Build a Better Vendor Due Diligence Questionnaire

Take a deep dive into vendor due diligence with ProcessUnity’s in-house due diligence specialist, James Goncalves. This interview addresses a few of the top questions that organizations have when it comes to getting the most out of their vendor due diligence questionnaires. 

This is a condensed version of the original podcast. The full podcast also covers continuous vendor monitoring.

Sophia: Drawing from your experience as a due diligence specialist, where have you seen organizations go wrong in designing vendor due diligence questionnaires? What can third-party risk teams do to avoid these issues? 

James: The biggest mistake I’ve seen over the years is when teams send out large, unwieldy questionnaires that have been over-scoped or not scoped appropriately. This makes the due diligence process significantly longer because it creates vendor fatigue. Often, the third party doesn’t want to respond to the irrelevant or poorly worded questions from the organization. The situation causes friction and, more importantly, it does not provide the organization with the responses that it needs to gain insight into third-party risk.

Another thing I see becoming common is organizations failing to consider language barriers in their questionnaires. If you’re sending a questionnaire to an organization outside of the United States, you need to make sure that the questionnaire is in the right language. You’ll want to pay extra attention to how things are phrased and that the requirements of the questionnaire are understood. 

Lastly, I’ve seen questionnaires become unwieldy when organizations don’t give thought to organizing related topics. This is especially true for large questionnaires that require responses from several different departments. You don’t want questions about HR and cloud services right next to each other. The questionnaire should be ordered logically to help the third party delegate questions and to help your team digest responses.

Sophia: A lot of this seems to relate back to what organizations can do to simplify the process for the vendor. How would you recommend that teams design questionnaires to avoid vendor fatigue? 

James: The best questionnaires are created with smart logic. One way to enforce logic is to have a parent or master questionnaire set up that you can reference for each third party. This helps you ask an overarching question that ultimately leads to smaller follow-up questions. 

For example, organizations typically ask questions about policies. Follow-up questions might be along the lines of how often certain policies are reassessed and who owns these policies. Conditional follow-up questions reduce the number of questions that a third party has to answer.  

Another way is to have a standardized, pre-built assessment that aligns with a certain framework such as NIST SP 800-53 or ISO 27001. A lot of larger organizations already have responses pre-filled for these, which speeds up the process for your organization.

Lastly, using a third-party risk management tool is really helpful in giving you the capability to store responses in a centralized repository. You’re going to be collecting historical data from your third parties that you’ll want to keep on hand. You can use this to design future questionnaires appropriately.  

Sophia: At the same time, the organization wants to be sure that they’re designing a questionnaire that will provide maximum insight into a vendor. How can you design a questionnaire that ensures you get the information that will be most relevant to your organization? 

James: You really want to think about the specific risk domains associated with a third party when you’re assessing the risk they pose. You want to determine whether they’ll have access to critical data, like PII or PHI. You’ll need to understand if their service is critical to the day-to-day operations of your organization.  

Categorically outlining the different risk areas and ensuring that questionnaires accurately reflect these domains is key. You’ll also need to make sure that you’re collecting all the correct evidence, whether that’s business continuity plans, disaster recovery plans or SOC reports. It can be helpful to include accurate tips underneath each request for evidence so that you can correctly outline what you need from the third party.

If you’re designing your questionnaire appropriately, then you’re going to be getting the most relevant information for your organization. You’ll also be getting great insight into vendors that you can use to make informed decisions.  
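The interview above describes two mechanics without showing them: scoping a questionnaire to the risk domains a vendor actually touches (data access, operational criticality, hosting) and a master questionnaire whose overarching questions gate conditional follow-ups. The script below is an added example written for this page; it is not code from the podcast or from ProcessUnity, and the question bank, domain names, vendor profile fields, evidence hints and sample answers are all constructed for illustration. It builds a small master questionnaire, scopes it from a vendor profile, orders the result by domain so the third party can delegate it, and then expands follow-ups only where the parent answer warrants them.

```python
"""Scoped vendor questionnaire with conditional follow-ups (constructed example)."""
from dataclasses import dataclass
from typing import Any, Callable

Predicate = Callable[[Any], bool]


@dataclass(frozen=True)
class Question:
    qid: str
    domain: str                 # risk domain this question belongs to
    text: str
    evidence_hint: str = ""     # guidance shown under an evidence request
    follow_ups: tuple = ()      # (predicate, Question) pairs asked only when predicate(answer) is true


def yes(answer: Any) -> bool:
    return str(answer).strip().lower() in ("yes", "y", "true")


def no(answer: Any) -> bool:
    return not yes(answer)


# Constructed master question bank; IDs and wording are illustrative only.
MASTER = [
    Question("SEC-1", "security", "Do you maintain a written information security policy?",
             follow_ups=(
                 (yes, Question("SEC-1a", "security", "How often is the policy reviewed and re-approved?")),
                 (yes, Question("SEC-1b", "security", "Who owns the policy (role, not person)?")),
                 (no, Question("SEC-1c", "security", "What compensating controls govern security practice today?")),
             )),
    Question("SEC-2", "security", "Provide your most recent independent assurance report.",
             evidence_hint="A SOC 2 Type II report or ISO 27001 certificate covering the service in scope."),
    Question("PRIV-1", "privacy", "Will you store or process personal data (PII/PHI) on our behalf?",
             follow_ups=(
                 (yes, Question("PRIV-1a", "privacy", "Which data elements, and in which countries is it stored?")),
             )),
    Question("CLOUD-1", "cloud", "Which cloud provider and regions host the service?"),
    Question("BCP-1", "bcp", "Provide your business continuity and disaster recovery plans.",
             evidence_hint="Include the date of the last exercise and the RTO/RPO for this service."),
    Question("HR-1", "hr", "Do you perform background checks on staff with access to customer data?"),
]

# Display order groups related topics so one department can answer each section.
DOMAIN_ORDER = {"security": 0, "privacy": 1, "cloud": 2, "bcp": 3, "hr": 4}


@dataclass
class VendorProfile:
    name: str
    handles_pii: bool = False
    handles_phi: bool = False
    critical_service: bool = False
    cloud_hosted: bool = False
    staff_access_to_data: bool = False


def applicable_domains(profile: VendorProfile) -> set:
    """Map what the vendor touches to the risk domains worth asking about."""
    domains = {"security"}                       # every engagement gets the security baseline
    if profile.handles_pii or profile.handles_phi:
        domains.add("privacy")
    if profile.critical_service:
        domains.add("bcp")
    if profile.cloud_hosted:
        domains.add("cloud")
    if profile.staff_access_to_data:
        domains.add("hr")
    return domains


def scope(master: list, profile: VendorProfile) -> list:
    """Keep only top-level questions in applicable domains, grouped by domain (stable sort)."""
    domains = applicable_domains(profile)
    selected = [q for q in master if q.domain in domains]
    return sorted(selected, key=lambda q: DOMAIN_ORDER[q.domain])


def expand(questions: list, answers: dict) -> list:
    """Depth-first walk: add follow-ups whose parent has been answered and whose
    predicate matches that answer. Unanswered parents contribute no follow-ups,
    so the vendor only ever sees questions their own answers made relevant."""
    out = []
    for q in questions:
        out.append(q)
        if q.qid in answers:
            triggered = [child for pred, child in q.follow_ups if pred(answers[q.qid])]
            out.extend(expand(triggered, answers))
    return out


def question_ids(questions: list) -> list:
    return [q.qid for q in questions]


if __name__ == "__main__":
    vendor = VendorProfile("Example Payroll Co.", handles_pii=True, staff_access_to_data=True)
    first_round = scope(MASTER, vendor)
    # Constructed sample answers from the vendor's first round.
    second_round = expand(first_round, {"SEC-1": "Yes", "PRIV-1": "No"})
    for q in second_round:
        print(f"[{q.domain}] {q.qid}: {q.text}")
        if q.evidence_hint:
            print(f"    evidence: {q.evidence_hint}")
```

Two design points carry the interview's advice. `scope` decides domains from the vendor profile before anything is sent, so an SaaS vendor with no personal-data access never sees the privacy block, and a non-critical vendor is not asked for continuity plans. `expand` runs against answers already received, so the SEC-1 "no" branch asks about compensating controls while the "yes" branch asks about review cadence and ownership, and neither branch is sent until the parent answer exists.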


How ProcessUnity Vendor Due Diligence Software Can Streamline Third-Party Questionnaires 

ProcessUnity Vendor Risk Management automates key steps in the vendor due diligence process to establish a pre-contract process and a post-contract cadence. By automatically scoping third-party questionnaires based on company policy, your organization gains precise data points on third-party risk. To learn more about ProcessUnity Vendor Risk Management, click here.