The best approach to handling vendor questionnaire dilemmas is to find out what the problem is and come up with a solution. I know that seems simple, but I also know that sometimes third-party risk professionals fall into a bad habit of repeatedly knocking on a vendor’s door sending the same template request over and over again. Then, when that doesn’t work, they go right to escalation.
So, before all that, let’s see if we can figure out the problem by better understanding how our message is being received by the vendor, then try to find a solution to help them help you. (If that doesn’t work, by all means, escalate away.)
Reasons Vendors Aren’t Responding to Your Questionnaire Requests
As a third-party risk professional, it’s easy to overlook how requests are being received by a vendor. After all, we likely have hundreds of vendors on the inventory, tens of assessments ongoing at any given time and even more that needed to be kicked off yesterday. But here is your job security, friends: take the time to understand why your outreach isn’t working.
Some of the top reasons vendors fail to respond to requests for due diligence and/or questionnaires include:
- They are busy, task saturated and simply missed it.
- Your request went to spam.
- You’re barking up the wrong tree (meaning, it’s not their job to respond to client requests).
- They don’t understand what you’re asking.
- They’re afraid to honestly answer the questionnaire because they don’t have what you’re asking for.
- They are annoyed because they already provided similar information in the past.
- They don’t feel they need to comply with your request.
What to Do When Vendors Don’t Respond
Now that we’ve reviewed some of the reasons you’re not getting a response, let’s take a look at how to get a handle on it.
Reasons #1-3: Task saturation, misdirected emails or wrong point-of-contact all have some simple fixes.
- Personalize. Stop sending the canned language and ask if you have the right person.
- Reach out. Get in touch with the business owner to see if there is another point of contact, if they can give the vendor a heads up that your request is coming through and/or have their point of contact check the spam folder.
Pro tip: This could also be a solution to reason #7 (non-compliance) because sometimes it only takes a nudge from the person who pays the bills to create that “need.” Like a power cycle, this should all be basic troubleshooting.
- Communicate. Make sure the lines of communication are open and functioning properly.
Reasons #4 and #5: Confusion, reluctance or concern often go hand-in-hand.
- Level-set expectations. Sometimes, these issues may be solved with a simple phone call in order to balance out assumptions.
- Take a different approach. It might even help to imagine taking off your proverbial “auditor” hat and approaching them as a consultant.
Remember that your efforts to manage risks involved with third-party relationships could also be very beneficial to your vendor. On the other hand, especially with smaller shops in industries that speak a different corporate language than yours, you may discover that they are far from being able to respond favorably to your questionnaire.
Now is the time to get creative. Put your questionnaire aside and find out as much as you can about what they do. As time-consuming as it might be, the best solution I can recommend here is to scrub your questionnaire for some attainable controls, provide remediation that is practical for your vendor, then document and report everything.
Reason #6: Annoyance can be indicative of some bigger problems.
When we automate a little too much, or if review tasks become overwhelming, the resulting gaps and mistakes can be very frustrating for vendors.
- Follow up. If a review was going just fine and then a vendor was suddenly unresponsive, check to make sure you didn’t miss something. Have they already answered your question somewhere? Did they send you (or another teammate) the document you’ve asked for?
- Do your homework. Making these mistakes can come off as very inconsiderate to your vendor, and really hurt your working relationship. Take the time to check your bases before you show up in their inbox again.
Reason #7: They don’t feel they need to comply with your request.
- Lean on your contract. If a little outreach from the business owner doesn’t seem to change your vendor’s mind that they should comply with your request, or complete your questionnaire, check the contract. If you’re covered by a hefty right-to-audit, kindly reference or even copy language from your vendor’s contract into your next outreach.
Pro tip: Be careful not to sound too aggressive (leave that to the lawyers if it comes to that), as you’ll likely want to shift into a pleasant working relationship.
If you’re NOT backed by a good contract, you have a couple of options:
- Check your bases. Do you really need them to complete your questionnaire? Do you have an accurate scope of the relationship? If the answer is yes, then get your line of business owner involved.
- Reference the policies and regulations that require you to conduct your assessment. If that still does not entice your vendor to play along, you may have to adjust your request. This can be done by asking if they can provide documents in lieu of completing your questionnaire, another questionnaire they’ve completed that they can share or any control assessments they’re willing to provide you for assurance.
- Provide an attestation. If you still have trouble validating the controls you need, your last resort is an attestation. Ask them to have a senior official sign (ideally on company letterhead) that they have the controls in place that you need, with as much detail as possible.
Another thing to think about: if you’re using standardized outreach templates and questionnaires and find yourself consistently battling to get proper vendor responses, you might need to update your templates. If there are questions that vendors usually don’t understand, fix them. Ask for some insight from people outside your department or even from your communications team. Sometimes an outside perspective is great for understanding how your requests might be received.
Just like that, we’ve identified various common problems and worked up some practical solutions. I hope this helped shed some light on the challenges that come with vendor questionnaires. Of course, don’t forget to document and report all escalations and exceptions. Take good notes, and make sure they’re easy to find for next time.