How to Select a Vendor Risk Assessment Questionnaire

Discover the pros and cons of different vendor risk assessment questionnaires, and get tips for selecting the right approach for your organization.
By:
Sarah Hemmersbach
,
Content Marketing Manager
July 09, 2024

Every mature third-party risk management (TPRM) program relies on risk assessment questionnaires to collect information on vendor controls and spotlight potential exposures. When building your TPRM program, one of the most significant decisions you'll make is determining which questionnaire(s) to use and when to use them. There is no shortage of options, so how do you select the one that yields the most meaningful information for your organization while making the best use of your vendors' time?

In this post, we’ll review the purpose of vendor risk assessment questionnaires, the pros and cons of different types, and provide four tips for selecting the best questionnaire approach for you.



Why Use Questionnaires to Assess Third-Party Risk?

Third-party risk assessors and risk managers share the common goal of reducing risk, and that starts with information gathering. Risk assessment questionnaires are an effective way to get an inside-out, trust-based view of a vendor's security, privacy, and compliance controls: the vendor describes its own controls, and you evaluate the answers. They help answer core TPRM questions such as:

  • Is the vendor's control over a given risk acceptable?
  • Does an identified risk need remediation?
  • For an identified risk, is a compensating control in place?
  • In areas where no risk has been identified, how effective is the existing control?

While questionnaires are only one part of the third-party risk management equation, they are the most practical mechanism for getting a detailed, internal perspective of vendor risk. Keep in mind that responses are self-attested, so they should be corroborated with supporting evidence where the risk warrants it.

Different Questionnaires for Different Assessment Stages

Like a story, each vendor assessment has a beginning, a middle, and an end. Most assessment initiatives leverage different questionnaires to meet the unique needs of each stage:

  • Beginning: At the beginning of an assessment, you typically prioritize and tier your vendors using a profiling questionnaire (aka essential or stratification questionnaire).
  • Middle: This is the core due diligence phase, where you leverage a primary questionnaire (aka master questionnaire) that's either proprietary or based on an industry standard. Sometimes, you might also use ad-hoc questionnaires to rapidly collect information in response to ever-changing regulations and new developments in the threat landscape.
  • End: At the end of an engagement, use a termination or transition questionnaire to confirm that all offboarding obligations in the contract (for example, return or destruction of your data and revocation of any access the vendor held) have been completed.

The rest of this post will focus on the primary questionnaire in the due diligence phase.

Comparing Vendor Risk Assessment Questionnaires

The primary vendor risk assessment questionnaire tends to cause the most consternation, usually about whether to use industry-standard questionnaires or proprietary versions.

Many vendor risk professionals gravitate toward using a proprietary questionnaire. This choice often stems from the belief that an industry-standard questionnaire might be too constrictive to meet specific needs. However, you can make a case for using both types of questionnaires, individually or in tandem. Let's examine the pros and cons below.

Regardless of which approach you use for your primary questionnaire, the questions it asks should be relevant to the service the vendor provides, elicit accurate answers, and give you a usable picture of control effectiveness. Addressing these factors will position each vendor to respond in the context of their service to your organization.

Industry-Standard Questionnaires

Utilizing industry-standard questionnaires, such as the Standard Information Gathering (SIG) questionnaire or the H-ISAC questionnaire for healthcare organizations, can get you started faster by providing an accepted pool of content that your vendors are likely already familiar with. Answering a questionnaire once and sharing it with many partners has a tangible benefit for the vendor and the assessing company.

Assessing all vendors using the same industry-standard content also provides consistency. You gain a more like-for-like comparison of similar services while enabling your vendors to eventually share their responses with other partners if they choose to do so.

Standard questionnaires provide benefits such as:

  • Reducing time spent on content gathering and vendor chasing
  • Reducing questionnaire fatigue among responders
  • Shifting focus from data collection to risk identification and management
  • Speeding the overall risk management lifecycle

There are pros and cons to using an industry-standard questionnaire:

Pros:

  1. Content is usually determined by a consortium or a membership community that reviews regulations as they are released. Therefore, content management is handled by someone outside of your company.
  2. Information can be collected and shared amongst industry stakeholders to help determine which domains are the riskiest and need attention.
  3. Regulatory and compliance mandates are typically mapped to questions and available to share with internal departments.
  4. Questionnaires have baseline risk scores to use and adjust.
  5. Industry-standard frameworks and guidelines may already include standard remediation guidance, which helps risk managers with routine vendor risk follow-up.

Cons:

  1. Updates typically happen annually and require consensus within the owning body, so the content can lag behind new regulations and threats.
  2. Ad-hoc and supplemental questionnaires are necessary to collect content outside the industry-standard questionnaire.


Proprietary Questionnaires

Using a proprietary questionnaire is usually motivated by either the desire for consistency with historical practices or the need to fulfill specific vendor risk reporting requirements.

Organizations may spend up to a year creating proprietary questionnaires and collaborating with internal departments to meet all needs. When completed, this accomplishment often becomes their prized masterpiece. However, many of these organizations ultimately find that their proprietary questionnaires still don't meet their needs and shift to industry-standard questionnaires.

Given that, proprietary questionnaires are still valuable when:

  • There are relatively few vendors in your portfolio to assess
  • Several vendors have completed the proprietary questionnaire in the past
  • The enterprise needs more time to adjust to an industry-standard (if one is selected)
  • Consistency is less important
  • The survey mechanism is specific to the needs of your business

There are pros and cons to using a proprietary questionnaire:

Pros:

  1. The content gathered is specific to the needs of the business.
  2. Existing reporting and processes can stay intact.

Cons:

  1. Internal teams handle questionnaire content management, which can be a heavy undertaking due to the changing risk landscape and regulations.
  2. Vendors usually can't repurpose or share their responses with other customers.
  3. Regulatory and compliance mandates require self-mapping.

Four Tips for Vendor Risk Questionnaire Selection

1. Don't get locked into a single, rigid questionnaire

It's easy to fall into analysis paralysis when selecting a single, "perfect" questionnaire. However, proper due diligence isn't feasible with a one-and-done approach. As soon as you receive questionnaire responses, the information begins to go stale. Maintaining current risk knowledge and awareness requires continuous evaluation. Whether using a standardized or proprietary approach, ensure that potential TPRM solution providers offer the flexibility to deliver both industry-standard and custom questionnaires.

2. Get access to a repository of pre-defined assessments

These include industry-standard questionnaires like the Standard Information Gathering (SIG) Lite or the Healthcare Information Sharing and Analysis Center (H-ISAC) Lite, as well as questionnaires specific to compliance and security frameworks (e.g., CMMC, GDPR, FCA, PCI, ISO 27001, NIST, etc.). Look for solutions that automatically map questionnaires to relevant frameworks, helping streamline your survey collection and management process.

3. Keep your customization options open

Seek the capability to import or create items for review during the assessment process, along with customization options for combining questions to meet unique needs.

4. Remember that questionnaires only tell part of the story

Complement periodic questionnaire-based assessments with continuous external vendor threat monitoring. Monitoring provides additional intelligence that can both reveal potential risks as they arise and be used to validate self-attested responses about specific controls; where the external view contradicts what a vendor reported, treat that as a finding to follow up on rather than accepting the questionnaire answer at face value.

Next Steps

Gain more insight into best practices for third-party risk management with our guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage, or see how Prevalent can help you set up your third-party risk management program for success with a strategy call or demo today.
