The Vendor Risk Management (VRM) module in KnowBe4's KCM Governance, Risk, and Compliance (GRC) platform is available under Platinum subscriptions. The VRM module provides a centralized location to help you assess and manage the risks introduced when using third-party organizations or vendors.
This article explains how to create vendor questionnaires with custom questions or with the industry-standard questionnaire templates provided, how to configure questions so vendors can be scored on their responses, and how to send the questionnaires to your vendors.
As a best practice, we recommend creating your questionnaires as the first step of onboarding with the VRM module. See our Vendor Risk Management Module: Introduction Guide for the full suggested order of workflow when onboarding with your VRM module.
Pre-Assessment and Planning
As part of your vendor (or third-party) risk management program, before onboarding with your VRM module, your team may want to identify the types of questionnaires you'll need to build for the various vendors or third parties you work with.
The KCM GRC questionnaire builder allows you to construct questionnaires from custom "free-form" questions, or use questions from the industry-standard templates offered in the console. You can also create questionnaires using a combination of free-form questions and questions from templates.
You'll create your vendor questionnaires from the Questionnaire List section of your console. You'll use the questionnaire builder to create fully-custom questionnaires, use questions from the industry-standard templates provided, or create questionnaires composed of both free-form questions and questions from the templates.
Follow the steps below to create a questionnaire.
- Navigate to the Questionnaire List section of your console by clicking Vendor Management, then Questionnaire List from the navigation panel on the left-hand side.
- Click the Create New Questionnaire button toward the top-right of the Questionnaires List page.
- From the New Questionnaire page, add the details outlined below:
  - Give the questionnaire a Name. The vendor will be able to see the questionnaire name in the email notification they'll receive when you send the questionnaire, and they'll also see it when they log in to your vendor portal to work on the assessment.
  - Give the questionnaire a Description. The description is only visible to the user(s) working in your VRM module. The Description field has a 2500 character maximum.
  - Select a Type. Select Public for external vendors or Internal for internal departments.
- From the Available Questions portion of the page, begin creating your free-form question entries, or add questions from one or more of the templates provided.
See the sections below for details on the different methods of adding questions:
Adding Questions from Templates
You'll add template questions from the Available Questions section of the New Questionnaire page, as referenced in step 4 from the section above. Follow the steps below for instructions.
- Click the + Questionnaire Templates button at the top-right of the Available Questions section of the page.
- From the Questionnaire Templates page, use the checkboxes on the left-hand side to select one or more templates to choose questions from.
- Click the Save button on the right-hand side to add the template to the questionnaire builder.
- The Available Questions section of the page will now show an additional tab for each template you've selected to work with. Click the template tab to add questions from the template(s) to your questionnaire.
- Use the checkboxes under the Question Sets column to select the questions you'd like to add. Use the pagination at the bottom of the template tab to navigate through all of the questions offered in the template.
The template may consist of more pages than the numbers displayed in the pagination panel. Use the right arrows to navigate through the entire template.
- After selecting the desired questions from the template(s), add any free-form questions you'd like at this time (see the Adding Free-Form Questions section below for details).
- Once you've added all desired free-form and template questions, click the Next button at the bottom of the template tab.
Once you click the Next button you will not be able to add additional questions to this version of your questionnaire. Ensure you've added all questions before clicking this button.
Next, you will configure your questionnaire by assigning a point value to the questionnaire answers. Skip to the Configure Questionnaire Points section below for details.
Adding Free-Form Questions
You can create custom questions and specify the answer formats that the assessee (the individual completing your questionnaire) can respond with.
Follow the steps below to create custom questions.
- Use the Type your question field to type the question. Then, click the checkmark icon button (or Return/Enter on your keyboard) to add the question and form its answer option.
If you need to add a large number of free-form questions, you may want to optimize the workflow by adding all questions at once and forming the answers afterward.
- Use the Type drop-down menu to select the type of answer that the questionnaire assessee will respond with:
  - Free Form Text: Provides a blank field that the user must fill (user cannot leave this field blank).
  - Multiple Choice: Specify the number of answer options and the text for each option. There must be at least two answer options for multiple choice questions. Then specify which answer is correct, using the radio buttons under Correct Answer, on the right side of the page (user can only choose one answer).
  - Checkbox: Specify the number of answer options and the text for each option (user can pick one or more answers).
  - Yes / No / N/A: Provides radio buttons for the user to select from. Specify which answer is correct, using the radio buttons under Correct Answer (user can only choose one answer).
- To add another question, repeat steps one and two until you've added all necessary questions.
- Ensure you've added all questions, then click the Next button to add the questions to your questionnaire.
Next, you will configure your questionnaire by assigning a point value to the questionnaire answers. See the next section for details.
Configure Questionnaire Points
Once you've added the desired questions to your questionnaire, you will configure the assessment by assigning points to each question. The points are used to score the assessment once your vendor completes it.
After you assign points to each question, you will mark the questions as "configured". Then, they must be reviewed once more before they can be sent.
Follow the steps below to assign points to your questions.
- If you're not already working in your questionnaire, navigate to the Questionnaire List by clicking Vendor Management > Questionnaire List from the navigation panel on the left-hand side.
- Click on the name of the questionnaire needing attention.
- Click the Configure button under the Questionnaire Versions section of the page.
- Review each question and assign a weighted number in the Points field on the right-hand side.
Alternatively, you can set the same number of points for all questions using the Points field at the top. Enter the number of points, then click the Set Points button.
- Ensure you've added points to all of your questions by toggling through the question sets on the left-hand side.
When using questions from a template, they are grouped into Question Sets in your VRM module's questionnaire builder. The Question Sets correspond with the categories in the governing questionnaire template.
- Once you've assigned points to all of your questions, click the Mark as Configured button toward the top-right of the configuration portion of the page.
Now, as a final step before you can send the questionnaire, the questions must be marked "reviewed". Depending on your organization, your supervisor or another individual on your team may need to perform the review. Skip to the Review and Finalize Questionnaire section below for instructions.
Review and Finalize Questionnaire
As a final step before sending a questionnaire, a Vendor Administrator or an Account Administrator must mark the questionnaire as "reviewed". Follow the steps below to review the questionnaire.
- If you're not already working in the questionnaire, navigate to the Questionnaire List by clicking Vendor Management > Questionnaire List from the navigation panel on the left-hand side.
- Click on the name of the questionnaire that needs to be reviewed.
- Click the Review button under the Questionnaire Versions section of the page.
- From the Questionnaire - Configure Answers page, review all of the questions by toggling through each of the question sets on the left-hand side of the page.
- Once you've reviewed the questions and the points assigned to each, click the Mark as Reviewed button toward the top-right of the configuration portion of the page.
The template is now finalized and ready to be sent to your vendor. Skip to the Sending Questionnaires to Vendors section below to learn how to send your questionnaire.
Sending Questionnaires to Vendors
Before you send a questionnaire, you must create a vendor profile and user account for the vendor contact who will complete the assessment. See Adding Vendor Profiles to your Vendor Risk Management Module and Add Vendor User Accounts for instructions.
You'll send questionnaires from the vendor's profile in your KCM GRC account. See the steps below for instructions.
- Navigate to the Vendor List area of your console by clicking Vendor Management > Vendor List from the navigation panel on the left-hand side.
- From the Vendor List page, click the vendor's name under the Name column to open their vendor profile.
- You must change the Vendor Status to Active before you can send a questionnaire. Click the Edit button at the top-right of the Vendor Details - [[Vendor Name]] page.
- Locate the Vendor Status drop-down menu on the left-hand side and select Active.
- Click the Save button at the bottom-right of the Organization Details section of the page.
- Then, in the middle portion of the Vendor Details page, the Available Questionnaires tab will be selected by default. Your finalized questionnaires will be listed here. Use the Send Questionnaire buttons on the right-hand side to send the corresponding questionnaire.
- You'll be prompted to select a Schedule Frequency, Start Date, and End Date. See below for details.
  - Schedule Frequency: Choose a frequency from the drop-down menu to determine how often you want this questionnaire to be automatically sent to your vendor.
  - Start Date: Define the date you want the questionnaire schedule to begin.
  - End Date: Define the date you want the questionnaire schedule to end. This means the vendor will no longer receive the questionnaire on a recurring frequency after this date.
If you would only like to send the questionnaire to the vendor one time, select any Schedule Frequency and put tomorrow's date in the End Date field. The questionnaire will not be sent after the End Date.
- Click the Schedule button to send the questionnaire to the vendor contact.
Clicking the Schedule button will immediately send the questionnaire to the vendor contact's vendor portal, and also send an email notification to the vendor contact.