The Evolution of the Third-Party Due Diligence Questionnaire

4 minute read

August 2020

To compete in today’s marketplace, companies routinely engage third parties to provide all manner of products and services. Nonetheless, every third party presents a certain degree of risk.  

To make intelligent decisions regarding which third parties to hire and determine how best to mitigate the risk they present, companies must conduct initial as well as ongoing third-party due diligence, which involves the administration of assessment  questionnaires. Furthermore, in response to changes in the regulatory environment coupled with an ever-changing threat landscape, the breadth and scope of third-party risk management programs has continued to evolve. Consequently, so too has the third-party due diligence questionnaire.  

In the Beginning: The One-Size-Fits-All Due Diligence Questionnaires

Not long ago, businesses made do with a single questionnaire for every type of vendor. While that approach proved expeditious, every vendor, regardless of their size and inherent risk, completed the same form. Consequently, the scope of the questionnaire was often too broad for some vendors while not broad enough for others. And given the lack of relevancy to their operations and the resulting administrative burden, companies ran the risk of alienating some of their third parties during the process. 

Questionnaires Based on Inherent Risk Level

The next iteration of the due diligence questionnaire split the questionnaire according to the third-party’s risk profile. To support this approach, companies needed to segregate their vendor population to ensure that each vendor received the appropriate questionnaire. However, this still required the maintenance of multiple versions of the third-party due diligence survey. Furthermore, businesses needed to determine which questions to include in each version. And should the need arise to update the questionnaire, companies needed to make changes to multiple questionnaires simultaneously. Organizations now had three or more questionnaires – usually a superset for critical vendors, with smaller sets and subsets for less risky partners. Determining which questions appeared in which assessment posed a challenge as did making updates to questions that appeared in multiple question sets. 

Auto-Scoping Due Diligence Questionnaires

The next iteration of the questionnaire – the self-scoping questionnaire – automatically showed or hid questions (or sections of questions) from the questionnaire based on the real-time responses and risk-level of the vendor. Third parties could also also delegate questions or sections of the questionnaire within their company, and therefore provide more accurate and relevant responses. By removing or inserting individual questions or entire sections, organizations presented the most applicable questions to the vendor considering its operations, goods or services provided, and overall relationship with the company. And since the questions evolved based on the vendor’s responses, the questionnaire could focus on the areas of greater concern to the business and its ability to measure, manage, and mitigate third-party risk. 

Since there was only one version of the questionnaire to maintain, organizations didn’t need to expend the time, effort, and expense in updating multiple versions simultaneously and were able to create a standardized third-party risk program. While this approach was and still is beneficial, there was another iteration of the questionnaire on the horizon. 

Self-Scoring Vendor Self-Assessments

Today’s self-scoring assessments allow companies to scrutinize a vendor’s responses based on a preferred response for each question. This approach has proven highly effective in uncovering where the greatest risk resides, and consequently, where the company should focus its review time. Now, instead of requiring an organization’s risk personnel to conduct an in-depth manual review of a vendor’s responses, next-gen questionnaires programmatically identify those areas that require further analysis. 

The technology supporting the most advanced version of the questionnaire can also minimize the administrative burden by pre-populating responses from prior years as well as auto filling basic data, such as the information housed in the vendor’s previously completed profile.  

Self-scoping and self-scoring questionnaires are used in tandem in mature Third-Party Risk Management programs 

The Benefits of a Streamlined and Standardized Approach to Third-Party Due Diligence

As the third-party due diligence questionnaire evolved, companies improved their ability to satisfy regulatory expectations while also improving their understanding and effectiveness in mitigating third-party risk. Additionally, each time a company adopted the latest approach, they reduced the administrative burden placed on their vendor portfolio. 

With the use of dedicated technology systems that incorporate the most sophisticated version of the third-party due diligence questionnaire, companies can capture a higher quality of input from vendors, which in turn delivers a far more proactive approach to vendor risk management. 

To learn more about the evolution of the third-party due diligence questionnaire and why investing in a high-performing third-party risk management program is invariably less than the cost of non-compliancedownload our latest white paper, Understanding the Evolution of the Third-Party Due Diligence Questionnaire. 

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit