Close Widget

Author: GRC Practice Director, Alex Hollis.

Third Party Risk Management Blog Series Introduction

In this Third Party Risk Management blog series, Alex Hollis will guide you through developing effective information gathering for third parties using five key steps to the formulation of a third party risk assessment questionnaire.

There are five key steps to the formulation of a third party questionnaire:

  • Requirements – establishing the needs of the organisation both in terms of the third-party risks that need to be managed and the compliance needs from regulation and any stakeholder commitments.
  • Research – obtaining an understanding of the types of information needed to satisfy the requirements and prioritising the needs among the various types of third parties the organisation has.
  • Planning – consideration for the method, structure, and number of assessments (this can also include non-questionnaire approaches such as audits and interviews)
  • Writing questions – Formulating the actual questions themselves and the method of response.
  • Testing – Obtaining validation and identifying any areas of improvement.

In this second installment, he discusses decision orientated requirements and looks at how you can remove the inefficiency of collecting unnecessary data.

Decision Orientated Requirements

When thinking about questionnaires, we need to plan what to do with the information.

The first level is informational; these requests say nothing about what will be done with the information or how much is required to reach a decision.

  • We need to understand our third parties approach to compliance.

The next level is study-type requests, which focus not only on the information but also ensure there is further study to follow this up.

  • We need to conduct audit interviews with our third parties.

Finally, there are decision requests; these begin with the heart of the matter. The information to be gathered and the most appropriate method will be far easier to determine.

  • We need to decide if we can work with this third party.

This move to decision-orientated research is far superior to the approach of obtaining data simply for the sake of having more information or expecting an epiphany from the data set.

Try asking “What decision am I looking to make?” if you are struggling to think about the decision try thinking about what hypothesis you are trying to prove or disprove.

This decision-orientated approach is helpful because it will cut through the inefficiency of collecting data that you have no intention of making any decision on. This goes further to managing the focus of the respondent but also reduces the need to process that data.

Moving from the informational approach to a decision-orientated approach is difficult when working with others. Allowing the informational questions to be captured and then working back to the decision is often helpful.

When doing this exercise if you can’t establish the reason then you have discovered redundant data. You may also find that a given question has some decisions to which it relates, this is great as you have already identified an efficiency.

How to Develop Effective Information Gathering for Third Parties

In March 2019 we hosted a free webinar taking you through the five key steps to the formulation of a third party questionnaires. Hear from Alex Hollis, SureCloud’s GRC Practice Director as he discusses efficient and effective information gathering from third parties. The session covers topics such as:

  • How to evaluate your information needs
  • Prioritizing, planning and structuring the information gathering
  • Use of categorization, tiering and risk scoring
  • Building the question library
  • Reducing the manual administrative burden from the system
  • Reducing “assessment fatigue” – The human element of answering questions

The webinar is available on-demand via BrightTALK here.

Discover the next blog in the third party risk management series here, where we look at understanding thresholds needed to make decisions, setting the expected level and being clear on what the minimum accepted level might be. 

To view the previous blogs in the third party risk management series click here.

See you next week!



How can we help?