By Kelly White | May 8, 2018
The more questions you ask in your third-party assessments, the higher the cost. But how much does an extra question really cost? And what is it worth?
In late 2017, we at RiskRecon explored this issue as part of a detailed study in which we analyzed the third-party cyber risk management practices of thirty firms. Let’s walk through a few of the study data points that led us to the answer.
We asked our respondents how many cyber-risk relationships each analyst at their firm manages. The answer varied widely by sector: Finance and Insurance companies assigned 73 vendors per analyst, Healthcare firms assigned 93 vendors per analyst, while Technology companies assigned 133 vendors per analyst.
Figure 1: Number of third-party cyber risk relationships managed per analyst
We also asked how many questions each respondent company had in its third-party assessment questionnaire. Finance and Insurance asked a whopping average of 283; Healthcare asked 186, while Manufacturing and Technology were both under one hundred questions.
Figure 2: Number of questions asked in the assessment questionnaire
Combining the two data sets, the sectors line up in opposite order: the more questions in the questionnaire, the fewer vendor relationships an analyst can manage. With only a handful of sectors the relationship is directional rather than precise, but it is consistent with each added question consuming analyst time.
The Cost per Question
It turns out that vendor questionnaires have some pretty decent economies of scale: the more questions you ask, the lower the cost per question. To project that cost, we have to extend our data set with a couple of safe assumptions. First, assume the fully-loaded cost of an analyst is $120,000 per year. Second, assume each vendor is assessed on average every two years, so an analyst completes half of their vendor portfolio each year. The cost per assessment is then the analyst's annual cost divided by the number of assessments completed in a year, and the cost per question is that figure divided by the length of the questionnaire. On a cost per vendor assessed basis, Finance is inefficient relative to other sectors. However, on a cost per question basis, Finance is actually much more efficient.
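The calculation above, carried through with the post's own figures, as an added example (this is not the study's model or RiskRecon's code). The $120,000 analyst cost, the two-year assessment interval, and the vendors-per-analyst and question counts are the post's numbers; Technology's question count is given only as "under one hundred", so the 100 used here is an assumed upper bound, which makes its cost-per-question figure a lower bound. The last function goes one step beyond the post: given two fully specified sectors it solves for the fixed cost of initiating an assessment and the marginal cost per question, the decomposition the post describes qualitatively.

```python
# Added example: per-sector cost of a vendor questionnaire under the post's assumptions.
ANALYST_COST_PER_YEAR = 120_000   # fully-loaded analyst cost (assumption from the post)
ASSESSMENT_INTERVAL_YEARS = 2     # each vendor assessed every two years (assumption from the post)

# Survey figures from the post. Technology's 100 questions is an assumed upper bound
# ("under one hundred"), so its cost per question is a lower bound.
SECTORS = {
    "Finance and Insurance": {"vendors_per_analyst": 73, "questions": 283},
    "Healthcare": {"vendors_per_analyst": 93, "questions": 186},
    "Technology": {"vendors_per_analyst": 133, "questions": 100},
}


def cost_per_assessment(vendors_per_analyst,
                        analyst_cost=ANALYST_COST_PER_YEAR,
                        interval_years=ASSESSMENT_INTERVAL_YEARS):
    """Dollars per completed assessment: the analyst's yearly cost spread over the
    assessments finished that year, i.e. the portfolio divided by the interval."""
    assessments_per_year = vendors_per_analyst / interval_years
    return analyst_cost / assessments_per_year


def cost_per_question(vendors_per_analyst, questions, **kwargs):
    """Dollars per question: the assessment cost spread over the questionnaire."""
    return cost_per_assessment(vendors_per_analyst, **kwargs) / questions


def sector_costs(sectors=SECTORS):
    """Return {sector: (cost per assessment, cost per question)} rounded to cents."""
    return {
        name: (
            round(cost_per_assessment(s["vendors_per_analyst"]), 2),
            round(cost_per_question(s["vendors_per_analyst"], s["questions"]), 2),
        )
        for name, s in sectors.items()
    }


def fixed_and_marginal(sector_a, sector_b, sectors=SECTORS):
    """Model cost_per_assessment = fixed + marginal * questions and solve it exactly
    from two sectors. Two points determine the line, so this is an illustration of the
    fixed-plus-marginal decomposition, not a statistical fit (added extrapolation)."""
    a, b = sectors[sector_a], sectors[sector_b]
    cost_a = cost_per_assessment(a["vendors_per_analyst"])
    cost_b = cost_per_assessment(b["vendors_per_analyst"])
    marginal = (cost_a - cost_b) / (a["questions"] - b["questions"])
    fixed = cost_a - marginal * a["questions"]
    return fixed, marginal


if __name__ == "__main__":
    for name, (per_assessment, per_question) in sector_costs().items():
        print(f"{name:22s} ${per_assessment:8.2f} per assessment  ${per_question:6.2f} per question")
    fixed, marginal = fixed_and_marginal("Finance and Insurance", "Healthcare")
    print(f"fixed cost per assessment ~${fixed:.0f}, marginal cost per question ~${marginal:.2f}")
```

Finance comes out most expensive per assessment (about $3,288 versus roughly $1,805 for Technology) yet cheapest per question (about $11.62 versus at least $18.05), which is the inversion the post describes. Solving the fixed-plus-marginal model from the two exactly specified sectors puts the fixed cost of starting an assessment near $1,225 and the marginal cost near $7.29 per question, consistent with the claim that initiating the questionnaire dominates the bill.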
These are modest numbers. In practice, the fixed cost of initiating the questionnaire is the most expensive part of the survey effort; each incremental question adds only a small marginal cost. But questions aren't really the point, are they? Good risk outcomes are the point. In your vendor questionnaires, ask only the questions that you must, but do ask them. Their value can be significant.
Consider the old adage that for want of a ten-cent part, the larger system was lost. As your data is entrusted to more and more external parties, increasing the rigor of your compliance instruments, such as asking the questions that need to be asked, just makes good dollars and sense.