4 min read · Fri Oct 06 2023
Improving third-party risk management: The power of compact questionnaires
In today's global, interconnected business environment, third-party partnerships have become crucial for organizations worldwide to achieve success. While these partnerships provide valuable opportunities, they also expose companies to various risks. To protect their interests, prudent companies prioritize third-party risk management (TPRM). As a result of NIS 2, increasingly more companies (we estimate around 100,000) will have to perform third-party risk management to comply with regulations.
However, the traditional approach of using standard frameworks, such as ISO, is proving less effective. In fact, we advise against using ISO or any other cybersecurity framework as the core of your third-party risk management. We recommend a focused approach.
If you have not yet started third-party risk management, read our blog post on getting started with third-party risk management. If you already have started and find it cumbersome, read on!
The challenge of third-party risk management
Third-party risk management involves assessing potential risks that arise when working with external partners, mostly suppliers. As organizations become more involved with a growing number of third parties, and as these interactions have become increasingly digital in nature, managing and mitigating these risks has become a complex task.
The conventional method of using large standard frameworks for risk assessments may seem a logical basis for third-party risk management, but it has its limitations. These frameworks often consist of an exhaustive list of questions, many of which do not directly address the specific nature of the third-party relationship or the unique risks involved. As a result, companies end up investing excessive time and resources in working through a plethora of questions that have minimal impact on the risk analysis. And imagine the daunting task facing your third-party provider, who has to answer this list of questions for each of their clients.
The importance of precision: compact questionnaires with relevant questions
A change in mindset is taking place in third-party risk management. Companies are recognizing that precision is crucial to effective risk assessments. Rather than relying solely on comprehensive standard frameworks, it is proving more useful to use compact questionnaires with relevant questions tailored to the specific context of each third-party relationship.
1. Efficiency and focus: Compact questionnaires allow organizations to concentrate on key risk areas and eliminate unnecessary distractions. By covering only the most relevant aspects, risk analysts can streamline the evaluation process and direct their efforts to what matters most. This approach saves time and resources, speeding up decision-making and allowing suppliers to respond more quickly.
2. Improved relevance: Tailoring the questionnaire ensures that the questions asked match the nature of the collaboration and the associated risks. This relevance leads to a more accurate identification and assessment of risks, resulting in a better understanding of potential vulnerabilities.
3. Improved collaboration: The use of a smaller, customized questionnaire encourages open communication and collaboration with third parties. If partners perceive that the assessment respects their time and applies directly to their operations, they are more likely to cooperate meaningfully and provide accurate answers.
4. Flexibility and adaptability: Relationships with third parties are fluid and risks may change over time. Compact questionnaires offer more flexibility in adapting to change, making it easier to update and improve the assessment process as the partnership progresses or new risks arise.
5. Ease of interpretation: Long questionnaires can overwhelm both risk analysts and the third parties involved. Smaller, focused questionnaires present information concisely, facilitating interpretation and effective action by all parties involved.
Certifications are important… to make questionnaires even more compact
Certifications are relevant. If a supplier is ISO 27001 or IEC 62443 certified, or has a SOC 2 report, many security aspects have already been considered in their operations. (SOC 2 is less rigid than ISO and has no formal certification; instead, organizations ask an independent auditor to report on the extent to which the organization has implemented its SOC 2 controls.) As a result, such suppliers may qualify for an even lighter questionnaire.
In many cyber security domains there are frameworks and standards that have neither a certification process (as ISO has) nor an audited reporting process (as SOC 2 has). This is the case for GDPR, NIST, CIS and several other useful frameworks. For these frameworks, self-assessments, especially when signed off by an executive of the company, can be accepted in place of individual questions or entire questionnaires. After all, the answers to the questionnaires you send to suppliers are not audited either by default, although they could serve as a basis for a future independent audit.
When it comes to third-party risk management, precision and relevance take precedence over completeness. This will become even more important when the NIS 2 regulation comes into force in EU member states and the number of third-party risk assessments rises sharply.
While established frameworks such as ISO provide valuable guidance, companies should also consider supplementing them with concise questionnaires that cover the relevant topics specific to the context of each partnership. In this way, companies can streamline their risk assessment processes, improve collaboration with third parties and ultimately strengthen their risk management strategies. Embracing this flexible and focused approach fosters sound collaboration between companies on cyber security, which in turn strengthens the resilience of organizations in today's ever-changing business landscape.
Jimmy is the founder, CEO and CTO of Ceeyu. Prior to founding Ceeyu, Jimmy was responsible for cybersecurity programs at large financial institutions and consulting company EY. Jimmy started his career as a security engineer. His duties included installing and managing firewalls, scanning infrastructure for vulnerabilities, and performing pen testing and ethical hacking.