Utilizing Questionnaires Within Third-Party Risk Management

In the world of vendor risk management or third-party risk management (TPRM), we live and die by questionnaires. This is mostly because, frankly, we need data! We need different data sets from different entities which may vary based on different circumstances, and then we need more data about the data to consolidate a report describing all of that data. It sounds a little ridiculous, but that’s TPRM in a nutshell. So, we find ourselves creating, developing, modifying, enhancing and customizing various questionnaires for different phases of our typical processes. From the outside looking in, it can be very daunting. We’re here to clear up and explain some commonly used phrases, acronyms, and, well, questionnaires utilized in the TPRM process.

Ideally, there are two primary and practical reasons to collect and organize data in TPRM:

  1. Internal: to understand the services a vendor will be providing
  2. External: to understand the inner workings of a vendor, in order to know how well they can provide those services

Internal Information Gathering with Questionnaires

It’s most appropriate to ask your internal folks about the vendor relationship and then reach out to the vendor or third party and ask for information regarding their controls, processes and “inner workings.” Sometimes, attempts are made to gather all of this information at once in a single questionnaire, which can be pretty painful for whoever the target audience is.

Whether or not a particular vendor has already been selected, you’ll need to understand a few things such as:

  1. What is the business need?
  2. How will the prospective vendor be meeting those business needs?
  3. What is the nature of services that vendor typically provides?
  4. What will it cost?
  5. Is there any associated project that would be affected or required (particularly for technology vendors)?
  6. What type of data and customer interaction is involved?

Essentially, you’ll need to request information that tells you the inherent risk and business impact (criticality) that a vendor may pose to your organization. Some typical names for internal questionnaires might be:

  • Inherent risk questionnaire (IRQ)
  • Vendor request form
  • Business justification

External Information Gathering with Questionnaires

Once we understand the nature of services, what will be required for the vendor engagement and the inherent risks associated with the vendor, we’ll likely need some more information that only the vendor itself can provide. There are some great “standardized” questionnaires out there designed specifically for this purpose (e.g., SIG, NIST), especially when the relationship entails significant data sharing, integration or reliance on the vendor. However, you’ll also find that for many other relationships, the level of detail gathered in those questionnaires may be overkill.

Two Steps in Determining Questionnaires to Send

  1. Set the baseline requirements. Here are some requests that might be included on a vendor questionnaire that can be used to gather some baseline/high-level information from just about any vendor:
    • Legal name, address and contact information
    • Registered state, and any applicable licenses/certifications
    • Ownership information (for OFAC checks)
    • Any other pertinent legal or reputational information
    • Applicable insurance
    These items will be useful for maintaining good vendor records and will assist you in conducting a background check on your vendor.
  2. Dive in deeper. Under many circumstances, specifically when there is any heightened risk or business dependency on a vendor relationship, you’ll want to take a “deeper dive,” and ask for more information. Depending on the nature of services, you may want to incorporate questionnaire items that gather information about the following:
    • Vendor’s financials
    • Human resource policies and procedures, including employee background investigations and training
    • Privacy policies and any related practices and procedures
    • Information security governance and practices, including physical security, access management and testing
    • Business continuity and disaster recovery planning and testing
    • Vendor management and third-party risk
    • Enterprise risk management (ERM) and/or internal audit functions
    • Compliance practices, performance monitoring, complaint and issue management
    • PCI Data Security Standard (PCI DSS) compliance

Three Available External Vendor Questionnaires

Various questionnaires are available to help you gather in-depth information on your vendors, particularly when it comes to information and cyber security.

Here are some examples:

  • Standardized Information Gathering (SIG) questionnaires are a holistic tool for risk management assessments that cover 18 different areas of risk such as cybersecurity, IT, privacy and data security (e.g., completed on critical business systems or high-risk vendors).
  • SIG Lite is a shorter version of the SIG questionnaire. Typically, it’s used as a starting point to conduct an initial assessment of all service providers or on lower risk vendors (e.g., hosting websites or non-critical business systems).
  • The National Institute of Standards and Technology (NIST) provides vendor questionnaires which are aligned to its Cybersecurity Framework. NIST is a federal agency within the United States Department of Commerce that establishes computer and information technology-related standards and guidelines for federal agencies. As such, its frameworks have been adapted and cross-referenced across many industries.

Questionnaires can also be used to gather subsets of information outside of the typical review period on a case-by-case basis. This should be considered when trying to understand the impact of a known breach or to gather environmental, social and governance (ESG) metrics if your organization is looking to begin reporting on corporate social responsibility (CSR).

4 Questionnaire Best Practices

As many of us already know, or can at least speculate, sending out lots of extensive questionnaires all the time doesn’t make us very popular. We’ve learned that the way we explain, frame and handle our requests can be very impactful. Here are 4 best practices:

  1. Remember your manners. It’s rare that your questionnaires will ever be received by someone whose main job is to respond to questionnaires. In fact, a large percentage of recipients won’t even know where to start, which can be very frustrating. Use kindness, make yourself available for questions and try to be understanding about their point of view.
  2. Provide justification for your request up front. In the best way possible, try to explain why you’re requesting the information. A solid justification up front helps (e.g., “our organization has entrusted yours with highly sensitive information, therefore it’s our duty to ensure the protection of that information aligns with our standards. In order to do this, we’ll need to better understand your internal control environment…”).
  3. Stay relevant. It can be very frustrating for vendors to receive a lengthy questionnaire which has no relevance to the services they’re providing. Sure, it’s nearly impossible to customize a questionnaire for each vendor, but some effort should be given to understand services up front, and make sure the information you’re trying to gather is pertinent.
  4. Keep good records of what you’ve collected from vendors in the past. A quick way to make anyone upset is by asking them for the same thing twice. This often happens in TPRM since we have so many vendors to manage. It’s hard to keep track. However, it’s important to be mindful of the work a vendor has already put into your requests. Perhaps even send an old assessment with 100 questions already answered, asking for “recertification” or “validation that this information is still true and accurate.”

As you can see, there are many ways to use questionnaires within the third-party risk space, and many different options for how to put them together. As with many other components of TPRM, the best questionnaires for you to use are ones that make the most sense for your organizational process, resources and risk appetites. Understanding the spirit of the rules that apply to your industry and being able to practically justify decisions that were made are key to passing any regulatory scrutiny that may come your way.
