
The SIG Questionnaire Explained: What It Is, What It Misses, and What Actually Catches Vendor Risk
Best Practices | April 29, 2026

The SIG questionnaire covers 19 risk domains. Financial risk gets one of them. Here's how the SIG works, where it leaves your vendor program blind, and what continuous financial monitoring adds on top.

What the SIG Questionnaire Is (And Isn't)

The SIG (Standard Information Gathering) questionnaire was created by the Shared Assessments Program, a consortium of financial institutions that got tired of every bank using a different vendor due diligence form. In the mid-2000s, the member banks standardized their questionnaires into a single document. The SIG is now one of the most widely used third-party risk questionnaires in the world, particularly in financial services and healthcare.

Every year, procurement and third-party risk teams send the SIG to vendors and wait for a completed spreadsheet in return. The vendor fills it out. An analyst reviews it. A risk rating gets assigned. The vendor gets onboarded. Repeat in 12 months.

If you run a TPRM program, you almost certainly know this workflow. It is the dominant operational model for vendor due diligence across financial services, healthcare, and enterprise technology.

There is one problem: the SIG does not measure the risk most likely to actually hurt you.

SIG vs. SIGlite: Which One to Use

The Shared Assessments Program publishes two versions:

SIG Core is the full questionnaire. It covers 19 risk domains with hundreds of questions; a complete SIG Core submission can run to 1,400 questions depending on scope. For critical vendors, those that touch sensitive data, core operations, or regulated functions, SIG Core is the right tool.

SIGlite is the abbreviated version. It covers the same 19 domains with roughly 125 to 150 questions in recent releases. Most organizations use SIGlite for Tier 2 and Tier 3 vendors, or as a first-pass screen before asking higher-risk vendors to complete SIG Core.

Which version to send depends on your vendor tiering. Critical vendors processing sensitive data or running mission-critical systems warrant SIG Core. Vendors with more limited access or exposure can start with SIGlite. Many TPRM programs use SIGlite as a filter to identify which vendors need the full SIG Core.

The 19 Risk Domains

The current SIG covers these risk domains: Enterprise Risk Management (A), Security Policy (B), Organizational Security (C), Asset and Info Management (D), Human Resources Security (E), Physical and Environmental (F), IT Operations Management (G), Access Control (H), Application Security (I), Cybersecurity Incident Management (J), Operational Resilience (K), Compliance and Operational Risk (L), Endpoint Device Security (M), Network Security (N), Privacy (O), Threat Management (P), Supply Chain Risk Management (Q), AI Risk (R), and Financial and Operational Risk (S).

Count the financial risk domain: one section out of nineteen. That ratio is the issue.

What the SIG Actually Catches

The SIG is well-designed for what it was built to do: assess whether a vendor has documented security policies, operational controls, and compliance processes. For a financial institution evaluating whether a software vendor meets baseline security standards, the SIG is a reasonable starting point.

It catches whether a vendor has a documented incident response plan, whether they conduct regular penetration testing, whether they have a business continuity policy, whether their third-party subcontractors go through their own due diligence, and whether their access controls meet common standards.

Platforms like OneTrust, ProcessUnity, and Venminder are built primarily around managing and automating this questionnaire workflow. Send the SIG, track completion, store the results, flag exceptions. These platforms do that job well.

What neither the SIG nor any questionnaire-centric platform catches is a vendor's financial position. And financial failure is the risk category most likely to leave your supply chain in pieces.

The Financial Blind Spot in Every SIG Response

Section S (Financial and Operational Risk) asks vendors to confirm whether they have audited financial statements, whether they track vendor concentration risk, and whether they have a process for managing financial disputes. These are process questions, not financial health questions.

A vendor can answer every question in Section S correctly while its days sales outstanding (DSO) climbs, its revolving credit line is maxed out, and its accounts payable days stretch in ways that signal a cash crunch. None of that shows up in a SIG response.

Three realities make this worse:

Self-reporting bias. The vendor fills out the SIG. A distressed vendor fills it out the same way a healthy vendor does, because the questions ask about processes, not current state. "Do you have audited financial statements?" The answer is yes — from last fiscal year, when the business looked fine.

Annual cadence means stale data. A vendor can pass a SIG in January and file Chapter 11 in September. Those nine months are entirely unmonitored under a questionnaire-only model. Harvest Sherwood Food Distributors collapsed without its trade creditors seeing the kind of early warning signals that financial monitoring would have surfaced. They found out when payments stopped.

Financial stress precedes operational failure. When a vendor is financially distressed, their security controls degrade — fewer security staff, delayed system patches, reduced vendor management. The financial signal is often the leading indicator for operational risk, not a parallel category. The SIG's structure, by treating them as separate domains, misses this relationship entirely.

The Timing Problem

An annual questionnaire produces a lagging assessment by design. Vendor risk doesn't happen on a schedule. Financial distress develops over quarters. Trade payment delays show up months before a bankruptcy filing. Leadership changes, covenant breaches, and deteriorating margins all create observable signals long before a vendor misses a delivery.

By the time a vendor's SIG shows financial distress, your procurement team already has a problem. The SIG tells you what happened. Continuous monitoring tells you what is happening now.

Some platforms have tried to address this by layering ongoing monitoring onto questionnaire workflows. But the core model in questionnaire-centric TPRM — analyst hours reviewing submitted documents — is slow, expensive, and built for the compliance documentation requirements of regulated financial institutions rather than for operational speed.

What to Layer on Top of a SIG

The SIG should stay in your vendor risk program. It covers the cyber and compliance domains that your information security team needs documented. It satisfies regulatory requirements in financial services. It creates a paper trail that auditors expect.

What it cannot replace:

Financial health monitoring. Continuous visibility into vendor payment behavior, trade credit data, lien filings, and public credit signals — not annual questionnaire responses. The signals that predict vendor failure are financial signals, and they are available continuously.

Early warning on distress. Bankruptcy predictors include a lengthening days payable outstanding (DPO) trend, UCC lien activity, heavy concentration in the vendor's own customer base, and deteriorating trade references. None of these appear in a SIG response. Vendor financial risk monitoring surfaces these signals in real time across your portfolio.

Separation of what vendors say versus what the data shows. A SIG is self-reported. Financial data is not. Bank payment behavior, trade credit histories, and public filings do not depend on vendor cooperation.

The combination that actually works: SIG or SIGlite for security and compliance documentation, plus continuous financial monitoring for the risk category most likely to disrupt operations. Running a SIG without the financial layer is like checking whether your vendor's fire suppression system is certified while ignoring whether they can make payroll next month.

How to Use SIG Results in Your Vendor Risk Program

Use SIG responses to set initial risk tiers. Vendors with material exceptions in security, compliance, or operational resilience domains move to enhanced monitoring. Use that tier assignment to determine monitoring frequency and depth going forward.

Weight Section S exceptions differently. Financial and operational risk exceptions should trigger an immediate financial health review — not just a follow-up questionnaire. If a vendor can't confirm audited financials or has unresolved audit findings, that is a real signal, not an administrative gap.

Map SIG timing to your financial monitoring cadence. Annual SIG completion plus continuous financial monitoring creates a defensible program. The SIG anchors your compliance documentation. Financial monitoring provides the between-review coverage that questionnaires structurally cannot.

Build financial health criteria into your vendor tier definitions. Critical vendors should meet a financial health threshold, not just a security questionnaire score. Revenue stability, credit history, and concentration risk belong in your Tier 1 criteria alongside a current SOC 2 report and penetration testing cadence.

The Bottom Line

The SIG is a useful tool for a specific job: documenting vendor security controls and compliance processes. It is the industry standard for that job for good reasons.

It is not a vendor risk assessment. It is a vendor risk questionnaire. The difference matters. A questionnaire captures what a vendor reports about their processes. A risk assessment combines that input with objective data about the vendor's actual condition — financial health, payment behavior, operational signals — and produces a current view of risk, not a year-old snapshot of policies.

Most TPRM programs stop at the questionnaire. That gap is where supply chain disruptions live. The vendor that passes every SIG question in Q1 and misses your critical delivery in Q3 did not fail your questionnaire process. They failed because nobody was watching the financial signals between reviews.

For continuous vendor financial risk monitoring — not annual questionnaire snapshots — see how Credit Pulse approaches vendor financial risk.

Jordan Esbin

Founder & CEO
