How to build the best third-party vendor risk assessment questionnaire
Third-party risk is a real and growing challenge for organizations — especially regarding cybersecurity. In a 2019 survey, 53% of IT professional respondents reported having suffered a third-party data breach in the last two years.
Businesses are taking proactive steps to address this risk. Third-party risk management technology can transform your ability to manage and mitigate third-party risk — cyber and otherwise. But as well as — and often in conjunction with — software solutions, companies can bolster their approach to third-party risk via a practical tool: the third-party vendor risk assessment questionnaire.
Here, we cover the following topics:
- A definition of third-party vendor risk assessment questionnaire
- Why a third-party vendor risk assessment questionnaire is important
- How to create a TPRM questionnaire
- Ways a vendor risk assessment questionnaire can enhance your TPRM program
What Is a Third-party Vendor Risk Assessment Questionnaire?
Third-party risk management is rising up the corporate agenda as supply chains grow more complex, the world more volatile, and the global business landscape more interconnected.
While all stages of the third-party risk management lifecycle are essential, it’s when you are selecting and onboarding suppliers that can arguably have the most significant impact on your third-party risk. That’s when the third-party risk management questionnaire comes into play.
Sometimes referred to as a third-party assessment questionnaire, a vendor risk management questionnaire or a third-party security assessment questionnaire, a TPRM questionnaire enables you to quickly understand a potential vendor’s risk before you commit to working with them.
A one-size fits all approach doesn’t work when it comes to third-party risk management — so it stands to reason that you should also tailor your vendor risk assessment questionnaire.
How Can a Third-party Vendor Risk Assessment Questionnaire Help You?
Your internal controls, human rights, environmental credentials and security policies may be impeccable. But when you bring a third-party provider into the mix, your risk escalates regardless of how faultless your own approach is.
Suppose your organization is in a highly-regulated sector governed by stringent controls like HIPAA or is particularly vulnerable to cyber risk. The need for thorough third-party risk assessment is even more acute in that case. And the selection and onboarding process is the ideal time to assess third-party risk.
A third-party vendor risk assessment questionnaire will help to determine that a potential supplier:
- Has the right processes, cybersecurity frameworks, checks and internal controls in place to ensure they meet required standards on issues like information security, sustainability and diversity, equity and inclusion
- Has sufficient business continuity and disaster recovery capability to cope with the unexpected
- Isn’t exposed to excessive risk due to their operating locations or their relationships with fourth parties
While third-party vendor risk assessment questionnaires are just one aspect of effective third-party risk management, they can play a central role in reducing your third-party risk.
Assessing vendor security and risk profile via a TPRM questionnaire is critical to your TPRM program. But how do you go about designing your vendor management questionnaire?
How to Build a Third-party Risk Assessment Questionnaire
Once you’ve decided that you need a third-party assessment questionnaire to support your vendor risk management, how do you build it?
The good news is that there are industry-standard questionnaires on that you can base your TPRM questionnaire. And then add bespoke questions that get to the heart of your specific needs.
For instance, you might use any of the following as the foundation for your supplier risk assessment questionnaire:
1. NIST 800-171
This is a guiding document from the National Institute of Standards and Technology, a U.S. federal agency responsible for managing how third parties, partners and contractors handle government information. NIST 800-171 mandates how defense contractors and subcontractors should manage controlled, unclassified information (CUI). A NIST 800-171 checklist can be a good starting point for your vendor risk assessment questionnaire.
2. The Center for Internet Security (CIS) Benchmarks
CIS benchmarks are a set of compliance best practices covering a range of IT systems and products. Adhering to them will ensure compliance with CIS standards and industry-agreed cybersecurity standards.
CIS controls are recognized as the baseline for effective IT risk management, aligning with frameworks like NIST 800-53a and regulations, including HIPAA, providing a good starting point for cybersecurity questions in your third-party vendor risk assessment questionnaire. Add questions around things specific to your vendors — their application controls, for instance — to tailor the questions to your needs.
3. Frameworks from Industry Bodies and Trade Associations
Organizations like the Cloud Security Alliance and the Vendor Security Alliance have developed their frameworks for IT compliance. There may be elements you can draw from these to build your own third-party assessment questionnaire.
Once you have identified the external frameworks you can use to base your third-party questionnaire on, it’s a matter of tailoring and supplementing their questions with any you need to tackle organization- or supplier-specific risks you must address.
Are There Any Negatives To Third-party Risk Assessment Questionnaires?
There are lots of positives to implementing a third-party risk management questionnaire. But are there any downsides?
It’s probably fair to say that while there are no downsides as such to strengthening your third-party vendor risk management by introducing a vendor management risk assessment questionnaire, it can bring challenges and limitations.
One of the challenges is the administration of TPRM questionnaires. Manage the process manually, and it can be very labor-intensive. Many organizations are therefore extending the automation of their third-party risk management to include automating their third-party risk questionnaire process.
A limitation is the “snapshot” nature of a questionnaire. However well-designed, a vendor risk assessment questionnaire only gives a perspective on third-party risk at a point in time. Technology, again, can help here, giving real-time information on vendor risk performance, detailing exceptions to their controls and capturing any changes to threat levels caused by vendor practices.
And, of course, the questionnaire is completed by the vendor themselves and relies on their ability to assess risk and report candidly on it. As a result, a supplier risk assessment questionnaire does not consistently deliver an objective view of third-party risk.
Strengthen Your Third-party Risk Assessment Processes
There’s no doubt that implementing a comprehensive third-party vendor risk assessment questionnaire can enhance your approach to third-party risk, particularly if you are seeking to improve your cybersecurity. As part of your wider third-party risk management policy, a well-written third-party assessment questionnaire can make your approach more watertight.
But in a digital landscape, as organizations rely increasingly on IT infrastructure, both in-house, third-party and cloud-based, questionnaires may not be enough. Increased vulnerability to cyberattacks, as threat actors become more cunning and businesses increase their reliance on technology, is exacerbated by a reliance on third parties.
You need to meet this growing threat. You must be able to scale your approach as your operations and your digital footprint grow. Your entire team needs to understand the risks you face; cybersecurity compliance needs to be built into your operations, not an added extra. Effective third-party risk management requires that you’re able to test and corroborate the claims your third-party vendors make about their risk management strategies, rather than relying entirely on self-completed questionnaires.
The risks you face need to be mitigated by combining pragmatic solutions, like third-party vendor risk assessment questionnaires, with cutting-edge technology that provides watertight assurance on third-party risk in real-time.
A Diligent whitepaper, Technology and Risk Management: A Checklist for Successfully Managing IT Risk & Third-Party Risk provides a roadmap to implementing IT and third-party risk management technology. The paper details how you can protect your organization, enhancing your risk management programs by using technology to supplement more prosaic solutions like third-party vendor risk assessment questionnaires. Download your copy here.
