In today's interconnected business landscape, organisations increasingly rely on third-party vendors and suppliers to support their operations. While these partnerships bring numerous benefits, they also introduce a level of risk that must be effectively managed. Third-party risk assessment questionnaires have traditionally played a key role in evaluating and mitigating these risks. This article sheds light on the challenges faced while leveraging these questionnaires, highlights leading practices for their effective use, and concludes that a customised approach is crucial for organisations.
On average, and in our experience, the response rate for third-party risk assessment questionnaires ranges from a dismal 40 percent up to 100 percent. How the processes are structured and enabled through automation is one factor that determines where an organisation lies within that 40-100 percent range.
Common challenges faced while leveraging questionnaires for third-party risk assessment
- Ineffective Design: Lengthy and ambiguous questionnaires leading to incomplete or incorrect responses
- Assessment Fatigue: Third parties spend considerable resources answering individual assessment requests from each of their clients, leading to delayed responses or no response at all
- Reduced ability to uncover and analyze risks: Reviewing questionnaire responses often turns into a checklist-based review rather than a risk-based review of the third party.
Leading practices that have helped to overcome these challenges
- Smart Questionnaires: Develop risk-based questionnaires that are tailored to specific third parties and their unique risk and service profiles. By focusing on the areas most relevant to each third party, organizations can obtain more accurate and meaningful insights
- Leveraging Existing Third-Party Reports: Incorporate reports the third party already provides (including utility platforms, Service Organisation Controls (SOC) reports, Information Security Management System (ISMS) certificates, regulatory reports, and reports from any other independent assessment performed on the third party) to supplement the questionnaire responses. This reduces the burden on third parties of providing the same information repeatedly
- Combining External Data Feeds with Questionnaires: Leverage external data feeds that provide an outside-in, entity-level view of third-party risk posture to identify focus areas for questionnaire-based reviews. This approach narrows the number of questions for both the third party and the review team
- Automated Testing of Third-Party Controls: Utilise automation tools, such as bots or scripts, to perform automated testing of third-party controls. This approach is best suited for strategic third-party relationships where the organization can exercise significant control. Controls covered using this approach need not have corresponding questions in the questionnaire
- Artificial Intelligence/Machine Learning Use Cases: Emerging use cases include automated review of third-party responses, which involves parsing third-party documents, enumerating the information they contain, and concluding whether it aligns with the organization's control requirements. This can significantly reduce the effort needed to review questionnaire responses and allow assessors to focus on risk analysis.
So, what is the most practical way to move forward?
Navigating third-party risk assessment questionnaires requires a customized approach tailored to the organization's specific needs and the nature of its third-party relationships. It is important to note that the leading practices mentioned above are not one-size-fits-all solutions. Each organization should adapt and customize its approach based on its industry, regulatory requirements, and risk appetite. Small and consistent steps in this regard are likely to result in greater success than waiting for the perfect solution.
In the long term, there is potential for organizations to move to a questionnaire-free TPRM programme, driven by two key factors:
- Industry-wide consolidation of efforts towards Third Party Risk Assurance, aligned with Ease of Doing Business (Test once, Use X times). This could be enabled by standardization of assurance reports across risk domains and sectors
- Transformation led by automated and continuous (higher frequency – weekly/ monthly) assessment of third-party control data (instead of responses to a questionnaire) followed by issue remediation. One of the global FS majors successfully completed a pilot on technical control data review for select controls with one of their strategic partners. While challenges remain in scaling this up across the third-party universe, the move away from manual questionnaire driven assessments was refreshing.
Until that vision is achieved, questionnaires will continue to serve as an essential tool for supporting Third Party Risk Management Programmes.