Six Tips for Building Effective Vendor Risk Assessment Questionnaires

3 minute read

May 2017

by DEV

A well-designed vendor risk assessment questionnaire is vital for a successful Vendor Risk Management program. Creating the best questionnaire – in structure and content – can be difficult. There are no specific rules to follow, but here are our tips to build a great questionnaire:

1. Create a refined and specific set of questions

One of the biggest questionnaire-related mistakes a company can make is combining every possible question into one enormous survey without thoughtful review. They send the same 500+ question assessment to every third party whether those questions are applicable or not. This one-size-fits-all strategy is time-consuming, frustrating and counterproductive, leading directly to vendor fatigue. Your questions should align not only with your risk appetite but with the particular vendor’s risk level and the service provided. Questions should be industry-specific, and the questionnaire should be built so that sections can be added or removed to fit your business relationship with a specific vendor. Preferred responses in line with the company’s policies should be set and tracked.

2. Give clear instructions and use simple language

If the questions are confusing, the answers could end up being inaccurate. Make sure the vendor can understand the question and answer it accurately. Avoid jargon-heavy “regulatory speak” and express your questions as simply and directly as possible.

3. Avoid open-ended questions wherever possible

Write as many questions as possible with a Yes/No/Not Applicable answer list or a picklist. Incorporate questions with subsets of questions that depend on an initial response, e.g. if the answer to a question is yes, prompt the respondent to answer follow-up questions. Fixed-answer questions make it easier to automate scoring, to quickly identify non-preferred responses in reports and to compare against past questionnaires to assess any new risks in ongoing due diligence. There may be no way to escape asking a few narrative questions. Make sure you have a plan in place to handle attached policies and train your team to ensure consistent scoring on long-form responses.

4. Organize questions into sections relating to specific risk domains

Determine what your business cares about most and build the questionnaire structure and questions themselves around that, aligning them with the risk areas most important to the company. Sections of related questions can be skipped if the questions don’t relate to the vendor relationship or service. Structuring your questionnaire in sections also allows for scores to be rolled up by the risk domain to best understand where your risk lies.
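The scoring approach described in tips 1, 3 and 4 (preferred responses, Yes-triggered follow-ups, per-domain roll-ups and comparison against a prior assessment) can be made concrete in a small script. This is an added example, not ProcessUnity's code; the question IDs, domains, weights and both response sets are constructed sample data.

```python
"""Score a fixed-answer vendor questionnaire and roll up risk by domain."""
from collections import defaultdict

# Constructed sample question set. Each question has a risk domain, a
# preferred answer, a weight, and an optional parent: a follow-up question
# only applies when its parent question was answered "Yes".
QUESTIONS = {
    "AC-1": {"domain": "Access Control", "preferred": "Yes", "weight": 3, "parent": None},
    "AC-2": {"domain": "Access Control", "preferred": "Yes", "weight": 2, "parent": "AC-1"},
    "DP-1": {"domain": "Data Protection", "preferred": "Yes", "weight": 3, "parent": None},
    "BC-1": {"domain": "Business Continuity", "preferred": "Yes", "weight": 1, "parent": None},
}

# Constructed responses from an onboarding review and a later periodic review.
PREVIOUS = {"AC-1": "Yes", "AC-2": "Yes", "DP-1": "Yes", "BC-1": "No"}
CURRENT = {"AC-1": "Yes", "AC-2": "No", "DP-1": "N/A", "BC-1": "No"}


def score(responses):
    """Return (risk_by_domain, non_preferred_ids, na_count).

    Risk points accrue only for applicable questions whose answer differs
    from the preferred answer; "N/A" and missing answers add no risk but
    are counted, since a high N/A rate is a signal to review the questions.
    """
    risk = defaultdict(int)
    findings = []
    na_count = 0
    for qid, q in QUESTIONS.items():
        if q["parent"] and responses.get(q["parent"]) != "Yes":
            continue  # follow-up was never triggered; skip it entirely
        answer = responses.get(qid)
        if answer is None or answer == "N/A":
            na_count += 1
            continue
        if answer != q["preferred"]:
            risk[q["domain"]] += q["weight"]
            findings.append(qid)
    return dict(risk), findings, na_count


def new_risks(previous, current):
    """Non-preferred answers present now that were not in the prior review."""
    return sorted(set(score(current)[1]) - set(score(previous)[1]))


if __name__ == "__main__":
    by_domain, flagged, n_a = score(CURRENT)
    print("risk by domain:", by_domain)
    print("flagged:", flagged, "N/A count:", n_a)
    print("new since last review:", new_risks(PREVIOUS, CURRENT))
```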

5. Be consistent

If there is a classification questionnaire for onboarding a vendor and another for ongoing due diligence of a business relationship, keep them consistent. Align the sections, questions and scoring. When you are comparing like with like, residual risk at each level can be defined accurately.

6. Review your questionnaire(s) annually (or sooner if market conditions change)

Your initial set of questions is going to change over time as your business changes and your vendor risk program matures. Have a process in place to review them annually (or more frequently as required) to make sure the types of questions you’re asking are in alignment with the types of vendors you work with and the specific services they provide. Regulations and risks in industries change, so companies must ask if the questions being asked are still appropriate for today’s risk.

Annual reviews are typical, but if a company receives a lot of “Not Applicable” answers or all vendors are coming up high risk, it may be a sign that something is wrong with the questions and the questionnaire should be reviewed and adjusted as soon as possible.

To learn how organizations like yours can improve the vendor risk assessment questionnaire process while balancing regulatory pressures, business requirements and budget constraints, download our ebook: Building Better Vendor Risk Assessments.

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.