Author: GRC Practice Director, Alex Hollis.
In this Third-Party Risk Management blog series, SureCloud’s GRC Practice Director Alex Hollis will guide you through developing effective information gathering for third parties using five key steps to formulating a third-party risk management questionnaire. The third-party risk management webinar is available on-demand via BrightTALK.
There are five key steps to the formulation of a third-party questionnaire:
- Requirements – establishing the needs of the organisation in terms of the risks that need to be managed, the compliance needs arising from regulation, and any stakeholder commitments
- Research – obtaining an understanding of the types of information required to satisfy the requirements and prioritising the needs among the various types of third parties the organisation has
- Planning – consideration of the method, structure, and number of assessments (this can also include non-questionnaire approaches such as audits and interviews)
- Writing questions – formulating the actual questions themselves and the method of response
- Testing – obtaining validation and identifying any areas of improvement
The Planning Phase of Your Third-Party Risk Management Questionnaire
In this fifth instalment, Alex moves into the ‘planning’ phase of questionnaires, where you will establish the survey type, organise third-party information collection to help manage assessment fatigue, and achieve flow by paying attention to the order and context of the questions.
The next phase is to plan out the questionnaire, and the first thing to consider is the survey method. This post focuses on questionnaire assessments, but there are other survey methods such as audits, face-to-face interviews, and telephone interviews. Additionally, there will not be just one third-party risk assessment over the life of the third-party relationship.
Once we have established the survey type, we can consider satisfying the third-party information needs identified in the requirements and research phase.
We want to ensure that we organise the third-party information collection into logical groups so that the respondent does not have to mentally context switch when answering the questions. This helps manage both third-party risk and the issue of assessment fatigue.
A simple framework for doing this is a table with the following columns:
- Third-party information needed – The first column is where we decide what needs to be collected. This should concentrate on the requirement we are looking to satisfy.
- Category/Topic – The second column ensures the flow of questions is maintained. Similar questions will be held together or shown to the third-party respondent together.
We will cover the remaining three columns in the writing questions phase.
The goal of this is to create an easy-to-follow flow to the questions. The flow must ease the respondent into the questions and ensure the context of the question is well understood.
Start Off Easy
Some cognitive studies have identified the importance of moving from easy to challenging problems when approaching a complex task. It builds the confidence of the individual in completing the task and improves the overall output.
Remember, the respondent to the third-party assessment is a person. Recognise that they may not be the subject matter expert on all of the security and risk controls in their organisation. The first section, and the first question of each section, should use straightforward closed questions to get the respondent started.
Third-party questions about the name of the company and the services being consumed should be straightforward for the respondent to answer.
Make Your Context and Question Order Clear
To achieve flow, pay attention to the order and context of questions.
Consider the question:
“Do you allow the sharing of user accounts?”
This is a common question about unique user identification. Depending on where it is placed, it could be asking about the organisation’s internal information security management policies, or it could be asking about a feature of a software product. Here, the preceding question could change the context.
Another example is:
“Do you enter passwords in clear text?”
This is asking about the control that obscures or masks passwords as they are entered, preventing ‘shoulder-surfing’, where people look over the shoulder of the user to obtain passwords. Again, the context is not made evident by the question itself and, as such, must be inferred from its placement.
Besides causing errors through misunderstanding, an ambiguous question also requires more mental effort to evaluate; a respondent may need to re-read it or look at the surrounding questions to reconfirm the context. This leads to assessment fatigue more quickly, and respondents who are already fatigued will be more susceptible to misunderstandings.
One way to help structure this is, when planning assessments, to start with categories that separate contexts. Keep questions about the product and/or service offered separate from questions about the company itself.
In TPRM Blog 6…
The next instalment in this third-party risk management series focuses on drafting the questions and the simple techniques you can use to improve the collection of information to help manage the assessment fatigue experienced by the respondent.
View the previous blogs in the third-party risk management series, or head over to our Vendor Risk Management capability to see what software and services are available to help you streamline your third-party risk assessment processes.