Usually, the first step in most third-party risk management programs is the distribution of a risk assessment questionnaire to third-party vendors. These questionnaires come in a variety of flavors depending on the third party and the relationship you have with them, from anti-bribery and corruption to data privacy and IT security. Generally speaking, it's the general counsel or head of legal at most mid-size companies who oversees the development and distribution of these questionnaires, as it's a critical aspect of their overall third-party risk management program. Most general counsels are subject matter experts in data privacy and IT security and know the important things to consider when assessing third-party risk, right? Right?
What we're getting at here is the fact that while IT security and data privacy are areas of concern relating to third-party compliance risk (according to our research), it's pretty rare for a head of legal to be a subject matter expert in those areas. So when it comes time to develop or establish a third-party risk assessment questionnaire, where do most GCs turn? They either try to find a questionnaire online, develop one internally (taking valuable time and resources), or enlist an outside expert to rubber-stamp their version (at considerable cost).
If we look at the first option, finding a template questionnaire online, you could run into issues with the quality of the questionnaire you find. Basically: when was it created, and does it even cover all the important areas that should be considered? The next option, developing a questionnaire internally, can also be challenging. Getting consensus on what and how many questions to ask may cause friction, as different internal departments may have different risk tolerances. Finally, working with external experts to rubber-stamp a risk assessment questionnaire can be a budget breaker, and it isn't always necessary, as the best risk assessment questionnaires follow gold-standard best practices anyway.
What's a general counsel to do when it's time to develop, improve or establish the questionnaire component of a third-party risk assessment program? We think the first step should be downloading our guide on this very topic, entitled "Third-Party Risk Management Questionnaires: What You Should Know". Our goal is to relieve some of the burden legal and compliance professionals face when they're at the start of their journey to establish or improve their third-party risk management program... starting with the risk assessment questionnaire.