
RANT Roundtable in partnership with Diligent

Thu, Mar 12, 2026
17:30 - 21:30
Sky Garden, London

'From ticking boxes to managing risk: Why teams must think beyond supplier questionnaires'

Supplier questionnaires are still the primary mechanism for assessing and managing third-party risk. But there’s good reason to be sceptical about their efficacy.
Were the questions you posed clear, concise and relevant? And can you really trust the answers? You send out a comprehensive questionnaire, and the supplier’s responses look reassuringly complete — until you notice they’re copy-pasted from last year’s assessment, despite significant changes to their IT environment. Even when answers are current, they have a shelf life: within six months, that ‘low-risk’ supplier may have migrated to new cloud infrastructure, experienced staff turnover, or faced emerging threats that render your assessment obsolete.
And then there’s the resource challenge. Security teams are drowning in questionnaires, lacking the time and capacity to thoroughly review hundreds of generic responses. Critical risks get lost in a sea of tick-box compliance exercises.
But perhaps the biggest missed opportunity is treating questionnaires as a compliance endpoint rather than a collaboration starting point. The goal shouldn’t be to simply collect completed forms and file them away. Instead, questionnaires should open a dialogue — a chance to understand your supplier’s actual security posture, identify gaps together, and work collaboratively to strengthen defences on both sides. When security programmes shift from an adversarial ‘audit mentality’ to a partnership approach, both parties benefit. Your suppliers get valuable insights to improve their security maturity, and you build more resilient third-party relationships based on transparency and continuous improvement.
Today’s fast-moving technology and threat landscape means point-in-time appraisals, by themselves, are no longer enough.
In an ideal world, your due diligence approach to suppliers should be as dynamic as the risk you need to manage.
The first step is to understand the criticality of each supplier. Then you can build out an appropriate third-party risk management (TPRM) programme.
That’s not to say questionnaires aren’t useful. When used correctly, they can provide a great starting point for TPRM initiatives. But equally they’re not a silver bullet. Too often they’re designed as a one-size-fits-all exercise. Questions might be overly long and complex — and not appropriate to the level of supplier risk involved.
A better way may be to complement security questionnaires with other assessment methods, such as real-time news monitoring, security ratings, and on-site visits. By combining multiple data sources, it’s possible to build a more accurate, multi-layered view of third-party risk.
To find out more, join Diligent and a select group of cybersecurity and risk leaders for an evening of insight and discussion. Hear how your peers are managing the challenges of TPRM, and how AI-powered tools can do more of the heavy lifting to reduce “questionnaire fatigue” and support real-time monitoring.
It’s time to reduce compliance grind and focus on managing risk.

Agenda

17:30  Bubbly Reception
18:15  Seated Welcome & Introduction
18:20  Roundtable Discussion
19:30  Dinner Served, Networking until close
21:30  Event Close

Our Speaker

Matthew Ford
Third Party Risk Management Expert
Howden

Our Proud Partner

At Diligent, we believe in a world where transformational leaders can build more successful, equitable and sustainable organisations. One million users and more than 700,000 board members and leaders rely on Diligent software to connect insights across governance, risk, compliance, audit and ESG to drive greater impact and lead with purpose. As the leader in governance, risk and compliance (GRC), one of our goals is to help organisations around the world meet their ESG commitments. And as a responsible organization, we have our own ESG commitments that we need to meet too. When it comes to ESG, words are nothing without action. We’re on our journey of translating our commitments into tangible, measurable processes.


Venue

Fenchurch Restaurant, Sky Garden
1, Sky Garden Walk, London - EC3M 8AF

Interested? Request to Attend

Fill in our form below to express your interest in attending this event and we will get back to you as soon as possible to confirm your seat.

* Please note that attendance to our events is subject to availability and a membership approval.


    Every delegate attending a RANT event must become an individual member of the RANT community. Individual membership is free and the completion of this form constitutes a membership application. To be approved as a member, you must work for an End User organisation and have registered using a valid work email address, current job title and company name. If you do not meet these terms, your registration will be declined and your data deleted.
    Once you have been approved, you will receive an email notification. For information regarding the collection, controlling and processing of your personal data, please see our Privacy Policy.