I am always fascinated by the folks who proclaim that it only takes 200, 250, 300 {you fill in the blank} questions to assess a vendor. I’ve been doing this for several decades now and have yet to find a magic number that satisfies the required risk assessment/analysis. Now before you launch into a diatribe about how overly complicated and time-consuming vendor risk assessment has become, let’s level set for a moment.
But let’s not allow the failures of the past to cause the pendulum to swing so far in the other direction that we fail to assess vendor risk properly. Certainly not at a time when the amount of outsourcing continues to increase along with the risk associated with that outsourcing.
My standard response to the comment “that’s way, way too many questions” is to ask which risk areas are not essential to assess, based on what this vendor does for you. Do you care about application security, business resiliency, access control, or a myriad of other risk control areas? Those control areas are what determine which questions are necessary, not some random number.
I have always been a staunch proponent of properly scoped assessments. Failing to properly scope an assessment places an unnecessary burden on everyone. Vendors must pore through a questionnaire that bears little resemblance to their services, which oftentimes increases the time it takes to provide a response and decreases the likelihood that it will be completed when you need it (not to mention how it impacts your relationship with that vendor).
It also increases the workload for assessment review. Every question asked and answered must be reviewed. Let’s say your assessments include 30 unnecessary questions; your analysts are now evaluating 30 additional questions per assessment. That may not sound like much, but multiply it by the number of assessments conducted each year and the number quickly climbs into the hundreds, if not thousands. This effectively reduces the number of assessments an individual assessor can complete.
So, avoid the number game and put in the time to scope assessments properly based on: data type, system access, and business resiliency (or whatever else fits your risk appetite). You’ll find that you can strike a good balance between managing vendor risk and the burden placed on all involved to complete assessments.
Learn more about Prevalent’s comprehensive approach to Third Party Risk Management.
Brad Keller has been developing and leading risk management programs for more than 25 years. Currently, Brad is the Sr. Director of 3rd Party Strategy at Prevalent, Inc. where he focuses on the delivery of Prevalent’s third party risk management and assessment solutions.