  4. Purchasing: We took note of the vendor requests and assessed whether they involved purchases or renewals. We systematically prepared for procurement activities, ensuring that the necessary documentation and processes were in place for vendor acquisition or renewal.

Strategies for managing vendor risk

The process described above is one part of the strategy. We think of it as a crucial first step, a point-in-time assessment, designed to capture approximately 80% of potential issues upfront. The other 20% involves two elements include: our commitment to continuous monitoring and collaboration among UC’s

(1) Commitment to continuous monitoring 

Monitoring of the vendor extends throughout the vendor’s entire lifecycle. Vendors are not static. Their business evolves and they make adjustments and update their offerings. To avoid risks, we prioritize early contractual agreements that establish a safety net for potential complications. We diligently track and adapt to any alterations vendors make to their operations internally.

(2) Collaboration among UC’s

Presenting at the UC Tech Conference, applying for a UC Tech award, and working with peers across the system are key to our success and what motivates our team. We welcome connecting with colleagues any time, and look forward to seeing you at the upcoming event, where we hope exchange views about our work.

Networking Event: Database design, process design and design accessibility

Tuesday, December 12, 2-3 p.m.
Host: UC Office of the President
Topics: Network among your design colleagues and enjoy a presentation and conversation led by Robert Krumm, UCSF, Ernesto Carrasco and Harold Shin, UCLA, and Kelsey Couzzo, Quantivly. We look forward to hearing your perspectives and questions.
Registration: Zoom Registration Link


Ernesto Carrasco
Director, Governance Risk & Compliance

Harold Shin
Senior IT Risk Analyst 


Brendon Phuong
Marketing & Communications Intern
UC Office of the President