Many have questioned the value of a third-party risk questionnaire. How much information can you really glean from a questionnaire anyway? Especially since organizations want to look good and will frequently answer in the affirmative. The following is a list of adjustments Intermountain Health has made to our process to improve our security and decrease risk with vendors.
Early on in our third-party risk journey we likely had a similar experience to most other teams. We created a questionnaire with yes, no, or not applicable answers. But there was one slight problem… Everyone was answering yes to everything. How could our questionnaire have value with only yes and no options?
The value of adding the answer choice ‘partial’.
As a result of vendors always answering “yes”, we had a few key follow-up questions we would ask. One of them was to ask for a ‘high level overview’ of the process they claimed to be following. What we discovered was that the process was either only partially followed, or the vendor was beginning to implement the process and therefore answered yes. Because of this realization, we decided to add a ‘partial’ option to our multiple-choice questions. This resulted in vendors better explaining their process. We found that simply offering the “partial” answer choice gave us better insight into the maturity of a vendor’s process. It also provided an avenue into further probing on topics that we deemed important to our organization.
Compare what is said to what was said last time.
Another change we made was to more closely compare the current questionnaire responses from a vendor to past responses from the business owner and the vendor. Key questions we ask and compare are with regards to data flows, data storage, current products and services provided. This has led to a discovery of several items such as data being stored offshore (which is against our standard) and products in use that currently do not have a security review completed. So, while we are still asking the same questions, we now have a baseline to work from and can determine if there are discrepancies that need to be addressed.
Business visit and demo. Compare what is said to what is done.
An additional change we have found beneficial is to visit with our internal business partners using the product. Although it has taken additional time, it has served us well as we have learned of process changes and additional data being sent to a vendor. In some cases, we found processes have changed compared to what was originally reviewed. These changes are then taken into consideration the next time we perform an assessment of the vendor. We also found cases where sensitive information was being uploaded to software that was not originally documented or approved. These visits also assist with questionnaire validation and we have found instances where vendor responses contradict the actual process and/or service provided.
In short, a few strategies we have found beneficial include adding a “partial” choice within the vendor questionnaire, comparing questionnaire responses to past conversations with the business and vendor, and reviewing user-level processes and documentation provided by the vendor. While these enhancements have added a few extra steps to our assessment process, they have exposed additional vendor risk not normally discovered with the completion of a questionnaire.