Third-Party Risk Management, GRC

Third Party Risk Blog Series: The Problem with Questionnaires is Human Nature

Written by

Alex Hollis

Published on

20 Mar 2019


Questionnaires aren’t inherently bad; they are an efficient means of collecting information from a number of respondents to form a consistent and comparable set of data.

The issue is with their effectiveness, and the primary cause of that ineffectiveness is human involvement in the process. The cognitive process involved in answering questions is quite resource intensive for the respondent. The respondent first has to read and understand the question, applying any context to it. The respondent must then recall the related facts (or recognize they don’t have the information and conduct an investigation) and summarise that information in the context of the question. Additionally, the respondent has a motive in answering the questions. With third-party questionnaires, there is a desire to meet that obligation; as such, if there is not a direct answer, there will be an additional cognitive effort to reframe the answer in a preferable light.

Humans spend much of their day operating from the basal ganglia, which requires less energy to operate. The evaluation of new information and higher-level thinking depends on the prefrontal cortex, which is less energy efficient (Rock and Schwarz 2006). Switching from the basal ganglia to the prefrontal cortex creates some feelings of anxiety and of being outside of one’s comfort zone. In the same way that we often feel fatigued after a long meeting or training session, answering complex questions has a similar effect. This deep thinking on the respondent’s part shouldn’t be taken for granted.

We have borrowed the term ‘assessment fatigue’ from the world of medicine to describe the mental fatigue that a respondent feels from answering questions. When completing a voluntary assessment, a respondent who reaches that fatigued state can simply stop answering the questions and leave the assessment. Our third parties, however, are normally committed to completing such assessments, so the respondent doesn’t have the option not to complete the assessment; the fatigue is no less present because of this commitment.

What we should take away from this is that the respondent has a finite amount of mental focus with which to provide answers. To make an effective questionnaire, it is the responsibility of the person designing the survey to be aware of and manage that finite resource.

About Alex

Alex has over 16 years’ experience in IT, mobile technology and software development. He has spent the last seven years specializing in governance, risk, and compliance (GRC). After just six months in the industry, Alex received a platinum-level excellence award for his work around risk bow-tie modeling, Solvency 2 and Basel 3. Now focusing primarily on operational risk, Alex has analyzed, designed and implemented GRC technology into 60 companies, including some of the largest and most complex environments. His experience spans multiple sectors, including telecommunications, aviation, pharmaceuticals, manufacturing, retail, public sector, financial services and insurance.