A Security Questionnaire, RFI, VRA (Vendor Risk Assessment), VR Management…helps customers identify and evaluate the risks of using a vendor’s product or service. Performing such a review is sometimes mandatory based on the industry (e.g. healthcare). During this standard business process, customer collects written information about security capabilities of a supplier and you could barely find suppliers or vendors or business associated that are interested to interact with this naturally revealing practice because they refuse to learn from it and ease the process so it remains stressful, time consuming and potentially exposing them to other risks like losing a contract.
But How to learn from vendor risk assessment and turn it to a tool to improve the business relation? The first step is to have a system to handle request, write a policy and come up with a strategy. A well-defined system will automatically lead you to better interaction and improve itself over time. Study questionnaires and normalize questions, find your flaws and rather than rush to fix them look for root causes and address them accordingly. Remember, all you have to do is managing risks, not necessary mitigating, so expectation of a full green 100% risk free business partnership is showing lack of understanding how risk works.