Six Tips for Building Effective Vendor Risk Assessment Questionnaires
A well-designed vendor risk assessment questionnaire is vital for a successful vendor risk management program. Creating the best questionnaire – in structure and content – can be difficult. There are no specific rules to follow, but here are our tips to build a great questionnaire:
- Create a refined and specific set of questions
One of the biggest questionnaire-related mistakes a company can make is combining every possible question into one enormous survey without thoughtful review. They send the same 500+ question assessment to every third party whether those questions are applicable or not. This one-size-fits-all strategy is time-consuming, frustrating and counterproductive. It also leads directly to vendor fatigue. Your questions should align not only with your risk appetite but with the particular vendor’s risk level and the service provided. Questions should be industry specific, and the questionnaire should be built so that sections can be added or removed to match the business the company does with a specific vendor.
- Give clear instructions and use simple language
If the questions are confusing, the answers could end up being inaccurate. Make sure the vendor can understand the question and answer it accurately. Avoid jargon-heavy “regulatory speak” and express your questions as simply and directly as possible.
- Avoid open-ended questions wherever possible
Write as many questions as possible with a Yes/No/Not Applicable answer list or a pick list. Include follow-up questions that depend on an initial response: for example, if the answer to a question is Yes, prompt the respondent to answer further questions. Fixed-answer questions make it easier to automate scoring, to quickly identify non-preferred responses in reports and to compare against past questionnaires to assess any new risks in ongoing due diligence.
There may be no way to escape asking a few narrative questions. Make sure you have a plan in place to handle attached policies and train your team to ensure consistent scoring on long-form responses.
- Organize questions into sections relating to specific risk domains
Determine what your business cares about most and build the questionnaire structure and questions themselves around that, aligning them with the risk areas most important to the company. Sections of related questions can be skipped if the questions don’t relate to the vendor relationship or service. Structuring your questionnaire in sections also allows for scores to be rolled up by risk domain to best understand where your risk lies.
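As an added example (not part of the original article), the following Python sketch scores a fixed-answer questionnaire of the kind described in the two tips above: each question has a preferred answer, follow-ups are unlocked by a trigger answer, Not Applicable is excluded from the denominator, non-preferred responses are flagged, scores roll up by risk domain, and a current assessment is compared against a previous one. The questions, weights and answers are constructed sample data, not from any real questionnaire.

```python
from dataclasses import dataclass, field
@dataclass
class Question:
    qid: str
    text: str
    preferred: str               # answer that earns the points; "N/A" is never penalised
    weight: int = 1
    trigger: str = ""            # answer that unlocks the follow-up questions ("" = none)
    follow_ups: list = field(default_factory=list)

QUESTIONNAIRE = {  # constructed sample: two risk domains, AC2 branches into AC2a
    "Access control": [
        Question("AC1", "Is MFA enforced for all administrative access?", "Yes", 2),
        Question("AC2", "Do subcontractors access our data?", "No", 1, trigger="Yes",
                 follow_ups=[Question("AC2a", "Is subcontractor access reviewed quarterly?", "Yes", 2)]),
    ],
    "Incident response": [
        Question("IR1", "Is your incident response plan tested at least annually?", "Yes", 2),
        Question("IR2", "Will you notify us of a confirmed breach within 72 hours?", "Yes", 1),
    ],
}

def _score(questions, answers, flags):
    # Returns (earned, possible) weight for one list of questions; recurses into triggered follow-ups.
    earned = possible = 0
    for q in questions:
        a = answers.get(q.qid, "N/A")       # unanswered is treated as Not Applicable
        if a != "N/A":                       # N/A drops the question from the denominator
            possible += q.weight
            if a == q.preferred:
                earned += q.weight
            else:
                flags.append(q.qid)          # non-preferred response, surfaced in reports
        if q.trigger and a == q.trigger:
            e, p = _score(q.follow_ups, answers, flags)
            earned, possible = earned + e, possible + p
    return earned, possible

def score_questionnaire(answers):
    # Roll scores up by risk domain: {domain: (percent of possible points, [flagged qids])}.
    result = {}
    for domain, questions in QUESTIONNAIRE.items():
        flags = []
        earned, possible = _score(questions, answers, flags)
        result[domain] = (100 if possible == 0 else round(100 * earned / possible), flags)
    return result

def new_risks(previous, current):
    # Flags raised by the current assessment that the prior one did not raise (ongoing due diligence).
    seen = {f for _, fl in previous.values() for f in fl}
    return sorted(f for _, fl in current.values() for f in fl if f not in seen)
```

Running `new_risks` on an onboarding result and a later annual result lists exactly the question IDs whose answers have turned non-preferred since onboarding, which is the comparison the "Be consistent" tip depends on.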
- Be consistent
If there is a classification questionnaire for onboarding a vendor and one for ongoing due diligence of a business relationship, keep them consistent. Align the sections, questions and scoring so that results are compared like for like; only then can residual risk at each level be accurately defined.
- Review your questionnaire(s) annually (or sooner if market conditions change)
Your initial set of questions is going to change over time as your business changes and your vendor risk program matures. Have a process in place to review them annually (or more frequently as required) to make sure the types of questions you’re asking are in alignment with the types of vendors you work with and the specific services they provide. Regulations and risks in industries change, so companies must ask whether the questions being asked are still appropriate for today’s risks.
Annual reviews are typical, but if a company receives a lot of “Not Applicable” answers or all vendors are coming up high risk, it may be a sign that something is wrong with the questions and the questionnaire should be reviewed and adjusted as soon as possible.
To learn how organizations like yours can improve the vendor risk assessment questionnaire process while balancing regulatory pressures, business requirements and budget constraints, download our ebook: Building Better Vendor Risk Assessments.