After years of working with organizations of all sizes, complexities, and industries, one thing I have noticed is that many companies are still performing their vendor due diligence with long, drawn-out yes/no questionnaires.
Maybe you’re using questionnaires and wondering why you would change. Maybe you’re part of a very mature program and wondering why in the world anyone still uses this methodology. Both situations definitely exist, and of course every shade in between. In particular, I see this most often in IT due diligence.
The easy explanation is that IT departments were the first to perform due diligence on their suppliers. The other risk domains were not yet on anyone’s radar. The people who first had to deal with this, usually IT staff (like me) or CIOs, had to work with what was available at the time, and they put together a series of what were, at the time, best practices.
This meant a big questionnaire that laid out every control that might apply to a vendor, based on an understanding of risk in the marketplace. They handed these over to their vendors and said, “I need you, as a vendor, to answer every single one of these questions.” In the absence of enabling technologies or data, it was really the only way to do it.
Unfortunately, I still often see these questionnaires from the other side, as a technology vendor. We have many customer relationships, and some of them send us these questionnaires to complete. While this may seem to work in the short term, it won’t work at scale. Five years ago, you could possibly get away with sending a 500-question questionnaire to your top five IT vendors. You could review every single answer, create an issue out of any “wrong” answer, and then chase those vendors for corrective actions on those issues.
Today, however, every company has dozens, hundreds, or even thousands of third parties. Even medium-sized companies might have 200–300 IT vendors alone. The traditional methodology of sending everybody this massive audit-like questionnaire, reviewing every single answer, and then making a risk decision based on that just doesn’t work with those kinds of numbers. This isn’t a trend that’s going to change, so you need to be able to scale.
The modern approach to due diligence means leveraging automation and third-party sources of information so that you can scale up. As other risk domains became important in third-party risk management (TPRM), such as ABAC risk, financial due diligence risk, ESG risk, and data privacy risk, we found that the people running those domain programs were risk managers who were already used to operating at scale inside their business. They knew they had to assess massive risks across the business, so they applied many of the same automation best practices to their TPRM.
Using automation means having models. Having models means having analytical tools that can make decisions for you automatically, so you don’t have to review 500 answers, turn the 12 that are “wrong” into issues, and then require corrective actions for each of them.
If you continue to run due diligence the manual (big questionnaire) way, the problem isn’t so much that you’ll be doing all of this extra work; what will actually happen is that you won’t assess that risk for most of those vendors at all. You will never get the near-infinite resources you would need to do it. If you don’t leverage modern techniques like automation and third-party data to scale your risk management process, your overall risk profile will go up, because effectively you’ll only be able to assess, with any accuracy, your top 10% riskiest or most strategic suppliers.
The solution is a system that, based on risk models, can automatically evaluate all inputs and, in an exception-based manner, surface only what should be looked at with rare and valuable human insight.
In such a system, you get to scale by taking advantage of third-party risk intelligence data. The challenge is that without the model, the associated automation, and exception-based processing, that extra data can make your program (and your problem) worse rather than better.
For your riskiest or most strategic IT suppliers, absolutely run them through a full, questionnaire-based diligence program and review all of their answers. The important part is to realize that this approach doesn’t scale. Using automation, model-based risk assessment, and third-party data allows you to assess all of your IT suppliers and reserve your manual assessment effort for only the riskiest or most strategic ones, lowering your overall risk profile.