Another option would be to perform "stacking". While a SIG (just an example) may not give you enough reasonable assurance (depending on supplier criticality, etc.), what if you were to add to your documentation that you also have a clean SOC and a verbal conversation with the supplier SME regarding the control in question? By stacking different/multiple items together, you have more of that reasonable assurance that the control is in place. Document what you verified and what the supplier would not share. Then, if possible, write up a statement noting how you reached a reasonable assurance by stacking multiple items. Thank you.
------------------------------
Marlon Stone
------------------------------
Original Message:
Sent: 01-24-2025 09:17 AM
From: Jessica Alford-Hayes
Subject: Vendor Response to Questionnaires
We follow a risk-based approach, asking appropriate questions depending on what the supplier does for us and their business criticality, but we also find the response rate to be very low.
What does everyone do when it comes to ongoing due diligence (refreshes) when their suppliers do not respond? What course of action do you take?
Original Message:
Sent: 01-22-2025 09:31 AM
From: Mark Ewert
Subject: Vendor Response to Questionnaires
We are very selective in the vendors that are required to answer a questionnaire, provide a SOC report, and/or financials. First, we don't have the staff to read all the information contained, so we limit it to our critical vendors only. Second, the information requested is based on the risk factor that made them critical. For example, if replacement difficulty is the only critical factor, we only request financials. If it is access to our environment, we don't ask for anything because that is on us. We control our security/access. We only ask for a SOC 1 when the vendor directly impacts our financials.
When you implement controls on what you are requesting, your success rate will be much higher. A shotgun approach only makes more work for your team and may frustrate your vendors.
------------------------------
Mark Ewert, CPCU, CIC
Director Vendor Management
Penn National Insurance
Original Message:
Sent: 01-21-2025 11:23 AM
From: Debbie Maxwell
Subject: Vendor Response to Questionnaires
Hey all - we recently pulled a report to get a good idea of how many vendors respond to our due diligence questionnaire. We have close to a 50% response rate, but when we break it down to our critical vendors, it is below 20% that will respond, with the rest only providing documents (or portal access) and possibly their SIG. I'm curious: what is your experience and response rate? If you have higher than 50%, what do you feel makes your response rate successful?
TIA!