How to Select a Vendor Risk Assessment Questionnaire

Why Use Questionnaires to Assess Third-Party Risk?

Third-party risk assessors and risk managers share the common goal to reduce risk – and that starts with information gathering. Risk assessment questionnaires are a great way to get an inside-out, trust-based view on a vendor’s security, privacy and compliance controls. They address a plethora of TPRM concerns such as:

• Is a risk control acceptable?
• Does a risk need to be remediated?
• For an identified risk, is a compensating control in place?
• In areas where there isn’t a risk identified, what is the effectiveness of the control?

While questionnaires are just a part of the third-party risk management equation, they’re the best mechanism for getting a detailed, internal perspective of vendor risk.

Different Questionnaires for Different Assessment Stages

Like a story, each vendor assessment has a beginning, a middle, and an end. Most assessment initiatives leverage different questionnaires to meet the unique needs of each stage:

• Beginning: At the beginning of an assessment, you typically prioritize and tier your vendors using a profiling questionnaire (aka essential or stratification questionnaire).
• Middle: This is the core due diligence phase, where you leverage a primary questionnaire (aka master questionnaire) that’s either proprietary or based on an industry standard. In some cases, you might also use ad-hoc questionnaires to rapidly collect information in response to ever-changing regulations and/or new developments in the threat landscape.
• End: At the end of an engagement, a termination or transition questionnaire can help you ensure that all vendor checks have been securely completed per contractual obligations.

The rest of this post will focus on the primary questionnaire in the due diligence phase.

Comparing Vendor Risk Assessment Questionnaires

The primary vendor risk assessment questionnaire is the one that tends to cause the most consternation – usually around whether to use industry-standard questionnaires or proprietary versions.

Many vendor risk professionals gravitate toward using a proprietary questionnaire. This is often driven by the belief that an industry-standard questionnaire might be too constrictive to meet specific needs. However, there are cases to be made for using both types of questionnaires – either individually or in tandem. We’ll take a look at the pros and cons below.

Regardless of which approach you use for your primary questionnaire, it should collect information based on relevance, accuracy, and effectiveness. Addressing these factors will position each vendor to respond in the context of their service to your organization.

Industry-Standard Questionnaires

Utilizing industry-standard questionnaires (e.g., the Standard Information Gathering (SIG) questionnaire, the H-ISAC questionnaire for healthcare organizations, or the Prevalent Compliance Framework (PCF) questionnaire) can get you started faster by providing an accepted pool of content that your vendors are likely already familiar with. Answering a questionnaire once and sharing it with many partners has a tangible benefit for both the vendor and the assessing company.

Assessing all vendors using the same industry-standard content also provides consistency. You gain a more like-for-like comparison of similar services, while enabling your vendors to eventually share their response with other partners if they choose to do so.

Standard questionnaires provide benefits such as:

• Reducing time spent on content gathering and vendor chasing
• Eliminating questionnaire “fatigue” among responders
• Shifting focus from data collection to risk identification and management
• Speeding the overall risk management lifecycle

There are pros and cons to using an industry-standard questionnaire:

Pros:

1. Content is usually determined by a consortium or a membership community that review regulations as they are released. Content management is therefore handled by someone outside of your company.
2. Information can be collected and shared amongst industry stakeholders to help determine which domains are the riskiest and need attention.
3. Regulatory and compliance mandates are typically already mapped to questions and available to share with internal departments.
4. Questionnaires have baseline risk scores to use and/or adjust.
5. Risk Remediation based on industry-standard frameworks and guidelines may be already configured to help risk managers with standard vendor risk follow-up

Cons:

1. Updates typically happen on an annual basis and require consensus across the owning party.
2. Ad-hoc and/or supplemental questionnaires are necessary to collect content outside of the industry-standard questionnaire

Proprietary Questionnaires

Reasons to use a proprietary questionnaire are usually based on either the desire for consistency with historical practices or the need to fulfill specific vendor risk reporting requirements.

I’ve seen organizations spend up to a year creating proprietary questionnaires. They will collaborate with internal departments to ensure all needs are met. When all is said and done, the accomplishment becomes their prized masterpiece. I’ve also seen those same organizations ultimately decide that their propriety questionnaires still don’t meet their needs and then shift to industry-standard questionnaires!

Given that, proprietary questionnaires are still valuable when:

• There are relatively few vendors in your portfolio to assess
• Several vendors have completed the proprietary questionnaire in the past
• The enterprise needs more time to adjust to an industry-standard (if one is selected)
• Consistency is less important
• The survey mechanism is specific to the needs of your business

There are pros and cons to using a proprietary questionnaire:

Pros:

1. Content gathered is specific to the needs of the business.
2. Existing reporting and processes can stay intact.

Cons:

1. Questionnaire content management is handled internally. This can be a heavy undertaking with the changing risk landscape and regulations.
2. Vendors usually can’t repurpose or share their responses with other customers.
3. Regulatory and compliance mandates requires self-mapping.

Five Tips for Vendor Risk Questionnaire Selection

1. Don’t get locked into a single, rigid questionnaire

Whether you use the standardized or proprietary approach, be sure that potential TPRM solution providers offer the flexibility to deliver both industry-standard and custom questionnaires.

2. Get access to a repository of pre-defined assessments

These include industry-standard questionnaires like the Standard Information Gathering (SIG) Lite or the Healthcare Information Sharing and Analysis Center (H-ISAC) Lite, as well as questionnaires specific to compliance and security frameworks (e.g., CMMC, GDPR, FCA, PCI, ISO 27001, NIST, etc.). This will greatly simplify and automate your survey collection and management process.

3. Keep your customization options open

Look for the capability to import or create items to be reviewed during the assessment process, with customization capabilities for combining questions to meet unique needs.

4. Stop seeking the "Holy Grail"

It’s easy to succumb to analysis paralysis if you try to select a single, “perfect” questionnaire. However, conducting proper due diligence simply isn’t feasible with a one-and-done approach. As soon as you receive the questionnaire responses, the information is already starting to get stale. Maintaining real-time risk knowledge and awareness requires continuous evaluation.

5. Remember that questionnaires only tell part of the story

Be sure to complement periodic, internal assessments with continuous, external vendor threat monitoring. Monitoring provides additional intelligence that can both reveal potential risks as they arise and be used to validate assessment responses regarding specific controls.

Next Steps

Interested in more best practices for third-party risk management? Check out our guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage, or schedule a personalized TPRM maturity assessment with us today.