Business Continuity & Vendor Assessment – Tip #3 – Questionnaire Tips


Please find the third tip in my series on vendor assessment originally posted here on LinkedIn:

Text of the post below.

In the previous tip in this series on vendor assessment related to my presentation at DRJ Springworld 2017 (thanks DRJ!), I covered the idea that you need to partner with other areas in the enterprise to get your vendor assessment program started. In this tip, I want to share some ideas on how to craft a questionnaire that gets results. Many of you have reached out to me for sample questions. I am going to post some here and privately send some more out to folks who connected with me during the conference.

On a personal note, thank you to everyone who attended my presentation and for all the kind words! I am very glad that you all got something out of it and seemed to enjoy my speaking style. If you want anything else from me or would like me to speak at your conference / user group / etc. just reach out to me via LinkedIn. For those of you who have already reached out to me for sample questions, my sincere apologies for not getting those to you. My laptop gave me the “black screen of death” right after the conference! I am only now getting back up and running plus I need to “sanitize” some of the questions for public consumption. I will get them out as soon as I can.

The challenges faced today in assessing vendors include many facets, such as a “backlog” of un-assessed vendors and limited resources, but perhaps the most insidious is determining the right questions to ask a vendor. Stating what not to do is sometimes easier than stating exactly what to do, and the first thing I would recommend is to NOT ask to see the vendor’s continuity plan(s). Why? Ignoring the fact that they might not share it anyway due to proprietary information within the plan, the plan will most likely not really help you determine anything. Every plan is different and chances are good you do not know their business well enough to even know if the plan is any good. Without that intimate knowledge, a plan to recover it will not give you what you want.

Instead, the idea here is to ask questions that you can do two things with: 

1. Turn them into an empirical number or score (or red, yellow, green rating). 

2. Focus on the items you are most interested in that give you an understanding of how seriously they take resiliency.

The first item allows you to easily communicate how likely it seems the vendor will be resilient in any disruption they might have. With a simple scale with colors, you can show the risk of going with that vendor. Backing it up with the vendor’s answers and a numerical point scale allows for fine tuning of the recommendation.

The second item is a bit more complicated because this is where you generate the questions and a point scale. The questions should include very specific ones that relate directly to your organization’s needs and general ones that cover the broad areas of resiliency knowledge. However, the questions are more effective if they “get at” resiliency rather than ask “are you good at” resiliency (the answer will almost invariably be “yes”). For example, a good question would be to ask how many certified business continuity professionals they have on staff or under contract. A quick search on LinkedIn after their answer should give you an idea if they are being completely honest.

Here are some do’s and don’ts:

DON’T ask for their plans. They will either refuse or the plans will be very detailed, which forces you to review all of them and make value judgments (two enormous time wasters).

DO ask for an executive summary if they have one. If they don’t have one, that may be a red flag.

DON’T ask open-ended questions. Much like above, their answers will be time wasters and force you to make judgment calls.

DO ask questions that allow you to assign points quickly based on their answers. Yes/No or letter answers score very easily.

DON’T try to automate things right away. A simple document can be used to gather the information.

DO spend a little time focusing on the things you care about and asking more questions with that in mind.

DON’T accept answers from the salesperson. This leads to incomplete answers and, again, wasted time.

DO ask for the name and title of the person who filled out the questionnaire. Also, definitely ask for the name and title of the person they report to.

Once you have the assessment back and scored, you can provide your recommendation back to the vendor selection committee or whoever needs it. If the vendor scores poorly, I never say “no”. I will always provide the information and ask that someone sign off on the risk. If they are willing to accept the risk to the organization, then they can engage with any vendor they like. However, they cannot say you didn’t warn them!

Hopefully these tips will help you get started with a vendor assessment questionnaire. I plan on releasing some “generic” sample questions soon!