Vendor Due Diligence Questionnaire Guide

How to structure a third-party risk questionnaire for financial services vendors: tiering, SOC reports, BCP, AI use, subcontractors, data, and evidence.

Built for financial services risk teams | Includes fields + examples | Updated May 2026

Quick answer

A vendor due diligence questionnaire should include service scope, risk tier, data access, security evidence, privacy controls, business continuity, incident notification, subcontractors, financial condition, AI use, compliance obligations, and approval conditions.

Guide vs. template

This guide explains what belongs in the template. The paid template gives you the editable working files so you are not rebuilding from a blank page.

Paid template includes

  • Vendor risk tiering methodology
  • Due diligence questionnaire
  • Vendor risk scorecard
  • Contract risk review checklist

What is this template for?

A third-party risk questionnaire is the evidence collection tool used to decide whether a vendor can safely support your business. A good questionnaire is risk-tiered: critical vendors get deeper questions about security, business continuity, subcontractors, AI, data, financial condition, and regulatory exposure; low-risk vendors get a lighter review.

Who needs this

  • You are onboarding a new vendor that touches customer data, payments, operations, compliance, or core infrastructure.
  • A bank partner or examiner asked how you assess critical vendors.
  • Your vendor review process is the same for every vendor and creates too much noise.
  • You need to document why a vendor was approved, conditionally approved, or rejected.

Required template fields

If you only build one section first, start with these fields. They give buyers, auditors, and reviewers a concrete checklist of what belongs in the template.

Want the working version? Download the editable template instead of rebuilding these fields from scratch.

| Field | Why it matters | Example |
|---|---|---|
| Vendor service description | Defines what you are actually relying on. | KYC verification API used during customer onboarding |
| Risk tier | Determines depth of due diligence. | Critical: customer onboarding would stop if unavailable |
| Data access | Drives privacy, security, and breach-notification review. | Name, DOB, SSN last four, transaction metadata |
| Security evidence | Supports security control reliance. | SOC 2 Type II, penetration test summary, vulnerability management policy |
| Business continuity / resilience | Shows whether the vendor can keep operating during disruption. | RTO/RPO, DR test date, incident notification SLA |
| Subcontractors | Finds hidden fourth-party concentration. | Cloud provider, data processor, offshore support vendor |
| AI or automated decisioning use | Flags explainability, bias, data, and monitoring questions. | Vendor uses ML to score fraud alerts or identity confidence |
| Approval conditions | Makes conditional approvals auditable. | Approved subject to annual SOC review and 24-hour incident notice |

Example vendor questionnaire tiering

Critical vendor: Core payment processor with customer data access and 24/7 operational dependency.

Evidence required: SOC 2 Type II, penetration test summary, DR test results, incident SLA, subcontractor list, financial review.

Approval condition: Approved subject to annual SOC refresh, 24-hour incident notice, and exit plan review.

Implementation roadmap

1. Tier vendors before sending the questionnaire
   Owner: Third-party risk or procurement lead
   Output: Critical/high/medium/low tier with rationale

2. Send only the sections that match the tier
   Owner: Vendor owner
   Output: Right-sized questionnaire instead of one giant form for everyone

3. Review evidence, not just yes/no answers
   Owner: Security, compliance, legal, and business reviewers
   Output: Evidence-backed approval memo

4. Document residual risk and conditions
   Owner: Vendor owner + risk reviewer
   Output: Conditional approval, remediation items, or rejection rationale

5. Set ongoing monitoring cadence
   Owner: Third-party risk owner
   Output: Annual review, SOC refresh, SLA monitoring, incident escalation path
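The tiering, evidence review, and conditional-approval steps above, worked through as an added example (not the paid template's own logic). The tier thresholds, the per-tier evidence sets for non-critical tiers, the 365-day SOC freshness rule, and the `Vendor` field names are assumptions; the critical-tier evidence list is the one the guide gives.

```python
# Added example (not the guide's template): tier a vendor, then check that the
# evidence the questionnaire must collect for that tier is present and current.
# Tier thresholds and non-critical evidence sets are assumptions modelled on the
# page's critical-vendor example; the critical set is the page's own list.
from dataclasses import dataclass, field
from datetime import date

EVIDENCE_BY_TIER = {
    "critical": {"soc2_type2", "pentest_summary", "dr_test_results",
                 "incident_sla", "subcontractor_list", "financial_review"},
    "high": {"soc2_type2", "pentest_summary", "incident_sla", "subcontractor_list"},
    "medium": {"soc2_type2", "incident_sla"},
    "low": set(),
}
SENSITIVE = {"ssn", "dob", "account_number", "transaction_metadata"}  # assumed list
ORDER = ["low", "medium", "high", "critical"]

@dataclass
class Vendor:
    name: str
    data_elements: set            # data the vendor can access
    stops_business_if_down: bool  # operational dependency (page's critical-tier test)
    uses_ai_decisioning: bool
    evidence: dict = field(default_factory=dict)  # evidence name -> date received

def tier(v: Vendor) -> str:
    """Outage impact plus sensitive data -> critical; either alone -> high;
    any other data -> medium; AI decisioning bumps one tier (assumed rules)."""
    sensitive = bool(v.data_elements & SENSITIVE)
    if v.stops_business_if_down and sensitive:
        t = "critical"
    elif v.stops_business_if_down or sensitive:
        t = "high"
    else:
        t = "medium" if v.data_elements else "low"
    if v.uses_ai_decisioning and t != "critical":
        t = ORDER[ORDER.index(t) + 1]
    return t

def review(v: Vendor, today: date) -> dict:
    """Evidence-backed decision: missing evidence blocks approval; a SOC report
    older than 365 days or AI use becomes an explicit, auditable condition."""
    t = tier(v)
    missing = sorted(EVIDENCE_BY_TIER[t] - set(v.evidence))
    conditions = []
    soc = v.evidence.get("soc2_type2")
    if soc and (today - soc).days > 365:
        conditions.append("refresh SOC 2 Type II within 90 days, then annually")
    if v.uses_ai_decisioning:
        conditions.append("document model monitoring and bias testing")
    status = "pending_evidence" if missing else ("conditional" if conditions else "approved")
    return {"tier": t, "status": status, "missing": missing, "conditions": conditions}
```

The returned dict is the record to file with the approval memo: tier with rationale inputs, what evidence is still missing, and the conditions a conditional approval depends on.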

Ready to use it?

Download the Third-Party Risk Management (TPRM) Kit

Use the guide to understand the structure, or buy the editable template to move faster.

FAQ

What should a vendor due diligence questionnaire include?

It should cover service scope, data access, security controls, privacy, business continuity, incident notification, subcontractors, financial condition, compliance obligations, AI use, and approval conditions.

Should every vendor complete the same questionnaire?

No. Use risk tiering. Critical and high-risk vendors need deeper evidence; low-risk vendors should not get the same exhaustive questionnaire as a core processor or customer-data vendor.

What is the difference between third-party risk and vendor management?

Vendor management handles contracts, performance, and relationship operations. Third-party risk focuses on the risks created by relying on that vendor and the controls needed to manage those risks.