TPRM Blog 3 - The Threshold Levels Needed for Third Party Questionnaires

Author: GRC Practice Director, Alex Hollis.

Third-Party Risk Management Blog Series Introduction

In this Third Party Risk Management blog series, Alex Hollis will guide you through developing effective information gathering for third parties using five key steps to the formulation of a third party questionnaire. The third-party risk management webinar is available on-demand via BrightTALK here.

There are five key steps to the formulation of a third party questionnaire:

• Requirements – establishing the needs of the organisation both in terms of the third-party risks that need to be managed and the compliance needs from regulation and any stakeholder commitments.
• Research – obtaining an understanding of the types of information needed to satisfy the requirements and prioritising the needs among the various types of third parties the organisation has.
• Planning – consideration for the method, structure, and number of assessments (this can also include non-questionnaire approaches such as audits and interviews)
• Writing questions – Formulating the actual questions themselves and the method of response.
• Testing – Obtaining validation and identifying any areas of improvement.

In this third installment, he discusses understanding thresholds needed to make decisions, setting the expected level and being clear on what the minimum accepted level might be…

Thresholds

The final part of requirements is to understand the threshold which must be achieved for each of the elements.

Again, this is often overlooked as part of the process. Without knowing the threshold you need to reach to make a decision, you risk not being specific in terms of what you need and also leave the determination to the person carrying out the third-party review. If you have more than one person doing reviews, you will then have issues of consistency.

As well as setting the expected level, also be clear on what the minimum acceptable level might be. For example, would you allow the third party a grace period to add missing controls, assuming there are compensating controls?

Putting It Together

Here is a simple framework for putting together the requirements:

At this stage, it is more than likely that you will have gaps knowing what information is needed and the threshold that would be accepted. But having identified the decisions, we can move to research.

How to Develop Effective Information Gathering for Third Parties

In March 2019 we hosted a free third-party risk management webinar taking you through the five key steps to the formulation of a third party questionnaires. Hear from Alex Hollis, SureCloud’s GRC Practice Director as he discusses efficient and effective information gathering from third parties.

Discover the next blog in the third-party risk management series here, where we will cover approaches for both internal and external research needed for approaching questionnaires, comparing qualitative vs quantitative routes. 

To view the previous blogs in the series click here.

See you next week!

A.