Author: GRC Practice Director, Alex Hollis.
In this Third Party Risk Management blog series, SureCloud’s GRC Practice Director Alex Hollis will guide you through developing effective information gathering for third parties using five key steps to the formulation of a third party questionnaire. The third party risk management webinar is available on-demand via BrightTALK here.
In the fifth instalment, Alex moves into the ‘planning’ phase of questionnaires where you will establish the survey type, organizing third party information collection to help manage assessment fatigue and achieving flow by paying attention to the order and context of the questions.
The next phase is to plan out the questionnaire. The first thing to consider is the survey method. This paper focuses on questionnaire assessments, but there are other methods of survey such as audits, face-to-face interviewing, telephone interviews. Additionally, there will not be just one third party risk assessment over the life of the third-party relationship.
Once we have established the survey type, we can then think about satisfying the third party information needs identified in the requirements and research phase.
We want to ensure that we organize the third party information collection into logical groups to avoid the respondent having to mentally context switch when answering the questions. This helps better manage third party risk and the issue of assessment fatigue.
A simple framework for doing this is:
Third party Information needed – The first column is where we decide what needs to be collected. This should concentrate on what we are looking to satisfy.
Category/Topic – The second column is used to ensure the flow of questions is maintained. Similar questions are going to be held or shown to the third party respondent together.
The next three columns are going to be covered in the writing questions phase.
The goal of this is to create an easy to follow flow to the questions. The flow is designed to ensure that the respondent is eased into the questions and that the context of the question is well understood and can be followed.
There are some cognitive studies which have identified the importance of moving from easy to hard problems when approaching a complex task. It builds the confidence of the individual completing the task and improves the overall output.
Remember the respondent of the third party assessments is a person. Recognise that they may not be the subject matter expert to all of the security and risk controls in the organisation. The first section and the first question of each section should use straightforward closed questions to get the respondent started.
Third party questions about the name of the company and the services being consumed should be very easy for the respondent to answer.
To achieve flow, we must ensure that attention is paid to the order and context of questions. Consider the question:
|Do you allow the sharing of user accounts?|
The question is a common one asking about unique user identification. Depending on where the question is placed it could be a question about the organisations’ information security management policies internally, or it could be asking about a software product feature. Here the preceding question could change the context in which the question is being asked.
Another example is:
|Do you enter passwords in clear text?|
This is asking about the control which obscures or masks passwords when entered and prevents ‘shoulder-surfing,’ where people might look over the shoulder and obtain passwords. Again the context here is not made obvious by the question and as such is very open to the context being inferred by the placement.
Along with errors through misunderstanding, it also requires more mental effort to evaluate; a respondent may need to re-read or look at the surrounding questions to reconfirm the context. This will more quickly lead to assessment fatigue, and those already fatigued will be more susceptible to misunderstandings.
One of the ways to help structure this is when planning assessments start with categories that separate contexts. Keep questions about the product and/or service offered separate from the questions about the company itself.
Stay tuned for the next blog in this third party risk management series, where we focus on drafting the questions and the simple techniques you can use to improve the collection of information to help manage the assessment fatigue experienced by the respondent.
To view the previous blogs in the third party risk management series click here.
See you next week!