Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

900 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2021 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resource-whitepaper-state-of-third-party-risk-management-2022
State of Third-Party Risk Management 2022

Venminder's sixth annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

Utilizing Questionnaires Within Third-Party Risk Management

5 min read
Featured Image

In the world of vendor risk management or third-party risk management (TPRM), we live and die by questionnaires. This is mostly because, frankly, we need data! We need different data sets from different entities which may vary based on different circumstances, and then we need more data about the data to consolidate a report describing all of that data. It sounds a little ridiculous, but that’s TPRM in a nutshell. So, we find ourselves creating, developing, modifying, enhancing and customizing various questionnaires for different phases of our typical processes. From the outside looking in, it can be very daunting. We’re here to clear up and explain some commonly used phrases, acronyms, and, well, questionnaires utilized in the TPRM process.

Ideally, there are two primary and practical reasons to collect and organize data in TRPM:

  1. Internal: to understand the services a vendor will be providing
  2. External: to understand the inner workings of a vendor, in order to know how well they can provide those services

TPRM Questionnaires-02-1

Internal Information Gathering with Questionnaires

It’s most appropriate to ask your internal folks about the vendor relationship and then reach out to the vendor or third party and ask for information regarding their controls, processes and “inner workings.” Sometimes, attempts are made to gather all of this information at once in a single questionnaire, which can be pretty painful for whoever the target audience is.

Whether or not a particular vendor has already been selected, you’ll need to understand a few things such as:

  1. What is the business need?
  2. How will the prospective vendor be meeting those business needs?
  3. What is the nature of services that vendor typically provides?
  4. What will it cost?
  5. Is there any associated project that would be affected or required (particularly for technology vendors)?
  6. What type of data and customer interaction is involved?

Essentially, you’ll need to request information that tells you the inherent risk and business impact (criticality) that a vendor may pose your organization. Some typical names for internal questionnaires might be:

  • Inherent risk questionnaire (IRQ)
  • Vendor request form
  • Business justification

External Information Gathering with Questionnaires

Once we understand the nature of services, what will be required for the vendor engagement and the inherent risks associated with the vendor, we’ll likely need some more information that only the vendor itself can provide. There are some great “standardized” questionnaires out there designed specifically for this purpose (i.e., SIG, NIST), especially when the relationship entails significant data sharing, integration or reliability. However, you’ll also find that for many other relationships, the level of detail gathered in those questionnaires may be overkill.

Two Steps in Determining Questionnaires to Send

  1. Set the baseline requirements. Here are some requests that might be included on a vendor questionnaire that can be used to gather some baseline/high-level information from just about any vendor:
    • Legal name, address and contact information
    • Registered state, and any applicable licenses/certifications
    • Ownership information (for OFAC checks)
    • Any other pertinent legal or reputational information
    • Applicable insurance
    These items will be useful for maintaining good vendor records and will assist you in conducting a background check on your vendor.
  2. Dive in deeper. Under many circumstances, specifically when there is any heightened risk or business dependency on a vendor relationship, you’ll want to take a “deeper dive,” and ask for more information. Depending on the nature of services, you may want to incorporate questionnaire items that gather information about the following:
    • Vendor’s financials
    • Human resource policies and procedures, including employee background investigations and training
    • Privacy policies and any related practices and procedures
    • Information security governance and practices, including physical security, access management and testing
    • Business continuity and disaster recovery planning and testing
    • Vendor management and third-party risk
    • Enterprise risk management (ERM) and/or internal audit functions
    • Compliance practices, performance monitoring, complaint and issue management
    • PCI Data Security Standards (DSS)

Three Available External Vendor Questionnaires

There are various questionnaires which are available out there to assist with getting in-depth information on your vendors, particularly when it comes to information and cyber security.

Here are some examples:

  • Standard Information Gathering (SIG) questionnaires are a holistic tool provided for risk management assessments that cover 18 different areas of risk such as cybersecurity, IT, privacy and data security (e.g., completed on critical business systems or high-risk vendors).
  • SIG Lite is a shorter version of the SIG questionnaire. Typically, it’s used as a starting point to conduct an initial assessment of all service providers or on lower risk vendors (e.g., hosting websites or non-critical business systems).
  • National Institution of Standards and Technology (NIST) provides vendor questionnaires which are aligned to their cybersecurity framework. NIST is a federal agency within the United States Department of Commerce that establishes computer and information technology-related standards and guidelines for federal agencies. As such, their frameworks have been adapted and cross referenced across many industries.

Questionnaires can also be used to gather subsets of information outside of the typical review period on a case-by-case basis. This should be considered when trying to understand the impact of a known breach or to gather environmental, social and governance (ESG) metrics if your organization is looking to begin reporting on corporate social responsibility (CSR).

4 Questionnaire Best Practices

As many of us already know, or can at least speculate, sending out lots of extensive questionnaires all the time doesn’t make us very popular. We’ve learned that the way we explain, frame and handle our requests can be very impactful. Here are 4 best practices:

  1. Remember your manners. It’s rare that your questionnaires will ever be received by someone whose main job is to respond to questionnaires. In fact, a large percentage of recipients won’t even know where to start, which can be very frustrating. Use kindness, make yourself available for questions and try to be understanding about their point of view.
  2. Provide justification for your request up front. In the best way possible, try to explain why you’re requesting the information. A solid justification up front helps (i.e., “our organization has entrusted yours with highly sensitive information, therefore it’s our duty to ensure the protection of that information aligns with our standards. In order to do this, we’ll need to better understand your internal control environment…”).
  3. Stay relevant. It can be very frustrating for vendors to receive a lengthy questionnaire which has no relevance to the services they’re providing. Sure, it’s nearly impossible to customize a questionnaire for each vendor, but some effort should be given to understand services up front, and make sure the information you’re trying to gather is pertinent.
  4. Keep good records of what you’ve collected from vendors in the past. A quick way to make anyone upset is by asking them for the same thing twice. This often happens in TPRM since we have so many vendors to manage. It’s hard to keep track. However, it’s important to be mindful of the work a vendor has already put into your requests. Perhaps even send an old assessment with 100 questions already answered, asking for “recertification” or “validation that this information is still true and accurate.”

As you can see, there are many ways to use questionnaires within the third-party risk space, and many different options for how to put them together. As with many other components of TPRM, the best questionnaires for you to use are ones that make the most sense for your organizational process, resources and risk appetites. Understanding the spirit of the rules that apply to your industry and being able to practically justify decisions that were made are key to passing any regulatory scrutiny that may come your way.

 

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo