Utilizing Questionnaires Within Third-Party Risk Management
By: Venminder Thought Leader on September 7, 2021
In the world of vendor risk management or third-party risk management (TPRM), we live and die by questionnaires. This is mostly because, frankly, we need data! We need different data sets from different entities which may vary based on different circumstances, and then we need more data about the data to consolidate a report describing all of that data. It sounds a little ridiculous, but that’s TPRM in a nutshell. So, we find ourselves creating, developing, modifying, enhancing and customizing various questionnaires for different phases of our typical processes. From the outside looking in, it can be very daunting. We’re here to clear up and explain some commonly used phrases, acronyms, and, well, questionnaires utilized in the TPRM process.
Ideally, there are two primary and practical reasons to collect and organize data in TPRM:
- Internal: to understand the services a vendor will be providing
- External: to understand the inner workings of a vendor, in order to know how well they can provide those services
Internal Information Gathering with Questionnaires
It’s most appropriate to ask your internal folks about the vendor relationship and then reach out to the vendor or third party and ask for information regarding their controls, processes and “inner workings.” Sometimes, attempts are made to gather all of this information at once in a single questionnaire, which can be pretty painful for whoever the target audience is.
Whether or not a particular vendor has already been selected, you’ll need to understand a few things such as:
- What is the business need?
- How will the prospective vendor be meeting those business needs?
- What is the nature of services that vendor typically provides?
- What will it cost?
- Is there any associated project that would be affected or required (particularly for technology vendors)?
- What type of data and customer interaction is involved?
Essentially, you’ll need to request information that tells you the inherent risk and business impact (criticality) that a vendor may pose to your organization. Some typical names for internal questionnaires might be:
- Inherent risk questionnaire (IRQ)
- Vendor request form
- Business justification
External Information Gathering with Questionnaires
Once we understand the nature of services, what will be required for the vendor engagement and the inherent risks associated with the vendor, we’ll likely need some more information that only the vendor itself can provide. There are some great “standardized” questionnaires out there designed specifically for this purpose (e.g., SIG, NIST), especially when the relationship entails significant data sharing, integration or reliance on the vendor. However, you’ll also find that for many other relationships, the level of detail gathered in those questionnaires may be overkill.
Two Steps in Determining Questionnaires to Send
1. Set the baseline requirements. Here are some requests that might be included on a vendor questionnaire that can be used to gather some baseline/high-level information from just about any vendor:
  - Legal name, address and contact information
  - Registered state and any applicable licenses/certifications
  - Ownership information (for OFAC checks)
  - Any other pertinent legal or reputational information
  - Applicable insurance
2. Dive in deeper. Under many circumstances, specifically when there is any heightened risk or business dependency on a vendor relationship, you’ll want to take a “deeper dive” and ask for more information. Depending on the nature of services, you may want to incorporate questionnaire items that gather information about the following:
  - Vendor’s financials
  - Human resource policies and procedures, including employee background investigations and training
  - Privacy policies and any related practices and procedures
  - Information security governance and practices, including physical security, access management and testing
  - Business continuity and disaster recovery planning and testing
  - Vendor management and third-party risk
  - Enterprise risk management (ERM) and/or internal audit functions
  - Compliance practices, performance monitoring, complaint and issue management
  - PCI Data Security Standard (PCI DSS) compliance
Three Available External Vendor Questionnaires
There are various questionnaires available to assist with getting in-depth information on your vendors, particularly when it comes to information and cyber security.
Here are some examples:
- Standard Information Gathering (SIG) questionnaires are a holistic tool provided for risk management assessments that cover 18 different areas of risk such as cybersecurity, IT, privacy and data security (e.g., completed on critical business systems or high-risk vendors).
- SIG Lite is a shorter version of the SIG questionnaire. Typically, it’s used as a starting point to conduct an initial assessment of all service providers or on lower risk vendors (e.g., hosting websites or non-critical business systems).
- The National Institute of Standards and Technology (NIST) provides vendor questionnaires which are aligned to its Cybersecurity Framework. NIST is a federal agency within the United States Department of Commerce that establishes computer and information technology-related standards and guidelines for federal agencies. As such, its frameworks have been adapted and cross-referenced across many industries.
Questionnaires can also be used to gather subsets of information outside of the typical review period on a case-by-case basis. This should be considered when trying to understand the impact of a known breach or to gather environmental, social and governance (ESG) metrics if your organization is looking to begin reporting on corporate social responsibility (CSR).
4 Questionnaire Best Practices
As many of us already know, or can at least speculate, sending out lots of extensive questionnaires all the time doesn’t make us very popular. We’ve learned that the way we explain, frame and handle our requests can be very impactful. Here are 4 best practices:
- Remember your manners. It’s rare that your questionnaires will ever be received by someone whose main job is to respond to questionnaires. In fact, a large percentage of recipients won’t even know where to start, which can be very frustrating. Use kindness, make yourself available for questions and try to be understanding about their point of view.
- Provide justification for your request up front. In the best way possible, try to explain why you’re requesting the information. A solid justification up front helps (e.g., “our organization has entrusted yours with highly sensitive information, therefore it’s our duty to ensure the protection of that information aligns with our standards. In order to do this, we’ll need to better understand your internal control environment…”).
- Stay relevant. It can be very frustrating for vendors to receive a lengthy questionnaire which has no relevance to the services they’re providing. Sure, it’s nearly impossible to customize a questionnaire for each vendor, but some effort should be given to understand services up front, and make sure the information you’re trying to gather is pertinent.
- Keep good records of what you’ve collected from vendors in the past. A quick way to make anyone upset is by asking them for the same thing twice. This often happens in TPRM since we have so many vendors to manage. It’s hard to keep track. However, it’s important to be mindful of the work a vendor has already put into your requests. Perhaps even send an old assessment with 100 questions already answered, asking for “recertification” or “validation that this information is still true and accurate.”
As you can see, there are many ways to use questionnaires within the third-party risk space, and many different options for how to put them together. As with many other components of TPRM, the best questionnaires for you to use are ones that make the most sense for your organizational process, resources and risk appetites. Understanding the spirit of the rules that apply to your industry and being able to practically justify decisions that were made are key to passing any regulatory scrutiny that may come your way.