Choose your topics

The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
The Top 4 Challenges of Risk Management

What are the top four challenges of risk management today and how can you overcome them? Find out in this post from SureCloud.

Third-Party Risk Management GRC
Transform Compliance into Your Competitive Advantage

In GRC, compliance is often viewed as a cost that makes it harder to pursue growth. Here's how to make it your competitive advantage.

Compliance Management GRC
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
The Simple Way to Combat Phishing

SureCloud Cybersecurity Practice Director Luke Potter shares his tip to stay ahead of attackers phishing for your downfall.

Penetration Testing
See Yourself in Cyber With Janhavi Deshpande

See Yourself in Cyber With Janhavi Deshpande - SureCloud

Cyber Security
Vector (7)
Third-Party Risk Management, GRC

TPRM Blog 1 - Approaching Questionnaires: Obtaining Requirements

TPRM Blog 1 - Approaching Questionnaires: Obtaining Requirements
Written by

Alex Hollis

Published on

4 Mar 2019

TPRM Blog 1 - Approaching Questionnaires: Obtaining Requirements


The author of our third party risk management blog series GRC Practice Director, Alex Hollis, has over 16 years’ experience in IT, mobile technology and software development, having spent the last seven years specializing in governance, risk, and compliance software (GRC).

Alex presented a full hour webinar on How to Develop Effective Information Gathering for Third Parties,’ and we have broken the webcast down into bite-size blogs to help you develop your processes in an informed and manageable way. There are also some extra pointers and tips exclusive to this third party risk management blog series which will end with the full guide for you to read and share.

In this series, he will guide you through developing effective information gathering for third parties using five key steps to the formulation of a third party questionnaire.

There are five key steps to the formulation of a third party questionnaire:

  • Requirements – establishing the needs of the organisation both in terms of the risks that need to be managed and the compliance needs from regulation and any stakeholder commitments.
  • Research – obtaining an understanding of the types of information needed to satisfy the requirements and prioritising the needs among the various types of third parties the organisation has.
  • Planning – consideration for the method, structure, and number of assessments (this can also include non-questionnaire approaches such as audits and interviews)
  • Writing questions – Formulating the actual questions themselves and the method of response.
  • Testing – Obtaining validation and identifying any areas of improvement.

In the first installment, he discusses how to approach third-party questionnaires, obtaining requirements and setting goals.

Obtaining Requirements

The first step in the process is to collect the requirement for the assessment. It is not unusual for organizations to skip this step and move directly to drafting a long list of questions. Organizations are conducting third party risk assessments to support a purpose. The danger is that without a clear goal, the person writing the questions will pass it around to various people who will, in turn, add questions to it. They may go on to include various industry standard questions in a desire for the questionnaire to look the part and gain some confidence that they are doing the right thing. This leads to questionnaires that are too long, contain unnecessary information and often duplication. Poor questionnaires lead to poor or faulty information upon which organizations are making decisions.

Additionally, questionnaire design is also pushed down away from those deciding without the clarity on the intent. Identifying and clarifying decisions is a learned skill that not everyone has. Planning to support specific decision-making is in everyone’s best interest. We can also better articulate the expected return on the information collected.

The study type is the mechanism by which we will get the desired information. Most organizations will have already settled on a questionnaire-based third-party-risk assessment; however, at this stage, we should not be influenced by the purpose. “We need to do a third party assessment” or “We need to conduct audits with our third parties,” neither approach is helpful when understanding the purpose. (This will be covered in the “Planning” phase).


The goal is often overlooked as being inherently obvious but is worth stating. Most third party programs would agree with the following goal:

“To ascertain that the third party being assessed has an appropriate approach to managing risk which is compatible with our own and that the control framework meets our compliance needs both regulatory and within our policies.”

How to Develop Effective Information Gathering for Third Parties

In March 2019 we hosted a free third-party risk management webinar taking you through the five key steps to the formulation of a third party questionnaires. Hear from Alex Hollis, SureCloud’s GRC Practice Director as he discusses efficient and effective information gathering from third parties. The session covers topics such as:

  • How to evaluate your information needs
  • Prioritizing, planning and structuring the information gathering
  • Use of categorization, tiering and risk scoring
  • Building the question library
  • Reducing the manual administrative burden from the system
  • Reducing “assessment fatigue” – The human element of answering questions

The webinar is available on-demand via BrightTALK here.

Discover the next blog in the third party risk management series here, where we look at decision orientated requirements and putting all of the requirements discussed in both blogs together.

To view the previous blogs in the third party risk management series click here.

See you next week!