Author: GRC Practice Director, Alex Hollis.
Blog Series Introduction
In this Third Party Risk Management blog series, Alex Hollis will guide you through developing effective information gathering for third parties using five key steps to the formulation of a third party questionnaire. The webinar is available on-demand via BrightTALK here.
There are five key steps to the formulation of a third party questionnaire:
- Requirements – establishing the needs of the organisation both in terms of the risks that need to be managed and the compliance needs from regulation and any stakeholder commitments.
- Research – obtaining an understanding of the types of information needed to satisfy the requirements and prioritising the needs among the various types of third parties the organisation has.
- Planning – consideration of the method, structure, and number of assessments (this can also include non-questionnaire approaches such as audits and interviews).
- Writing questions – formulating the actual questions themselves and the method of response.
- Testing – Obtaining validation and identifying any areas of improvement.
In the eighth instalment, Alex will discuss how to increase the readability of your questions for your Third Party Risk Management questionnaires. This will include reducing the length of the questions and engaging more of the senses. The blog includes real-life examples.
Krosnick (1991) detailed what respondents experience while answering questions, and it's much harder than might be assumed.
1. Interpret the meaning of the question
2. Recall all relevant facts related to the question (in the case of third parties this might also mean obtaining)
3. Summarise the facts
4. Report summary judgement accurately.
Krosnick showed that respondents take shortcuts, which he refers to as satisficing, to come up with a satisfactory answer rather than the optimal answer. Given this, you must use the energy of your respondents wisely and not wear them out.
1) Keep questions under thirty words
Long questions are cumbersome; respondents have to read more and interpret more. They might even find themselves having to re-read several times to understand.
How does your product or service protect users from malicious attacks? Malicious attacks should also include such areas as phishing, social engineering, along with any other deliberate attempt to compromise the confidentiality, integrity or availability of data held on the system through manipulation of users. | |
This can be achieved by reducing the words in the question itself to make it easier to read. A strategy for helping with this is to split a question into multiple questions grouped for context.
How does your product or service protect users from malicious attacks which might impact confidentiality, integrity or availability of data?
Phishing | |
Social Engineering | |
Other | |
Another example:
Do you have appropriate controls for physical security around the organisation as well as any products or services rendered? | Yes/No |
Could instead be expressed as:
Do you have appropriate controls for physical security:
Around the organisation | Yes/No |
Around products offered | Yes/No/NA |
Around services offered | Yes/No/NA |
Another useful technique for reducing the size of the question is to use a transition statement, such as:
The next section is going to ask about data-breach incidents that have happened within the last year…
How many incidents were reported? | [Number] |
Was a root cause analysis performed on each incident? | Yes/No/NA |
Naturally, there may be times when this rule has to be broken due to the complex nature of the questions being asked.
2) When writing, say the question out loud as if you were talking to someone.
When drafting questions in bulk the grammatical structure of the question can be lost, resulting in the question becoming difficult to read and interpret. One technique to prevent this is to read the question out loud as if you were talking to someone. This works because it engages more of the senses in feeling and hearing the words rather than just understanding with the mind.
You will often find that, in doing this, the phrasing becomes much clearer, which makes the question easier to respond to and answer.
Next Week…
Continue learning about how to increase your respondents' level of engagement with next week’s blog ‘TPRM Blog 9: The Importance of Cutting Down your Questionnaire’. The piece will cover the science behind an individual’s concentration levels and the number of questions asked.
To view the previous blogs in the series click here.
See you next week!