Vendor Risk Classification and Due Diligence are key elements in an organization’s Third-Party Risk Management (TPRM) program. Vendor Risk Classification involves calculating the inherent risks that a vendor poses to an organization. Several factors come into play to determine the inherent risks. Are the vendor’s services critical to the operations of the company? What kind of data does the vendor access? Does the vendor have access to the company’s network? Based on the inherent risk, vendors are segregated into three risk tiers: Low, Medium, and High.
Risk Analysts use the risk tiers to assign appropriate questionnaires to vendors. A risk analyst may assign the SIG Lite questionnaire to a medium-risk vendor, and a CAIQ questionnaire to a vendor that stores data in the Cloud.
Within the SIG questionnaire, there are 18 different control domains. For example, the questions explore the information technology, resiliency, cyber security, data security, and privacy domains. The SIG Lite includes 330 controls, whereas the SIG Core includes 850 controls.
As part of the assessment process, vendors are required to provide their responses against each control. Responses can be Yes, No, N/A, or Partially. In some assessments, vendors are also required to provide detailed comments against each control. I can almost hear the vendors sighing and groaning as they complete the questionnaire. And the process doesn’t end here. In some cases, risk analysts can create follow-up requests to gather proof that the vendor has the said controls in place. The proof, in this case, includes policies and standards, network security diagrams, and screenshots of logs.
But, is there another alternative to this cumbersome process? Imagine a small company of about 15 employees that offers Digital Marketing Services. All that they are trying to do is gain business. While it is crucial to understand the risks they pose, do they really have to complete an 850-control questionnaire to gain business?
The questions remain: How much is too much? Is assigning an 850-control questionnaire to a vendor the best and most effective way to gauge the risk they pose? Is there a way to simplify the process without compromising the quality? How can we reduce vendor fatigue arising from filling up complex forms and going through onerous processes?
There are several solutions that can be considered to reduce vendor fatigue. The solutions below can also help Third-Party Risk Assessors (TPRA) keep the focus on critical controls while increasing the speed and effectiveness of assessment reviews.
- Scoping Questionnaires
- Applying Two Due Diligence Questionnaires: RFP-Focused, Onboarding
- Implementing Service-based Questionnaires
We shall now explore each solution in detail.
Scoping Questionnaires
Scoping a questionnaire enables the Risk Analyst to conduct accurate due diligence by putting more focus on critical controls and assigning only the appropriate set of control domains to a vendor. Scoping consists of taking the responses provided on the inherent risk questionnaire and filtering the control questions based on those responses. While scoping, it is important to understand the details and scope of the service and of the scoped data.
Consider a vendor that conducts Market Research and Analysis. If the vendor is not developing an application for the outsourcer, you can scope out any questions related to Application Security. If the vendor is not storing any data in the cloud, you can scope out questions related to Cloud Security. This exercise scopes out approximately 180 controls from the SIG questionnaire.
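The scoping logic described above, as an added example that is not part of the original article: inherent-risk answers are mapped to a tier, and scoping rules drive which control domains are dropped. The domain sizes, the scoring weights, and the extra Network Security rule are constructed assumptions; only the 850-control total and the roughly 180 controls removed for a Market Research vendor follow the article's figures.

```python
# Added illustration of inherent-risk tiering and questionnaire scoping.
# Domain sizes and scoring are constructed; they are not the real SIG split.
from dataclasses import dataclass


@dataclass
class InherentRisk:
    critical_service: bool      # Are the vendor's services critical to operations?
    data_classes: set           # e.g. {"PII", "financial"}; empty if no data access
    network_access: bool        # Does the vendor connect to the company network?
    develops_application: bool  # Is the vendor building software for the outsourcer?
    stores_in_cloud: bool       # Does the vendor store company data in the cloud?


def tier(r: InherentRisk) -> str:
    """Map inherent-risk answers to Low / Medium / High (constructed weights)."""
    score = 2 if r.critical_service else 0
    sensitive = r.data_classes & {"PII", "financial", "health"}
    score += 2 if sensitive else (1 if r.data_classes else 0)
    score += 1 if r.network_access else 0
    return "High" if score >= 4 else "Medium" if score >= 2 else "Low"


# Constructed SIG Core-like domain sizes that sum to the article's 850 controls.
SIG_CORE_DOMAINS = {
    "Application Security": 120, "Cloud Security": 60, "Access Control": 90,
    "Network Security": 80, "Data Security & Privacy": 110, "Resiliency": 70,
    "Incident Management": 50, "Asset Management": 40, "Other domains": 230,
}

# Scoping rules: a predicate over the inherent-risk answers and the domains it removes.
# The first two rules come from the article; the Network Security rule is an assumed extension.
SCOPING_RULES = [
    (lambda r: not r.develops_application, {"Application Security"}),
    (lambda r: not r.stores_in_cloud, {"Cloud Security"}),
    (lambda r: not r.network_access, {"Network Security"}),
]


def scope_questionnaire(r: InherentRisk, domains=SIG_CORE_DOMAINS):
    """Return (in-scope domains, number of controls scoped out) for this vendor."""
    removed = set()
    for applies, out_domains in SCOPING_RULES:
        if applies(r):
            removed |= out_domains
    in_scope = {d: n for d, n in domains.items() if d not in removed}
    return in_scope, sum(domains[d] for d in removed)
```

Running the Market Research vendor from the text through `scope_questionnaire` removes 180 controls, leaving 670 of the 850 in scope.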
Applying Two Due Diligence Questionnaires
A second solution to the vendor fatigue problem is to apply two due diligence questionnaires: a short one for vendors at the RFP stage, and an exhaustive one at the Onboarding stage. Only those vendors who pose Medium/Low risk at the RFP stage are moved to the Onboarding stage. This limits the exhaustive assessment to a smaller set of selected vendors, saving time, money, and resources while increasing efficiency and quality.
Risk Analysts can develop an RFP Questionnaire with 20-30 questions covering critical controls that determine a vendor’s posture in Business Resiliency, Incident Management, Network Security, Employee training and background verification, Encryption, and Phishing. They can use results of the RFP Questionnaire to vet vendors and move Low/Medium-risk vendors to the Onboarding stage.
Consider another scenario where the outsourcer's HR department is evaluating three vendors for a Payroll system. The RFP Due-Diligence Questionnaire (20-30 questions) is assigned to all three vendors. Upon review, two vendors are found to pose a high risk, which removes them from the process. An Onboarding questionnaire is then assigned only to the low-risk vendor. This results in considerable time savings for both the vendor and the assessor. If the entire RFP Due-Diligence process (vendor and assessor) takes 1 hr./vendor, that is 3 hrs. for 3 vendors. If the entire Onboarding questionnaire takes 7 hrs./vendor, that would be 21 hrs. for 3 vendors. With the two-stage method, however, you spend only 10 hrs. on due diligence (3 hrs. of RFP screening plus 7 hrs. for the one onboarded vendor) instead of 21 hours.
Implementing Service-based Questionnaires
The third technique to reduce vendor fatigue is creating and assigning questionnaires based on the services offered by the vendor. Again, this is best explained by considering a scenario.
If you are assessing a vendor who is offering Market Research and Analysis services, you can develop a customized questionnaire which is more focused on scoped data:
- Access to scoped data (if yes, then how)
- Storage of scoped data (if yes, then where)
- Processing of scoped data (if yes, how)
- Transmitting of scoped data (if yes, how)
A questionnaire designed for a Market Research and Analysis services vendor can be limited to 30-40 controls that cover questions related to scoped data, data encryption, network scans on scoped data and key controls from Access Control, Asset Management, and Business Resiliency. If the scoped data is stored in the Cloud, that can also be taken into consideration.
Creating Service-based Questionnaires is a one-time effort with a plethora of benefits: reduced vendor fatigue, focus on core controls based on service type, and increase in review quality.
The goal of due diligence questionnaires should be to seek qualitative rather than quantitative answers. This can be achieved by focusing on the scope and context of the assessment and designing questionnaires that fit the need.
Risk Analysts can use any one, or a combination, of these solutions to reduce vendor fatigue. In the process, they also realize benefits such as enhanced productivity from a shorter turnaround time (TAT). Ultimately, the vendor should be able to demonstrate that they are the right fit, in terms of availability, confidentiality, and integrity, to offer the required services.