TPRM Blog 1 - Approaching Questionnaires: Obtaining Requirements
The author of our third party risk management blog series GRC Practice Director, Alex Hollis, has over 16 years’ experience in IT, mobile technology and software development, having spent the last seven years specializing in governance, risk, and compliance software (GRC).
Alex presented a full hour webinar on ‘How to Develop Effective Information Gathering for Third Parties,’ and we have broken the webcast down into bite-size blogs to help you develop your processes in an informed and manageable way. There are also some extra pointers and tips exclusive to this third party risk management blog series which will end with the full guide for you to read and share.
In this series, he will guide you through developing effective information gathering for third parties using five key steps to the formulation of a third party questionnaire.
There are five key steps to the formulation of a third party questionnaire:
- Requirements – establishing the needs of the organisation both in terms of the risks that need to be managed and the compliance needs from regulation and any stakeholder commitments.
- Research – obtaining an understanding of the types of information needed to satisfy the requirements and prioritising the needs among the various types of third parties the organisation has.
- Planning – consideration for the method, structure, and number of assessments (this can also include non-questionnaire approaches such as audits and interviews)
- Writing questions – Formulating the actual questions themselves and the method of response.
- Testing – Obtaining validation and identifying any areas of improvement.
In the first installment, he discusses how to approach third-party questionnaires, obtaining requirements and setting goals.
The first step in the process is to collect the requirement for the assessment. It is not unusual for organizations to skip this step and move directly to drafting a long list of questions. Organizations are conducting third party risk assessments to support a purpose. The danger is that without a clear goal, the person writing the questions will pass it around to various people who will, in turn, add questions to it. They may go on to include various industry standard questions in a desire for the questionnaire to look the part and gain some confidence that they are doing the right thing. This leads to questionnaires that are too long, contain unnecessary information and often duplication. Poor questionnaires lead to poor or faulty information upon which organizations are making decisions.
Additionally, questionnaire design is also pushed down away from those deciding without the clarity on the intent. Identifying and clarifying decisions is a learned skill that not everyone has. Planning to support specific decision-making is in everyone’s best interest. We can also better articulate the expected return on the information collected.
The study type is the mechanism by which we will get the desired information. Most organizations will have already settled on a questionnaire-based third-party-risk assessment; however, at this stage, we should not be influenced by the purpose. “We need to do a third party assessment” or “We need to conduct audits with our third parties,” neither approach is helpful when understanding the purpose. (This will be covered in the “Planning” phase).
The goal is often overlooked as being inherently obvious but is worth stating. Most third party programs would agree with the following goal:
“To ascertain that the third party being assessed has an appropriate approach to managing risk which is compatible with our own and that the control framework meets our compliance needs both regulatory and within our policies.”
How to Develop Effective Information Gathering for Third Parties
In March 2019 we hosted a free third-party risk management webinar taking you through the five key steps to the formulation of a third party questionnaires. Hear from Alex Hollis, SureCloud’s GRC Practice Director as he discusses efficient and effective information gathering from third parties. The session covers topics such as:
- How to evaluate your information needs
- Prioritizing, planning and structuring the information gathering
- Use of categorization, tiering and risk scoring
- Building the question library
- Reducing the manual administrative burden from the system
- Reducing “assessment fatigue” – The human element of answering questions
The webinar is available on-demand via BrightTALK here.
Discover the next blog in the third party risk management series here, where we look at decision orientated requirements and putting all of the requirements discussed in both blogs together.
To view the previous blogs in the third party risk management series click here.
See you next week!