One often overlooked area that every DLT based startup will have to overcome, if it wants to be seriously successful, is managing the endless questionnaires that get sent its way. These can be frankly tedious, lengthy and a potential source of risk if the answers are not quite correct.
This post covers how many and where they are likely to come from, the subsequent problems, and how RegDefy, managing the Ecosystem’s Digital Twin, streamlines this process.
What are these questionnaires and where do they come from?
The questionnaires are, usually, long lists of questions about your operation on any topic from security to your wind down plan. Once completed, these can form the start of a conversation, as follow ups are requested until the sender is satisfied.
In terms of their validity, they can either be the responder’s point in time assessment, like a self-attestation, or the responder can be held to the response on an ongoing basis, making it part of the compliance function of the organisation.
As the Operator of the platform, there are at least four types of questionnaires that will be sent your way. If the ecosystem is fully decentralised, then they would be completed on the platform’s behalf, often by each Participant.
- Digital Securities Sandbox (DSS) Gates
- Standards
- Other Regulations and Contracts
- Participant Onboarding and Subsequent Audit
In compliance with DORA and the 3rd party risk management regulations from the Bank of England, there is also a fifth:
- Vendor Risk Assessments
Let’s look at each one.
- Digital Securities Sandbox Gates. In DSS Gate 2 there are two questionnaires, one being the CQUEST security assessment and the other being the Gate 2 self-attestation. The former is a point in time questionnaire asking the operator to rate themselves on a maturity model. The latter is more of a commitment to comply with the Go Live rules.
- Standards. Part of the certification process for a particular standard (e.g. ISO27001) involves answering a set of questions and providing evidence for your answers (e.g. company policies). It is a point in time assessment that gets repeated on a regular basis.
- Other Regulations and Contracts. Each of these sets out a set of obligations that must be followed. It could be around how incidents are managed or how a Participant is able to withdraw their assets. These obligations can be thought of as questions about the operation but, unlike a point in time self-attestation for, say, a standard, they carry a commitment that the answer will remain valid for a period of time.
- Participant Onboarding and Subsequent Audit. For an institutional Participant to use the platform, it will usually need to be onboarded as both a Service provider and a Technology provider. This usually results in at least two questionnaires from each Participant. Unfortunately they can come from different parts of the institution, covering the same topics in different ways. The FSQS standard goes some way to address this but does not have the industry acceptance yet.
- Vendor Risk Assessments. Best practice is to require all of the operation’s suppliers to complete a questionnaire so that the organisation can assess its 3rd party risk. The capability required here is different as it is more setting the questions and evaluating responses than responding to actual questions.
The problems with questionnaires.
There are three challenges with responding to questions and evaluating responses. The main challenge is getting up to date and consistent answers. For the operation of an early stage ecosystem, the answers can change from week to week. Different team members have different amounts of knowledge, and no one person will know it all. These two factors combined mean that getting a consistent set of responses can be very difficult.
Another challenge is that responding to these questionnaires can take considerably longer than anticipated. Changing information from all over the ecosystem has to be collated and used to answer the specific questions.
The last challenge is delicate but important to address: those people involved in early stage businesses tend to dislike the activity of answering these questionnaires! Sometimes it can be hard to find people who want to do it. A corollary to this is that the team that completed the last one is unlikely to want to do the next, which is a shame as they are the most qualified!
For the Vendor Risk Assessments, keeping on top of potentially two different questionnaires (covering critical and non-critical suppliers) for up to 20+ suppliers
Questionnaire Management with RegDefy
Along with managing the 11 dimensions that make up the Ecosystem Digital Twin, RegDefy can manage the questionnaires and their responses for each organisation.
Questionnaires can be modelled in one of two ways in RegDefy:
- Point in time attestations are modelled as Questionnaires, where each question can be responded to with evidence and mapped to arbitrary parts of the Ecosystem Digital Twin. Target milestones for review, approval and submission can be set, allowing you to see which ones need to be worked on. Questions and responses can be exported to Excel as the often-preferred response format. Once approved and submitted, the questioner can ask follow-up questions that can be captured, providing a conversation chain about the original question. Use cases for this would be the DSS CQUEST questionnaire; Participant onboarding and Audit; and Vendor Risk Assessments.
- Alternatively, the questions can be modelled as a Commitment, one of the 11 dimensions. The organisation can choose which of the obligations apply, map them to parts of the Ecosystem Digital Twin; provide evidence and plans for compliance, and export them to Excel.
However, before we see how RegDefy speeds up the process, we need to introduce Content Tags.
RegDefy also maintains the Ecosystem Content Tag library. This tree structure allows you to model the semantics of the ecosystem. For example, there could be a tag for “Incident Management”, “Firewall”, or “Bitcoin”. These tags can be applied to many of the RegDefy entities. Extending the example, the “Incident Management Post Incident Review” Process could be tagged with “Incident Management”.
When Questions arrive they can be tagged (either automatically using Artificial Intelligence or manually) with their meaning. That way RegDefy can suggest parts of the Digital Twin that are relevant to your response. And because previous approved questions have been tagged in the same way, previous answers to similar questions can be suggested as well. These suggested answers significantly speed up responses and improve consistency.
Other entities in the Digital Twin can also be tagged (e.g. Risks, Processes, Policies, Metrics, Controls, etc.). These will get suggested at the same time.
Having reviewed the suggestions, the responder is able to map the question or obligation to parts of the Digital Twin. This ties the answer to the question into the operation of the ecosystem, ensuring consistency. It has the beneficial side effect that, in the event of an incident, this mapping information can be used to perform instant impact analysis – e.g. in the event of a data breach you can determine which clauses of which regulations / questions in an attestation are affected.
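To make the tag-based suggestion and impact analysis described above concrete, here is a small hypothetical model written for this post (it is not RegDefy’s code and makes no claim about its internals). It assumes a tag tree where a question is related to an entity when a tag on one side is an ancestor-or-self of a tag on the other, and that a responder’s confirmed mappings are stored as links that can be looked up in reverse when an entity is affected by an incident.

```python
from dataclasses import dataclass

class TagTree:
    """Content Tag library: each tag has at most one parent (a tree)."""
    def __init__(self):
        self.parent = {}
    def add(self, tag, parent=None):
        self.parent[tag] = parent
    def closure(self, tags):
        """A tag set plus every ancestor of each tag."""
        out = set()
        for t in tags:
            while t is not None:
                out.add(t)
                t = self.parent[t]
        return out

@dataclass
class Entity:
    name: str          # a Question, Process, Policy, Control, ...
    kind: str
    tags: set
    answer: str = ""   # approved answer, for previously answered questions

class Twin:
    def __init__(self, tree):
        self.tree, self.entities, self.links = tree, [], {}
    def add(self, e):
        self.entities.append(e)
    def related(self, a, b):
        # Related when a tag on one side is an ancestor-or-self of a tag on the other;
        # sibling tags (e.g. Firewall vs Encryption) do not match, their common parent does.
        return bool(a.tags & self.tree.closure(b.tags)) or bool(b.tags & self.tree.closure(a.tags))
    def suggest(self, question):
        """Prior answered questions and twin entities that share the question's meaning."""
        return [e.name for e in self.entities if e is not question and self.related(question, e)]
    def link(self, question, entity):
        """Responder confirms a suggestion: the answer is now tied to that entity."""
        self.links.setdefault(entity, set()).add(question)
    def impact(self, entity):
        """Impact analysis: which questions/obligations are affected if this entity is hit."""
        return sorted(self.links.get(entity, set()))

def demo():
    tree = TagTree()
    for tag, parent in [("Security", None), ("Firewall", "Security"),
                        ("Encryption", "Security"), ("Incident Management", None)]:
        tree.add(tag, parent)
    twin = Twin(tree)
    # Constructed sample content for illustration only.
    old_q = Entity("Q-OLD", "question", {"Firewall"}, "Perimeter rules reviewed quarterly")
    for e in (old_q, Entity("Post Incident Review", "process", {"Incident Management"}),
              Entity("Security Policy", "policy", {"Security"}),
              Entity("Key Management", "control", {"Encryption"})):
        twin.add(e)
    new_q = Entity("Q-NEW", "question", {"Firewall"})
    suggestions = twin.suggest(new_q)                 # ['Q-OLD', 'Security Policy']
    twin.link(new_q.name, "Security Policy"); twin.link(old_q.name, "Security Policy")
    return suggestions, twin.impact("Security Policy")  # (..., ['Q-NEW', 'Q-OLD'])
```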
Conclusion
Questionnaires, wherever they come from, can be a drain on a startup’s precious resources. However, they are a critical component in getting a regulated DLT project to viability.
RegDefy streamlines their management and improves the speed and quality of the responses.