Vendor Risk Questionnaire: Free Template + What It Actually Catches
Best Practices | May 7, 2026

Most vendor risk questionnaires are security checklists with a finance section bolted on. This guide covers what a real vendor risk questionnaire should ask, how to score responses, and why questionnaire responses are the last thing you should rely on when a supplier is heading toward financial trouble.

What Most Vendor Risk Questionnaires Actually Measure

A vendor risk questionnaire is a structured document you send to suppliers asking them to self-report on their security posture, compliance status, operational resilience, and financial health. It's the primary intake mechanism for most vendor due diligence programs.

The problem: most questionnaires are 80% security and 20% everything else. The SIG Questionnaire — the most widely used template in enterprise vendor risk programs — runs to hundreds of questions, the majority of which focus on IT controls, data handling, and regulatory compliance. That's not an accident. It reflects how TPRM evolved: as a response to data breaches, not supply chain disruptions.

Platforms like OneTrust, Archer, and ProcessUnity were built to manage questionnaire workflows. They do that well. What they don't do is flag a supplier whose receivables are deteriorating, whose key banking relationship just changed, or whose assets had a UCC lien filed against them three months ago. Those signals don't live in a questionnaire. They live in financial data.

The Standard Categories in a Vendor Risk Questionnaire

A complete vendor risk questionnaire should cover five dimensions:

Financial health: Revenue trend, profitability, debt levels, banking relationships, insurance coverage, and concentration risk. Most questionnaires underweight this section. Credit Pulse's financial intelligence layer surfaces continuous signals here that no static form can capture.

Operational resilience: Business continuity plans, key person dependencies, disaster recovery testing, backup supplier relationships, and geographic concentration. A supplier headquartered in one city with one production facility has a different risk profile from one with distributed operations.

Cyber and data security: Incident history, penetration testing cadence, access controls, certifications (SOC 2, ISO 27001), and third-party security reviews. Tools like UpGuard, SecurityScorecard, and BitSight give you external cyber ratings that complement what the vendor self-reports here. Note: these platforms measure cyber risk only. They do not assess financial or operational risk.

Compliance and regulatory: Industry-specific requirements, sanctions screening, anti-bribery policies, and relevant certifications. This section is where SIG and CAIQ templates are most detailed.

Reputational and ESG: Litigation history, regulatory actions, beneficial ownership transparency, and environmental commitments. This is the section most likely to be perfunctory in smaller vendor programs.

12 Questions Every Vendor Risk Questionnaire Should Include

Most questionnaire templates ignore financial risk or bury it. These 12 questions add the financial signal layer that most programs skip:

1. Have you or any subsidiary filed for bankruptcy or insolvency protection in the past five years?
2. Are you currently in any debt restructuring, covenant violation, or default discussion with lenders?
3. What percentage of your revenue does our contract represent?
4. How many customers each account for more than 20% of your total revenue?
5. Have you had any material changes to your banking relationships in the past 12 months?
6. Are there any pending legal actions or regulatory investigations that could materially affect operations?
7. Have you had any significant changes in senior financial leadership (CFO, controller) in the past 12 months?
8. Can you provide audited financial statements or the most recent management accounts?
9. Do you have adequate liquidity to fulfill your obligations to us for the next 12 months?
10. Have you had any significant changes to your primary supplier or partner relationships?
11. Are you subject to any liens, judgments, or encumbrances that could affect your ability to perform?
12. How has your headcount trended over the past 24 months?

SIG vs. CAIQ vs. Custom: Which Template to Use

The SIG Questionnaire is the most widely used template for enterprise vendor assessments. It runs to hundreds of questions across 19 risk domains. It's thorough on security and compliance. Its financial section is thin.

The CAIQ is cloud-specific, designed for SaaS and cloud vendors. It maps to the Cloud Security Alliance's control framework. Use it when assessing cloud service providers. Ignore it for physical suppliers.

Custom questionnaires are faster and more relevant but require maintenance. If you're building from scratch, start with the financial questions above and layer in security and compliance questions specific to your industry and the vendor's role in your operations.

Why Questionnaire Responses Are the Wrong Signal to Rely On

Questionnaires are self-reported and point-in-time. A supplier who passes your questionnaire today can file Chapter 11 in 90 days — and will have been showing financial distress signals for months before that filing. Those signals don't appear in a questionnaire. They appear in payment data, lien filings, and financial statement trends.

The Harvest Sherwood and Envelope 1 bankruptcies are instructive. Both companies had vendor relationships that looked operationally sound until they didn't. The financial deterioration was visible in the data long before the filing. A questionnaire-only program would have missed it entirely.

Venminder's model — analyst-driven questionnaire reviews — is expensive and still backward-looking. You're paying analysts to interpret responses that vendors had every incentive to present favorably. That's a lot of cost for a lagging indicator.

The Right Model: Questionnaires Plus Continuous Financial Monitoring

Use questionnaires for what they're good at: establishing a compliance and security baseline, documenting due diligence, and surfacing obvious red flags that a vendor might disclose.

Use continuous financial monitoring — specifically, the kind that tracks lien filings, bankruptcy signals, payment behavior trends, and liquidity indicators — for the signals that actually predict vendor failure. This is what Credit Pulse does for the financial layer of your vendor financial risk program.

A complete vendor due diligence program uses both. The questionnaire tells you what the vendor says about themselves. The financial data tells you what's actually happening.

See also: Continuous Vendor Monitoring: Why Annual Reviews Miss the Risks That Matter and our Vendor Financial Due Diligence Checklist.

Jordan Esbin

Founder & CEO