Mary Hain
Administrator

Tiering Assessments and Inherent Risk Questionnaire (IRQ) help organizations apply the right level of due diligence based on the risk a third party poses by defining the scope and aiding in prioritization. These tools are essential in building a scalable and risk-based Third-Party Risk Management (TPRM) program.

At an early stage, risk tiering offers a basic framework for classifying third parties by criticality or potential risk, such as Tier 1 – High or Critical third party, Tier 2 – Medium, Tier 3 – Low. It is often a manual process, but it provides a useful starting point that ensures not all vendors are treated the same.

As programs evolve, inherent risk questionnaires (IRQs) introduce a more structured and consistent method. Using an internal questionnaire, you engage your business users to answer a set of intake questions that capture the third-party engagement, such as data type and sensitivity, access levels, geographical and/or regulatory exposure, financial impact, and other operational impacts.

The IRQ responses generate a risk score using a configurable scoring model, which in turn defines the scope and frequency of due diligence activities. This gives risk teams visibility into risk at both an organizational and enterprise level.

IRQs are useful in defining the scope of the due diligence, as shown in these examples:

  • Is the total investment greater than $50K? A financial due diligence questionnaire can be sent.
  • Does the third party interact with government officials? Depending on the country/region, an anti-corruption questionnaire can be sent.
  • Does the third party have access to organizational data? Different conditional questions can be sent, such as a HIPAA compliance questionnaire for healthcare data or a GDPR compliance questionnaire for EU data.

The IRQ process complements risk tiering assessments. While a tiering assessment triggers external questionnaires based solely on the risk tier, an IRQ can trigger external questionnaires dynamically based on both the respondents' answers and the risk tier. This information enables your risk teams to focus their resources on higher-risk relationships.
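To make the scoring-and-triggering logic concrete, here is an added example (not ServiceNow TPRM code) of a configurable IRQ scoring model: intake answers are scored, the score maps to a tier and review cadence, and external questionnaires are selected from both the answers and the tier, following the three examples above. All weights, thresholds, question names and answer values are illustrative assumptions.

```python
# Constructed scoring model: points per answer value (assumption, not product defaults).
SCORING_MODEL = {
    "data_sensitivity": {"none": 0, "internal": 2, "confidential": 4, "regulated": 6},
    "access_level": {"none": 0, "read": 2, "write": 4, "privileged": 6},
    "regulatory_exposure": {"none": 0, "single": 2, "multi": 4},
    "financial_impact": {"low": 1, "medium": 3, "high": 5},
}
# Highest matching threshold wins; checked in descending order.
TIER_THRESHOLDS = [(12, "Tier 1 - High"), (6, "Tier 2 - Medium"), (0, "Tier 3 - Low")]
# Due-diligence cadence per tier in months (illustrative values).
REVIEW_FREQUENCY_MONTHS = {"Tier 1 - High": 6, "Tier 2 - Medium": 12, "Tier 3 - Low": 24}

def score_irq(answers):
    """Sum the configured points; an unknown answer value raises KeyError on purpose."""
    return sum(SCORING_MODEL[q][answers[q]] for q in SCORING_MODEL)

def assign_tier(score):
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return TIER_THRESHOLDS[-1][1]

def triggered_questionnaires(answers, tier):
    """Pick external questionnaires from the answers AND the tier (the IRQ behaviour)."""
    sent = []
    if answers["total_investment_usd"] > 50_000:
        sent.append("Financial due diligence")
    if answers["interacts_with_government_officials"]:
        sent.append("Anti-corruption")  # country/region-specific rules omitted here
    data_types = set(answers["data_types"])
    if "healthcare" in data_types:
        sent.append("HIPAA compliance")
    if "eu_personal" in data_types:
        sent.append("GDPR compliance")
    if tier == "Tier 1 - High":
        sent.append("Information security (full)")  # tier-driven, as in tiering assessments
    return sent

def evaluate_irq(answers):
    score = score_irq(answers)
    tier = assign_tier(score)
    return {"score": score, "tier": tier,
            "review_every_months": REVIEW_FREQUENCY_MONTHS[tier],
            "questionnaires": triggered_questionnaires(answers, tier)}

# Constructed intake answers for one engagement (sample data, not a real vendor).
SAMPLE_ANSWERS = {
    "data_sensitivity": "regulated", "access_level": "write",
    "regulatory_exposure": "multi", "financial_impact": "medium",
    "total_investment_usd": 120_000, "interacts_with_government_officials": False,
    "data_types": ["healthcare", "eu_personal"],
}

if __name__ == "__main__":
    print(evaluate_irq(SAMPLE_ANSWERS))
```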

To transition from risk tiering assessments to IRQs in TPRM, you can duplicate existing tiering assessments and designate them as IRQ internal assessments. We have resources below for you to learn more about both assessment types.

🆕 New in Zurich: Smart Assessment Engine makes it easier to navigate assessments, apply templates, and break down questions into sections. You can now collaborate on third-party assessments and normalize scores for consistent reporting. The third-party portal has also been upgraded to fully support Smart Assessments.


Demos

  • Convert risk tier assessments to IRQ assessments
  • Assessing your third-party risk
  • IRQ process management
  • Respond to an IRQ

Resources

  • TPRM Process Guide
  • Product Documentation

FAQs

What role does an IRQ play in the overall third-party risk management process?

The IRQ assesses the inherent risk of engaging a third-party vendor, based on input from the business owner or internal contact. It helps the risk team determine the level of due diligence required by analyzing factors such as the nature of the engagement, data sensitivity, and regulatory implications.

Who is responsible for completing the IRQ after a due diligence request is approved?

An internal contact, typically the business owner, is assigned the task of completing the IRQ. Their answers provide insights into the potential risks of the third-party engagement.

What steps does the internal contact follow to respond to an IRQ?

The internal contact will be notified of the IRQ request in the Employee Center (All > Self-Service > Employee Center). They select 'Surveys' from the 'My active items' pane and complete the questionnaire. If you do not have Employee Center, the survey can be sent via email.

Can the IRQ process be customized to my organization’s needs?

You can add or modify questions, adjust scoring methodologies, or define custom workflows that align with your own criteria and requirements.

What happens after the IRQ is submitted?

The responses are reviewed, and an inherent risk score is generated. This score recommends the level of due diligence and monitoring necessary for the third-party relationship.

Is it possible to reassign an IRQ to a different internal contact?

You can reassign the IRQ by visiting the Risk overview tab on the Inherent risk assessments page.

How does the IRQ process integrate with the due diligence workflow?

The IRQ process is a preliminary step in the due diligence workflow. By analyzing the inherent risk scores, risk teams can undertake appropriate due diligence activities to manage third-party risks.

What is involved in converting risk tiering assessments to IRQ assessments?

Converting to the IRQ format is recommended. Unlike a tiering assessment where external questionnaires are determined solely by the risk tier, an IRQ can dynamically trigger external questionnaires based on both the respondents' answers and the risk tier. It provides a more nuanced approach to vendor risk analysis in the TPRM workspace. For details on converting between the formats, visit Convert risk tier assessments to IRQ assessments.
