Third-Party Risk Management, GRC

TPRM Blog 2 - Approaching Questionnaires: Decision Orientated Requirements
Written by Alex Hollis

Published on 4 Sep 2019



Third Party Risk Management Blog Series Introduction

In this Third Party Risk Management blog series, Alex Hollis guides you through developing effective information gathering for third parties, using five key steps to formulate a third party risk assessment questionnaire.

The five key steps to the formulation of a third party questionnaire are:

  • Requirements – establishing the needs of the organisation, both in terms of the third-party risks that need to be managed and the compliance needs arising from regulation and any stakeholder commitments.
  • Research – obtaining an understanding of the types of information needed to satisfy the requirements, and prioritising those needs across the various types of third parties the organisation has.
  • Planning – considering the method, structure and number of assessments (this can also include non-questionnaire approaches such as audits and interviews).
  • Writing questions – formulating the actual questions themselves and the method of response.
  • Testing – obtaining validation and identifying any areas for improvement.

In this second instalment, he discusses decision-orientated requirements and looks at how you can remove the inefficiency of collecting unnecessary data.

Decision Orientated Requirements

When designing a questionnaire, we need to plan what will be done with the information before we ask for it. Requirements tend to be expressed at one of three levels.

The first level is informational. These requests say nothing about what will be done with the information, or how much of it is needed to reach a decision, for example:

  • We need to understand our third parties’ approach to compliance.

The next level is study-type requests. These still focus on the information, but they also commit to a further activity that will follow it up, for example:

  • We need to conduct audit interviews with our third parties.

Finally, there are decision requests. These start from the heart of the matter, the decision to be made, which makes the information to be gathered and the most appropriate method of gathering it far easier to determine, for example:

  • We need to decide if we can work with this third party.

This move to decision-orientated requirements is far superior to gathering data simply for the sake of having more information, or in the hope of an epiphany from the data set.

Try asking “What decision am I looking to make?” If you are struggling to identify the decision, think instead about what hypothesis you are trying to prove or disprove.

The decision-orientated approach is helpful because it cuts through the inefficiency of collecting data on which you have no intention of making any decision. It sharpens the focus of the respondent, and it also reduces the amount of data you then have to process.

Moving from an informational approach to a decision-orientated one is difficult when working with others. It is often helpful to allow the informational questions to be captured first, and then work back from each question to the decision it supports.

When doing this exercise, if you cannot establish the decision behind a question, you have discovered redundant data. You may also find that a single question relates to several decisions; this is good news, as you have already identified an efficiency.


How to Develop Effective Information Gathering for Third Parties

In March 2019 we hosted a free webinar taking you through the five key steps to the formulation of a third party questionnaire. Hear from Alex Hollis, SureCloud’s GRC Practice Director, as he discusses efficient and effective information gathering from third parties. The session covers topics such as:

  • How to evaluate your information needs
  • Prioritizing, planning and structuring the information gathering
  • Use of categorization, tiering and risk scoring
  • Building the question library
  • Reducing the manual administrative burden from the system
  • Reducing “assessment fatigue” – The human element of answering questions

The webinar is available on-demand via BrightTALK here.

Discover the next blog in the third party risk management series here, where we look at understanding the thresholds needed to make decisions, setting the expected level, and being clear on what the minimum accepted level might be.

To view the previous blogs in the third party risk management series click here.

See you next week!