Expert Tips for Setting up a Vendor Questionnaire

Vendor Assessment Questionnaire

Assessing Third Party Risk with a Vendor Questionnaire

Vendors deliver reduced costs and increased productivity, making them very advantageous for business strategy. Conversely, they can expose the organization to security, privacy, compliance, ethics and resiliency issues. For this reason, it is necessary, and often mandated, that organizations conduct due diligence and assess third parties on the level of risk they pose throughout the relationship. An appropriate vendor questionnaire can significantly increase an organization's ability to manage the relationship effectively and mitigate overall risk. However, assessing vendors and setting up questionnaires can quickly turn into an overwhelming task.

If you work in procurement or vendor management, you know just how time consuming, and necessary, vendor questionnaires are for assessing third parties and managing risk. Every organization has its own set of processes, procedures and policies representing a diverse risk scope, which makes it challenging to create the right questionnaire for each vendor. Far too often, we have witnessed organizations resort to generic techniques for assessing vendors that provide little help in identifying potential risk exposure and evaluating it against the organization's risk tolerance.

In this blog, we will provide several tips for setting up a vendor questionnaire to assist your organization in laying the groundwork to identify potential vendor risks. These strategies should give your organization a leg up in managing risk throughout the lifecycle of the relationship: 

Engage the relationship owner in your business: Integrating owners helps scope the assessment to ensure the proper risk areas are covered. 

Categorize your vendors: Develop a taxonomy of the types of relationships in the extended enterprise to help scope the assessment – supplier, vendor, outsourcer, contractor, consultant, service provider, temporary worker, broker, agent, dealer, intermediary, partner, etc. You need to be able to dynamically scope your assessment questionnaire based on the services provided. 

Categorize your risks: Create a taxonomy of the types of risk categories and select which risk areas are in scope for the relationship – privacy, information security, human rights/slavery, anti-bribery and corruption, quality, environmental, health and safety, ESG, etc. 

Know your geographies: Not all risks have the same risk level in various parts of the world. Know where your third parties are located to know which risk areas are higher and need more attention on the assessment. 

Understand your audience: Who is the vendor questionnaire going to? What role? What languages? You may need to provide assessment questions in multiple languages. 

Screen the parties against databases: Determine if there are issues/red flags that pop up on watch lists, sanction lists, negative news, politically exposed persons, reputation/brand lists, etc. These indicators may reveal that the relationship should not be considered or provide you with more information on where to scope assessments. 

Standardize your questionnaire: By leveraging standardized questionnaires, such as the SIG from Shared Assessments, the organization can build its vendor questionnaires on a comprehensive, consistent set of questions. Additionally, using simple "Yes" or "No" questions will often allow the responding organization to answer faster.

Organize your vendor questionnaire in thematic groups: There are various risk exposures that you can use to organize the assessment, such as information security, privacy, compliance, ethics, financial viability and resiliency. Organize questions in a like-for-like fashion to enable consistent scoring. You should design your questions in a manner that lets you quickly identify the issues within responses. 

Understand controls and map them to questions: It is essential to tie the assessment questions back to your control environment to provide greater efficiency in identifying gaps. By mapping these questions to controls, you can easily address issues in your control environment.  

Review common mishaps: Suppose vendors are answering specific questions incorrectly or poorly. In that case, it may be an indicator that the question is ambiguous or that training and context need to be provided to the vendor.  

Write your questions clearly: Use common, straightforward language that is easy to read and understand. Multiple choice questions are ideal as they allow direct answers; however, essay questions are needed to get a broader perspective. Note that the drawback of essay questions is that it is challenging to enforce logic (branching, required evidence, automated scoring) on free-text responses.

Utilize branching: Often, when a question is answered in a satisfactory or unsatisfactory way, other questions need to be asked to gain more clarity, or some questions can be skipped. This spares the vendor from answering unnecessary questions and can ultimately reduce vendor fatigue.

Use automation: Leverage workflow and task management to make sure nothing slips through the cracks. This functionality allows vendors to be alerted when they have a task waiting to be completed, or prompted to finish a questionnaire. It also enables the internal processing and engagement of the relationship owner in the business.

Use logic: If you require evidence or documentation to support an answer, vendors should not have the ability to move to the next screen without submitting the response. This also includes providing context and routing for the next steps. As part of the process, you may also want to consider developing remediation steps and timelines. Another consideration is having preferred responses to match answers against so you can identify examples of good and bad answers. 
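The thematic grouping, control mapping, branching and evidence-gating tips above can be expressed as a small questionnaire engine. The following is an added example, not code from the original post or any vendor platform; the question IDs, control IDs, themes and sample answers are constructed for illustration.

```python
# Added example (not from the original post): a minimal questionnaire engine that
# models thematic groups, control mapping, yes/no questions, branching follow-ups
# and evidence gating, then reports control gaps and a per-theme gap count.
# Question IDs, control IDs and sample answers are constructed, not real values.
from dataclasses import dataclass, field

@dataclass
class Question:
    qid: str
    theme: str                      # thematic group, e.g. "information security"
    text: str
    controls: list                  # internal control IDs this question maps to
    preferred: str = "yes"          # the answer that indicates the control is met
    evidence_required: bool = False # must attach a document before moving on
    followups: dict = field(default_factory=dict)  # answer -> [follow-up qids]

QUESTIONS = {
    "IS-1": Question("IS-1", "information security",
                     "Is MFA enforced for remote access?", ["AC-2"],
                     followups={"no": ["IS-1a"]}),
    "IS-1a": Question("IS-1a", "information security",
                      "Is MFA remediation planned within 90 days?", ["AC-2"]),
    "IS-2": Question("IS-2", "information security",
                     "Do you hold a current SOC 2 Type II report?", ["AU-1"],
                     evidence_required=True),
    "PR-1": Question("PR-1", "privacy",
                     "Is a data processing agreement in place?", ["PR-4"]),
}
ROOT = ["IS-1", "IS-2", "PR-1"]   # questions asked to every vendor; follow-ups are reached only by branching

def evaluate(answers, evidence):
    """Walk the questionnaire with branching.
    answers: {qid: "yes"/"no"}; evidence: set of qids that have an attachment.
    Returns (gaps_by_control, blocked_qids, gaps_by_theme)."""
    gaps, blocked, by_theme, queue = {}, [], {}, list(ROOT)
    while queue:
        qid = queue.pop(0)
        q = QUESTIONS[qid]
        ans = answers.get(qid)
        if ans is None:
            continue                       # unanswered or skipped question
        if q.evidence_required and qid not in evidence:
            blocked.append(qid)            # logic rule: cannot proceed without a document
        if ans != q.preferred:             # compare against the preferred response
            for c in q.controls:
                gaps.setdefault(c, []).append(qid)
            by_theme[q.theme] = by_theme.get(q.theme, 0) + 1
        queue.extend(q.followups.get(ans, []))   # branching: ask follow-ups only when needed
    return gaps, blocked, by_theme
```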

Attestations: Get final verification/signature on who completed an assessment. Get specific attestations to any policies, requirements and the like presented to the third party. You may need to provide context, such as specific language that needs acknowledgment in a document. In this case, point to the relevant wording or link it to the question.

Supporting documentation: Provide the ability to attach supporting evidence as attachments in the vendor questionnaire. These can be policies, certifications/accreditations, audit reports, proof of insurance and more. 

Once questionnaires are completed, organizations need to know how to respond to the risks identified in an assessment. The organization should consider these questions upon review:

  • Is the relationship too risky to enter?  
  • What controls are put in place to address either high or moderate risks that can allow a potentially risky relationship to move forward?  
  • When do you exercise the right to audit clauses or add service-level agreements? 

Finally, it is essential to note that vendor questionnaires are not a one-time onboarding exercise but should be done regularly (e.g., annually). An assessment should be initiated if key risk indicators are triggered. A trigger condition would tell the system to send a designated assessment when a specific event is determined. These “trigger events” could be supplied by outside content partners and include news related to the vendor, geo/political incidents, environmental/weather impacts or economic changes. This type of monitoring can help you avoid unexpected interruptions and potentially adverse effects on your organization’s reputation. 

Overall, vendor questionnaires are a critical part of an effective third-party risk management program. A well-developed vendor questionnaire provides valuable insight into the vendor's processes, procedures and policies. This helps an organization be proactive in managing potential emerging risks and identify areas for improvement. For more information on this topic and how your organization can improve the vendor risk assessment questionnaire process, download our eBook, Building Better Vendor Risk Assessments.