Optimising Third-Party Risk Management:
TPRM Questionnaires vs. Real-Time Monitoring or a Combination of Both?
As organisations increasingly rely on third parties for services, from IT to supply chain logistics, managing the associated risks becomes paramount. Effective Third-Party Risk Management (TPRM) ensures that these external relationships do not expose the organisation to undue financial, operational, regulatory, or reputational risks. The key challenge for risk managers and internal auditors is deciding how best to assess and monitor these risks.
Traditionally, questionnaires have been the go-to tool for assessing third-party risks, but the advent of real-time monitoring offers new possibilities. So, which approach is better? Should you rely solely on traditional questionnaires, adopt real-time monitoring, or use a combination of both? This article delves into the merits of each approach and argues why combining both may offer the most effective risk management strategy.
Third-Party Risk Management: A Strategic Imperative
The use of third parties introduces significant risks, such as cybersecurity vulnerabilities, regulatory non-compliance, and operational failures. To manage these risks effectively, organisations need robust methods for both assessing the risks before engaging with third parties and monitoring them on an ongoing basis.
Two common methods for managing these risks are sending TPRM questionnaires and employing real-time monitoring tools. Each has its benefits and drawbacks, but combining them can offer a more comprehensive, proactive, and efficient approach.
TPRM Questionnaires: A Traditional, Structured Approach
How TPRM Questionnaires Work
TPRM questionnaires are structured surveys sent to third parties, requesting information on their internal risk controls, policies, and processes. These surveys typically cover areas like:
- Information security:
- Security practices, encryption methods, and incident response plans.
- Compliance:
- Adherence to key regulations and standards such as GDPR, ISO/IEC 27001, PCI DSS, and HIPAA.
- Operational resilience:
- Business continuity plans and disaster recovery strategies.
- Financial stability:
- Assessing the third party’s financial health to ensure they can meet their contractual obligations.
Strengths of TPRM Questionnaires
- Customisation:
- Questionnaires can be tailored to align with your organisation’s specific risk management framework, offering deep insights into a third party’s risk posture.
- Documentation and Auditability:
- By documenting responses, questionnaires create an audit trail that demonstrates your organisation has undertaken due diligence—a crucial requirement for regulatory compliance.
- Comprehensive Assessment:
- Questionnaires cover a wide range of risk factors that are not always detectable through automated tools, such as governance, ethics, and operational frameworks.
Limitations of TPRM Questionnaires
- Static Snapshot:
- A major limitation is that a questionnaire offers only a point-in-time snapshot of a third party’s risk profile. If the third party suffers a security breach, incident, or operational failure after submitting it, nothing in the questionnaire process will surface that until the next review cycle.
- Self-Reported Data:
- Questionnaires rely on the accuracy and honesty of the third party. Vendors may overstate their capabilities or underreport weaknesses, and an unsupported “yes” is hard to tell apart from a supported one unless the questionnaire asks for evidence alongside each answer (policies, recent penetration test summaries, certification or audit reports).
- Resource-Intensive:
- Managing questionnaires, especially for a large portfolio of third-party vendors, can be time-consuming. Vendors may also experience survey fatigue, leading to delayed or incomplete responses.
Real-Time Monitoring: Dynamic and Continuous Risk Insight
How Real-Time Monitoring Works
Real-time monitoring tools continuously scan third-party environments, systems, and behaviours for risk indicators. These tools often focus on specific risk areas like cybersecurity, financial health, and operational stability.
The data for real-time monitoring comes from a range of external sources, typically open-source intelligence (OSINT) aggregated from over 400 feeds, including internet-wide scanners that record which services, certificates and software versions a vendor exposes on its public footprint. These tools combine such observations with financial and news data to give an up-to-date, outside-in view of the vendor’s cybersecurity posture, technical vulnerabilities, and financial health.
Strengths of Real-Time Monitoring
- Proactive Risk Detection:
- Real-time monitoring tools provide dynamic insights, allowing organisations to detect risks as they emerge, rather than waiting for a periodic review cycle.
- Objective Data:
- Real-time monitoring relies on observed, data-driven assessments rather than the vendor’s own account, reducing the scope for bias or misreporting. Standardised scoring such as FIRST’s Common Vulnerability Scoring System (CVSS), and structured methodologies such as MITRE’s Cyber Threat Susceptibility Assessment (CTSA), make findings comparable across vendors. A score is only as objective as the observations feeding it, though, and a vendor-level rating still depends on the provider’s choice of inputs and weightings.
- Automation and Efficiency:
- Monitoring tools automate data collection and alert stakeholders when potential risks arise, reducing the need for manual intervention.
Limitations of Real-Time Monitoring
- Costly Implementation:
- Real-time monitoring solutions, especially those that track a wide range of risk factors, can be expensive to implement and maintain.
- Limited Coverage:
- While effective at tracking externally observable cybersecurity and financial-health signals, real-time monitoring tools cannot assess subjective or internal factors such as governance, compliance, and ethical practices. An outside-in scan also says nothing about controls that are not visible from the internet, such as internal network segmentation, access management, or backup testing.
- False Positives:
- Automated monitoring systems can generate false positives, including findings on assets that belong to another organisation or are out of scope, which may overwhelm internal teams and cause them to lose sight of more critical risks. Asset attribution should be confirmed with the vendor before a finding drives any decision.
A Hybrid Approach: The Best of Both Worlds
Given the strengths and limitations of both approaches, using a combination of questionnaires and real-time monitoring can offer a comprehensive and dynamic risk management strategy. Here’s why:
1. Comprehensive Risk Coverage
TPRM questionnaires allow for detailed assessments of areas like compliance, governance, and operational resilience, which are not easily captured by real-time monitoring tools. Real-time monitoring, on the other hand, provides immediate alerts on emerging risks, such as a cybersecurity vulnerability or financial instability. Using both ensures a broad coverage of risks, from technical vulnerabilities to regulatory compliance.
2. Enhanced Due Diligence
Questionnaires provide a deep, structured understanding of a third party’s internal controls, while real-time monitoring validates or challenges the vendor’s claims with live data. For example, if a vendor claims robust cybersecurity measures but real-time monitoring detects multiple vulnerabilities, this discrepancy enables risk managers to engage with the vendor for corrective action.
3. Ongoing Risk Visibility
Real-time monitoring offers continuous visibility into evolving risks, while questionnaires provide a solid baseline of risk factors at the onboarding stage. This combination ensures both proactive risk detection and in-depth periodic assessments.
4. Efficient Use of Resources
By employing a hybrid approach, risk managers can allocate resources more effectively. Questionnaires can be reserved for high-risk vendors, while real-time monitoring covers ongoing risks across a broader pool of third parties. This allows for a more efficient use of time and resources without compromising risk oversight.
5. Improved Regulatory Compliance
A combination of questionnaires and real-time monitoring ensures that both initial and ongoing risk assessments meet regulatory requirements. TPRM questionnaires provide the documentation needed for audits, while real-time monitoring demonstrates that the organisation is continually vigilant.
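Point 2 above describes checking a vendor’s claims against live findings. The following Python script, an added example that is not code from the original article or from any TPRM product, shows one way to automate that reconciliation: each questionnaire control is mapped to the monitoring findings that bear on it, a “yes” with open findings is flagged as contradicted, a self-disclosed “no” with matching findings is recorded as a confirmed gap rather than a dispute, an SLA claim is only contradicted by findings older than the promised fix window, and controls with no external signal (governance questions) are reported as questionnaire-only. The control identifiers, answers, finding feed and the mapping from findings to controls are all constructed for illustration.

```python
"""Reconcile a vendor's questionnaire answers with external monitoring findings.

Added example, not code from the original article or any TPRM product. The
questionnaire, the control mapping and the findings feed are constructed for
illustration; a real programme would load them from its assessment platform
and its monitoring provider.
"""
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    control: str      # questionnaire control this finding is mapped to (assumed mapping)
    severity: str     # low | medium | high | critical
    first_seen: date  # when the monitoring feed first observed it
    detail: str


# Constructed questionnaire: control id -> (question, vendor's answer, SLA in days or None).
QUESTIONNAIRE = {
    "IS-01": ("Internet-facing services enforce TLS 1.2 or higher", "yes", None),
    "IS-02": ("Critical vulnerabilities are remediated within 30 days", "yes", 30),
    "IS-03": ("Remote administration interfaces are not exposed to the internet", "no", None),
    "IS-04": ("Email domains publish a DMARC policy of reject", "yes", None),
    "GOV-01": ("The board reviews the security risk register quarterly", "yes", None),
}

# Controls that an outside-in monitoring feed can actually observe (assumed).
OBSERVABLE = {"IS-01", "IS-02", "IS-03", "IS-04"}

# Constructed findings, shaped like what a monitoring provider's feed might return.
FINDINGS = [
    Finding("F-1", "IS-01", "medium", date(2024, 5, 2), "api host still accepts TLS 1.0"),
    Finding("F-2", "IS-02", "critical", date(2024, 3, 1), "web server version with a known critical vulnerability"),
    Finding("F-3", "IS-02", "critical", date(2024, 5, 20), "VPN appliance firmware out of date"),
    Finding("F-4", "IS-03", "high", date(2024, 4, 11), "RDP reachable from the internet"),
]


def reconcile(questionnaire, findings, as_of):
    """Return which claims live data contradicts, confirms, or cannot speak to."""
    by_control = {}
    for f in findings:
        by_control.setdefault(f.control, []).append(f)

    report = {"contradicted": {}, "confirmed_gaps": {}, "consistent": [], "questionnaire_only": []}
    for control, (question, answer, sla_days) in questionnaire.items():
        if control not in OBSERVABLE:
            # Governance questions have no external signal; they stay questionnaire-only.
            report["questionnaire_only"].append(control)
            continue

        open_findings = by_control.get(control, [])
        if sla_days is not None:
            # An SLA claim is only contradicted by findings older than the SLA window;
            # a fresh critical finding is still inside the vendor's promised fix time.
            open_findings = [f for f in open_findings if (as_of - f.first_seen).days > sla_days]

        # Worst findings first, so the conversation with the vendor starts with them.
        ids = [f.finding_id for f in sorted(open_findings, key=lambda f: -SEVERITY_RANK[f.severity])]
        if answer == "yes" and ids:
            report["contradicted"][control] = ids
        elif answer == "no" and ids:
            report["confirmed_gaps"][control] = ids  # vendor disclosed it: track, don't dispute
        else:
            report["consistent"].append(control)
    return report


def run_example():
    """Reconcile the constructed data as of 1 June 2024."""
    return reconcile(QUESTIONNAIRE, FINDINGS, as_of=date(2024, 6, 1))


if __name__ == "__main__":
    result = run_example()
    for control, ids in result["contradicted"].items():
        print(f"{control}: vendor answered yes, monitoring shows {', '.join(ids)}")
    print("confirmed gaps:", result["confirmed_gaps"])
    print("consistent:", result["consistent"])
    print("questionnaire only:", result["questionnaire_only"])
```

Keeping self-disclosed gaps separate from contradictions matters in practice: a vendor that admitted an exposed RDP service has been honest and needs a remediation plan, whereas a vendor that claimed TLS 1.2 everywhere while still accepting TLS 1.0 needs a conversation about the reliability of the rest of its answers. Before either conversation, confirm that the monitored asset really belongs to the vendor, since misattributed assets are the usual source of false positives.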
Best Practices for Implementing a Hybrid TPRM Strategy
- Risk-Based Segmentation:
- Not all third parties pose the same level of risk. Use real-time monitoring to cover lower-risk vendors continuously, while applying detailed questionnaires to higher-risk vendors at key stages (e.g., onboarding or renewal).
- Integrated Platforms:
- Use an integrated platform that combines questionnaire assessments and real-time monitoring to provide a single view of your organisation’s third-party risks. This eliminates silos and ensures that insights from both methods are aligned.
- Automated Reporting:
- Automate report generation for both real-time monitoring and questionnaire assessments. Set up alerts for key stakeholders to review high-risk findings, enabling quick action where necessary.
- Regular Updates:
- Continuously update questionnaires to reflect new risks, standards, and regulations, and ensure that real-time monitoring is configured to track emerging risks, such as new cybersecurity threats or compliance changes.
The Power of Combining TPRM Questionnaires and Real-Time Monitoring
Neither TPRM questionnaires nor real-time monitoring is sufficient on its own to address the full range of third-party risks. Used together, however, they create a powerful, dynamic, and comprehensive risk management strategy. By combining the depth of questionnaire assessments with the agility and objectivity of real-time monitoring, risk managers and internal auditors can ensure that their third-party risk management efforts are both thorough and proactive.
This hybrid approach enhances visibility into third-party risks, optimises resource allocation, and strengthens the organisation’s ability to respond to both emerging and long-term risks, all while maintaining regulatory compliance. In an ever-evolving risk landscape, this combination offers the most effective means of safeguarding your organisation.