RAJITA NAIR, 25 August 2020
One of the main hurdles in any assessment cycle is receiving responses from vendors. This step is a bottleneck in an otherwise smooth process. Our expertise and experience – conducting thousands of assessments every year, understanding the delays, and putting processes in place to avoid them – is how we have managed to keep the process seamless.
While there is no magic formula (that we know of) for speeding up the process, some practices, like sending a questionnaire that is relevant to the services provided by the vendor, are always recommended. In this blog, I will share these and similar methods.
For reference, in this blog, we want to show you the general trends we have seen when it comes to response time. We have picked two types of assessments to demonstrate this. The Company A questionnaire is a detailed one, while Company B’s questionnaire is relatively less in-depth. This variation is intended to show the trend we have seen, based on 1200 assessments for companies across different sectors and geographical locations.
1) Questionnaire size
There is a strong correlation between the number of questions asked and the completion time. While that may seem obvious, the correlation is not linear. Also, you can check for the same number of controls without adding more questions.
An innovative solution to this problem is to consolidate the questions in control groups. This reduces the total number of questions without reducing the number of controls assessed. A bulleted list is an excellent way to get the required answers.
For example, instead of asking the following “Asset Management”-related questions:
A. Do you have Control 1?
B. Do you have Control 2?
C. Do you have Control 3?
A) Check all the controls implemented for Asset Management.
- Control 1
- Control 2
- Control 3
We have successfully used up to 8-10 data security controls under 1 question and have seen a better response time as a result. This showed us that there is a strong correlation between questionnaire size and vendor response time.
This chart shows the time required to close out reports from initiation to delivery of the final report. The X-axis represents the number of days in which the assessments were completed. Each unit is 5 days. The Y-axis represents the number of vendors completing the assessment.
As you can see, only 11 vendors completed the long assessment in 10 days, whereas 23 vendors completed the short assessment in 10 days.
2) Automated email reminders vs. Personalized email
We found that an automated reminder, though necessary, did not motivate the vendors to respond on time. Instead, we have seen that an initial kickoff call following an introductory email from a named individual translated into a faster response—almost 1.5 times faster!
We also found that a constant display showing how many answers have been completed helped in completion. Interestingly, vendors appeared to slow down their answering after completing around 80% of the assessment. However, once we started following up with a reminder saying “You are almost 80% done with your assessment. Please remember to finish the remaining 20%”, the completion speed was improved.
3) Email is sent by the Business Sponsor vs. IT Security or a 3rd party
When the Business Sponsor sends an email, versus an email sent from IT Security or a 3rd party, the delayed responses are typically completed within a couple of days instead of a multiple-week delay. Leveraging the Business Sponsor early in the assessment life cycle has resulted in faster response times from the vendors. We have encouraged our Business Sponsors to give a gentle nudge during their regularly scheduled calls with their suppliers. It has never hurt and has always helped us.
I hope you find these nuggets of information and simple pointers helpful in your own analysis process. We are always happy to help with your TPRA requirements at ComplyScore!