Just about every mature third-party risk management (TPRM) program relies on risk assessment questionnaires to collect information on vendor controls and spotlight potential exposures. When building your TPRM program, one of the biggest decisions you’ll make is determining which questionnaire(s) to use and when to use them. There’s no shortage to choose from, but how do you select what’s most meaningful for your organization while making the best use of your vendors’ time?
In this post, we’ll review the purpose of vendor risk assessment questionnaires and review the pros and cons of different types. We’ll then close with 5 tips for selecting the questionnaire approach that’s best for you.
Third-party risk assessors and risk managers share the common goal to reduce risk – and that starts with information gathering. Risk assessment questionnaires are a great way to get an inside-out, trust-based view on a vendor’s security, privacy and compliance controls. They address a plethora of TPRM concerns such as:
While questionnaires are just a part of the third-party risk management equation, they’re the best mechanism for getting a detailed, internal perspective of vendor risk.
Like a story, each vendor assessment has a beginning, a middle, and an end. Most assessment initiatives leverage different questionnaires to meet the unique needs of each stage:
The rest of this post will focus on the primary questionnaire in the due diligence phase.
The primary vendor risk assessment questionnaire is the one that tends to cause the most consternation – usually around whether to use industry-standard questionnaires or proprietary versions.
Many vendor risk professionals gravitate toward using a proprietary questionnaire. This is often driven by the belief that an industry-standard questionnaire might be too constrictive to meet specific needs. However, there are cases to be made for using both types of questionnaires – either individually or in tandem. We’ll take a look at the pros and cons below.
Regardless of which approach you use for your primary questionnaire, it should collect information based on relevance, accuracy, and effectiveness. Addressing these factors will position each vendor to respond in the context of their service to your organization.
Utilizing industry-standard questionnaires (e.g., the Standard Information Gathering (SIG) questionnaire, the H-ISAC questionnaire for healthcare organizations, or the Prevalent Compliance Framework (PCF) questionnaire) can get you started faster by providing an accepted pool of content that your vendors are likely already familiar with. Answering a questionnaire once and sharing it with many partners has a tangible benefit for both the vendor and the assessing company.
Assessing all vendors using the same industry-standard content also provides consistency. You gain a more like-for-like comparison of similar services, while enabling your vendors to eventually share their response with other partners if they choose to do so.
Standard questionnaires provide benefits such as:
There are pros and cons to using an industry-standard questionnaire:
Reasons to use a proprietary questionnaire are usually based on either the desire for consistency with historical practices or the need to fulfill specific reporting requirements.
I’ve seen organizations spend up to a year creating proprietary questionnaires. They will collaborate with internal departments to ensure all needs are met. When all is said and done, the accomplishment becomes their prized masterpiece. I’ve also seen those same organizations ultimately decide that their propriety questionnaires still don’t meet their needs and then shift to industry-standard questionnaires!
Given that, proprietary questionnaires are still valuable when:
There are pros and cons to using a proprietary questionnaire:
1. Don’t get locked into a single, rigid questionnaire
Whether you use the standardized or proprietary approach, be sure that potential TPRM solution providers offer the flexibility to deliver both industry-standard and custom questionnaires.
2. Get access to a repository of pre-defined assessments
These include industry-standard questionnaires like the Standard Information Gathering (SIG) Lite or the Healthcare Information Sharing and Analysis Center (H-ISAC) Lite, as well as questionnaires specific to compliance and security frameworks (e.g., CMMC, GDPR, FCA, PCI-DSS, ISO27001, NIST, etc.). This will greatly simplify and automate your survey collection and management process.
3. Keep your customization options open
Look for the capability to import or create items to be reviewed during the assessment process, with customization capabilities for combining questions to meet unique needs.
4. Stop seeking the "Holy Grail"
It’s easy to succumb to analysis paralysis if you try to select a single, “perfect” questionnaire. However, conducting proper due diligence simply isn’t feasible with a one-and-done approach. As soon as you receive the questionnaire responses, the information is already starting to get stale. Maintaining real-time risk knowledge and awareness requires continuous evaluation.
5. Remember that questionnaires only tell part of the story
Be sure to complement periodic, internal assessments with continuous, external vendor threat monitoring. Monitoring provides additional intelligence that can both reveal potential risks as they arise and be used to validate assessment responses regarding specific controls.
Interested in more best practices for third-party risk management? Check out our guide, Five Steps to Proactive Third-Party Risk Management or schedule a personalized TPRM maturity assessment with us today.