Author: GRC Practice Director, Alex Hollis.
Third Party Risk Management Blog Series Introduction
In this Third Party Risk Management blog series, SureCloud’s GRC Ractive Director Alex Hollis will guide you through developing effective information gathering for third parties using five key steps to the formulation of a third party questionnaire. The associated third party risk management webinar is available on-demand via BrightTALK here.
There are five key steps to the formulation of a third party questionnaire:
- Requirements – establishing the needs of the organisation both in terms of the third party risks that need to be managed and the compliance needs from regulation and any stakeholder commitments.
- Research – obtaining an understanding of the types of third party information needed to satisfy the requirements and prioritising the needs among the various types of third parties the organisation has.
- Planning – consideration for the method, structure, and number of assessments (this can also include non-questionnaire approaches such as third party audits and interviews)
- Writing questions – Formulating the actual questions themselves and the method of response.
- Testing – Obtaining validation and identifying any areas of improvement.
In the fourth instalment, Alex discusses what third party information is needed to support the decision process highlighted in our previous third party blog. He also looks into qualitative and quantitative research methods.
Third Party Risk Management Research
During the research phase, we need to concentrate on determining what third party information we need to support our decision. This will require some research across the internal organization to find out what we need to make that decision.
For each decision arranged to meet with key subject matter experts and determine what information is needed to reach that decision and then what is the minimum threshold that the third partyorganization would accept.
Be very clear to push this threshold, what exceptions have been made in the past.
In regards to external research, you need to consider the types of answers you are hoping to collate. Are you looking for numeric data or more in-depth insights?
Qualitative vs Quantitative Research
The most common purpose for third-party assessments is to reach a decision about whether or not to work with a given third party and what level of risk will be taken on in doing so. As a result, the majority of approaches use a quantitative approach.
Quantitative research is about counting things using some kind of numerical representation. This could be quantities, perceptions, attitudes, and statistics to make estimations of a population or subject. The nature of this approach is to confirm and allow for comparison; it helps to reach the decision.
Qualitative research is interactive and exploratory. It provides flexibility to explore topics further using “Tell me more?” or “Why do you say that?” which can provide better insight than fixed responses. This type of research can be conducted one-on-one between interviewer and subject or in a focus group with a moderator.
Quantitative and Qualitative research are complementary methods. The typical arrangement is to use a small qualitative sample to help formulate the structured qualitative assessment of a much larger set. The qualitative helps to define the decision threshold while the qualitative then confirms that decision against the larger population.
Given the volume of third parties which need to be assessed, the need for a simple, repeatable process and the compliance nature of the questions it is not surprising most organizations select the quantitative method from the start. However, what is often found by those completing third party assessments is that the questions being asked are not appropriate or that the fixed options do not provide room for an alternate. This is, of course, unavoidable with a qualitative assessment, however using a qualitative check with selected subjects or a focus group allows for some of that discovery to happy away from the closed nature of the assessment and can be beneficial to keeping assessments relevant.
The ability for us to make good decisions is dependent upon the quality of the tools that we use. While it is almost inevitable that we will need qualitative research methods, it is important that we don’t allow that to leave us short-sighted.
How to Develop Effective Information Gathering for Third Parties
In March 2019 we hosted a free webinar taking you through the five key steps to the formulation of a third party questionnaires. Hear from Alex Hollis, SureCloud’s GRC Practice Director as he discusses efficient and effective information gathering from third parties.
Discover the next blog in the third party risk management series here, where we will be moving onto the planning phase of our blog series. We will be looking at how to plan your third party questionnaire, allowing you to satisfy the information needs identified in the requirements and research phase in this blog series.
To view the previous blogs in the third party risk management series click here.
See you next week!