Properly Scoping Vendor Due Diligence Drives Business Impact

Properly Scoping Vendor Due Diligence Saves Both Time and Money

One of the costliest mistakes immature Third-Party Risk Management teams make is taking a “one-size-fits-all” approach to scoping vendor due diligence questionnaires. The thought is a single assessment questionnaire requires fewer resources than creating a custom questionnaires for each vendor. In reality, when questionnaires are scoped correctly, your business saves time and money while safeguarding against the next breach.

Why is scoping your vendor due diligence questionnaires so important? Poorly scoped vendor questionnaires can lead to unnecessary analysis on lower-risk vendors, taking time away from higher-priority risk mitigation and possibly creating an assessment backlog. Under-assessing high-risk vendors can leave you open to more risk exposure, while over-assessing lower-risk vendors can create vendor and analyst fatigue.

Vendors should only be asked the most relevant questions from your library. Asking only what’s required and appropriate will make your vendors more responsive, increase analyst efficiency, and help you onboard more vendors in less time with the same resources. Ultimately, you focus more time on mitigating vendor risk rather than chasing down documents and responses.

Let’s review the how mature organizations approach scoping vendor due diligence.

Four Ways to Scope Vendor Due Diligence Questionnaires

Different stages of due diligence serve different objectives. That means that you will need different scoping strategies based on whether due diligence occurs before or after the contract is signed. To best suit your risk profile and tailor your questionnaires, explore four of the most common scoping techniques.

1. Inherent risk-based

When you know a vendor’s risk category — low, medium, high, or critical — you can assess them with a questionnaire tailored to their risk level. For example, a low-risk vendor could be the landscapers maintaining the grounds, while medium-risk vendors might be your cleaning service. Janitorial workers may seem low risk, but they’re inside the facilities with potential access to more information. Your team probably won’t assess vendors in the low-risk tier, while the medium-tier vendors will receive a question set sufficient with their risk category. Taking this strategy allows you to spend less time assessing vendors that don’t pose as much risk to your organization.

2. Service type-based

Scoping a questionnaire based on the vendor’s service type allows you to ask questions specific to the nature of their service or product. These might include questions on data security and privacy, access, or contract amount. For example, you would ask a cloud service provider to show evidence of their cybersecurity controls. You wouldn’t need to ask the same of your promotional product agency.

3. Controls-based

Controls-based scoping focuses on investigating the vendor’s cybersecurity assets, IT systems and the controls in place to protect them. This method helps you correlate third-party due diligence responses to your controls to validate the external effectiveness of your internal controls. Controls-based scoping allows you to develop a holistic sense of your security throughout the extended enterprise. It allows you to validate that your third-party ecosystem upholds your organization’s cybersecurity posture.

4. Automated questionnaire scoping

Automated questionnaire scoping can come in handy when you want to improve your question sets, response time, and compliance reporting. When vendors provide responses, automation shows or hides questions based on their answers. For example, if a vendor indicates that they do not process sensitive data, then a question set related to data privacy will not appear. This eliminates the need to handpick questions from a master template for each questionnaire. In-flight, automated scoping means that you don’t have to scope question sets for each vendor criticality level. Instead, you can use a master template that an automated platform will scope in real time for you and your vendors.

Putting in the resources to protect your organization will require dedication to every aspect of the business — even the places, processes, and vendors at the farthest reaches of your organization. Scoping vendor due diligence questionnaires properly isn’t a step to be missed or minimized, as the future of your organization and your partners may depend on the attention you give it today.

Benefits of Automated Questionnaire Scoping

 When your organization invests in a technology like ProcessUnity Vendor Risk Management, your TPRM professionals can automatically scope vendor due diligence questionnaires. As a result, risk management processes become faster, cheaper, and more effective. According to independent research led by GRC analyst Michael Rasmussen, ProcessUnity customers spend 85% less time on ongoing assessments.

In financial terms, the benefits are even more pronounced. According to Michael Rasmussen at GRC 20/20, organizations can expect to see a significant return on investment in record time:

• “Large organizations can see a return on investment in 29 days. Over five years, they can expect a total return on investment of $14,855,000.”
• “Medium organizations can see a return on investment in 33 days. Over five years, they can expect a total return on investment of $5,917,500.”
• “Small organizations can see a return on investment in 37 days. Over five years, they can expect a total return on investment of $2,915,250.”

Due diligence is a key investment for any organization working today, but effective due diligence doesn’t mean dumping countless time and money into processes that could be done more efficiently. Instead, by scoping your questionnaires correctly, your organization can close gaps in its third-party ecosystem while saving time and money.