When it comes to vendor risk management questionnaires, less can definitely be more. In this post, I’ll share three value-add tips on why and how to streamline your vendor review process and reduce the length of your questionnaires while maintaining a high level of due diligence.
Tip One: Shorten Your Questionnaires
With the 2019 SIG questionnaires approaching 1,200 questions, it’s time to draw the line on vendor questionnaire length. Your goal should be to learn the most about vendor risk with the least effort for you and your vendors.
It’s a common misconception that longer questionnaires address more risk. In reality, all they do is frustrate both parties. No amount of questions can encompass all risk factors (e.g., criminal behavior among senior leadership that causes a business to plummet), just like no amount of controls can guarantee security in the face of human error and the sheer unpredictability of events.
Your vendors, especially SaaS providers, may get hundreds of questionnaires from clients and prospects every week. In our experience with TPRM clients, vendors are more likely to respond to shorter questionnaires (50 questions or less), and less likely to respond if the form is over 100 questions.
How can you shorten your questionnaires?
One way is to eliminate some of the overlap in coverage. For example, do you need to ask about background checks if you have a copy of the vendor’s HR policy? Do you need to ask about change approval if you have a copy of their software development lifecycle (SDLC) workflow? Does a vendor really need a data loss prevention (DLP) control on top of preventive controls that prevent copying client data to local disks? Is it necessary to ask about security cameras if they’re using an AWS datacenter?
By picking questions carefully and purposefully, you can cut the number significantly while homing in on your key risk categories—which I’ll discuss next.
Tip Two: Focus on Key Risk Categories
If you don’t know your key risk categories, how can you manage vendor risk?
Start with an outline of major risk areas; e.g., financial, reputational, operational, subcontractor, network security, compliance, etc. Next, rank these in order of the risk they pose to your business. Different vendors will inherently align with different risk categories, based on the service(s) they provide and the data involved.
Risk categories can be a major driver for developing questionnaires that focus on what is really risky or of concern in your individual vendor relationships, freeing both parties from the burden of spending considerable time going over a wide swath of less productive territory.
A focus on risk categories versus long questionnaires also makes your program more agile and adaptable to respond to internal, vendor and industry feedback. TPRM is highly dynamic and a lean, flexible approach offers many advantages.
Tip Three: Increase Your Reliance on Third-Party Security Attestations
If a vendor can pass a SOC 2, CSA STAR or ISO 27001 audit, there’s a good chance they can meet your organization’s criteria as well. Something like a SOC 2 report will also contain many of the answers your questionnaire would be seeking. Therefore, vendors that hold one or more well-known third-party security attestations probably don’t need to waste time filling out a lengthy questionnaire.
What about high-risk vendors? Surely, they still warrant a barrage of questions? Based on experience, I disagree. A better approach is to establish an internal requirement that your high-risk vendors must hold a recognized security attestation like ISO 27001 or SOC 2. After all, with your vendor questionnaire, it’s impossible to cover the same amount of ground as a full-blown onsite SOC 2 audit that takes the course over several months.
At the end of the day, shorter questionnaires that focus on key risk categories/control areas, along with a requirement for security attestations, can accomplish the same level of risk identification and mitigation as longer questionnaires. Save yourself time and reduce complexity by keeping your questionnaire process simple.
Ready for more guidance on how to simplify the questionnaires you’re using today? Download our free premium to get started.