Due Diligence Questionnaires and Risk Scoring




This document contains a description of the Questionnaire Editor available for tenants (clients) of the Due Diligence module in GAN Integrated Compliance Management (GAN ICM). The Questionnaire Editor contains different types of questions that can be configured on the basis of the type of responses needed. Questionnaires are a step component of the workflow builder (category to group third parties) that is configured by a GAN Solution Delivery Manager.


Questionnaires are used to collect information to help everyone in your organization to make the right decision on a third party company and/or person. On an overarching level, your organization should be asking questions in the questionnaires that can help decide and support:

  • Am I allowed to do business with this third party?

  • If yes, am I confident that this third party will not expose me?

  • If something happens, do I have the documentation to support my decision?

The answers given to the questions in a questionnaire are one of the defining factors in assigning a risk level at the final approval step. In combination with screening results, this allows approvers to build a picture of the third party and ensure that a common process (workflow) was followed across all their third parties in making the right decision. When building a questionnaire, changes can be saved as needed in the edit mode. Once a Questionnaire is ready to be used, it must be published, which is an irreversible action.

Client Action Points 

  • Decide on the most efficient and effective number of questionnaires to present to your internal stakeholders and external third parties.

    • What is the goal of each of these questionnaires?

  • For each questionnaire, how can the different question types and features in GAN ICM aid in your collection of information? Specifically:

    • Who will be providing the answers to this questionnaire?

    • What format is best suited for the collection of the data you need?

    • Should certain answers trigger red flags?

    • Should the answers to certain questions determine how your process will branch out?

    • Do you want to calculate the residual risk?

  • If you have pre-existing questionnaires, review them in the context of the GAN question types and indicate how your existing questionnaire should be converted using one of our question types. 

    • Share the questionnaires with your Implementation Manager to be ingested into GAN ICM.

  • Identify which questions and answers define the risk for you and what is the expected outcome.


Questionnaire Types

Depending on the question module you have selected, there may be toggles at the bottom for:

  • Required question (the answer is mandatory) 

  • Conditional question (only one conditional question per answer option)

  • Addition of flags (visual aid to identify higher risk answers) 

Question Type





Scoring for Conditional Questions 

Short Answer

Use this to generate a free text field anticipating short answers





Long Answer

Use this to generate a free text field anticipating longer answers






Use this to create a dropdown list where users can only select one (1) answer.



Multi Select

Use this to create a dropdown list where users can select one or more / all possible answers from the full list.




Use this to create on-screen checkbox options under the main question where users can select one or more / all possible answers.

Multiple Choice

Use this to create on-screen radio button options under the main question where users can select just one (1) answer.


This allows the user to upload a file (or multiple files). The maximum file size is 20 Megabytes (Mb), and the allowed file types are as follows: 'pdf', 'docx', 'doc', 'png', 'jpg', 'jpeg', 'gif', 'mp4', 'mpg', 'mp3', 'zip', 'rar', 'key', 'pps', 'ost', 'pst', 'xls', 'xlr', 'xlsx', 'ppt', 'pptx', 'm4v', 'mov', 'csv', 'db', 'xml', 'msg'





Person of Interest

This allows the user to enter the full names, position and country (location) of people as requested in the question, and it also allows for screening.






This allows the questionnaire creator / editor to add section headers in between questions.





CPI Scoring

This allows the user to select a country (or multiple if configured) and can only be used ONCE per questionnaire.






This question type can be enabled upon request by your Implementation Manager at GAN. This allows the user to provide multiple answers to a set of questions. 






When it comes to identifying risks, there are three approaches that can be taken by a tenant: 

Flags - the visual approach 

Flags (red/green/yellow) applied to questionnaire answers serve as visual cues to assist the approver in defining the risk level of a given questionnaire. Optionally, this can also be hidden.

The allocation of a flag does not impact risk scoring that is calculated by the system; it is a visual cue that can be filtered when reviewing answers. 

Questionnaire Answer Conditions - Workflow Branching

Answers to certain key questions can be used to divert the route of a workflow by triggering a step based on a given answer. 

e.g. Do you have ties to an official of any government/government agency?
Yes / No. If the question was answered 'Yes' then the workflow could branch to an additional questionnaire. 

The number of key questions should be kept to a minimum. Complex branching can have significant implications for, among other things, consistency and future adjustments.

Note that Questionnaire Answer Conditions can be used in combination with the flags to provide a more comprehensive end result.

Calculated Risk Score 

GAN ICM measures the residual risk, where a third party by definition starts with 100% total risk.

Integrity Points

A questionnaire has a total number of available integrity points that can be achieved. By cumulating integrity points (achieved points) on answers, the total risk is reduced on that questionnaire. 

To exemplify, positive answers decrease risk: 

Total score of 0 = very high risk
Total score of 100 = very low risk

Note that here it is assumed that the total amount of achievable points available is 100.

Achieved Points are the summation of the individual point values, which also applies to negative points.  

A questionnaire can be scored using multiple choice and checkboxes question types. 

For multiple choice type questions, only one answer option can be selected, and each potential answer has a point value assigned. The answer with the highest point value assigned is counted towards the total amount of achievable points. 

For checkboxes, multiple checkboxes can be selected as answers, where each potential answer has a point value assigned. The summation of all point values counts towards the total amount of achievable points. 

Important to note is that negative points are counted as 0 in relation to the total achievable amount of points. 

Questionnaires that utilize Conditional Questions can also have point values assigned, which are added to the cumulation of points and thus included in the total amount of achievable points regardless of whether the condition is met. 

The higher the cumulative points score i.e. achieved points, the higher the Success Rate, which in turn means lower risk.  

Success Rate 

The success rate is a percentage-based calculation of how many points were collected in relation to the maximum available points, that is, the achievable points.




GAN ICM uses the latest Corruption Perception Index (CPI) score for country risk as published by Transparency International. Upon configuration, the CPI Score (Country Integrity) forms an integral role in the calculated risk rate. 

Of the 250 locations that are presented to users (and that can be used when answering questionnaires), 70 are not included in Transparency International’s CPI and therefore have no score; a few examples include Greenland, Belize, Antarctica, etc., where GAN assigns these locations an ‘n/a’ and does not include them when calculating the Risk Rate.


When using the CPI Scoring element in a questionnaire with the input of several countries enabled, GAN ICM can use one of the following settings: 

  • Company Country: ignores all locations in questionnaires and defaults to the location in the creation form

  • Minimum CPI: uses the lowest CPI score (highest risk country)

  • Averaged CPI: calculates an average of all country indices (note: excludes the country in the creation form)

This setting is made under the Third Party Category sub-menu of Due Diligence, where it is available to Compliance Managers as well as Due Diligence Compliance Managers.  



Country (CPI) vs Questionnaire Weight

Under the Third Party Category menu, a slider can also be adjusted to weigh the impact of CPI in relation to achieved points from the questionnaire. 

e.g. 50% of the CPI Score with 50% questionnaire results

e.g. 0% of the CPI Score with 100% questionnaire results


The weight of either the CPI or the Questionnaire Success Rate can be completely negated by moving the slider either to the far left or right.

Calculated Risk Rate 

The calculated risk rate is a percentage that takes the CPI score as well as the Success Rate into account. A weight is applied depending on the Country vs Questionnaire slider configuration, i.e. the degree of impact of the CPI compared to how risky the answers given in a questionnaire were.


The Calculated Risk Rate can then be displayed with a color that depends on where the score lies on the Risk Score Interval found under the Third Party Category menu.

As noted earlier, some countries do not have a CPI score, in which case an ‘N/A’ location is used. There are 4 scenarios that describe the impact on the Risk Rate calculation:

  1. [CPI setting = TP location, weighting = 50/50, location used is N/A] Risk Rate will be based only on the questionnaire scoring.

  2. [CPI setting = Highest risk, weighting = 50/50, all locations used are N/A] Risk Rate will be based only on the questionnaire scoring.

  3. [CPI setting = average risk, weighting = 50/50, all locations used are N/A] Risk Rate will be based only on the questionnaire scoring.

  4. [CPI setting = average risk, weighting = 50/50, 1 of the locations used is N/A] Risk Rate will be based on the score of that 1 location and the questionnaire scoring.

Risk Intervals

For each category (workflow), the displayed risk rating for a calculated risk range can be customized by moving the sliders.


Using the default ranges: 

Very Low = Green is shown for a Risk Score from 1 to 19.999

Low = Light Green is shown for a Risk Score from 20 to 39.999 

Medium = Orange is shown for a Risk Score from 40 to 59.999 

High = Red is shown for a Risk Score from 60 to 79.999 

Very High = Dark Red is shown for a Risk Score above 80 

It is also possible to exclude very low and very high ranges by simply moving the initial and ultimate sliders to the far left or right. 

Questionnaire Scoring - an Example  

A questionnaire with three questions including a multiple choice, a checkbox, and a CPI question. 

The multiple choice question has 5 options with the lowest point value answer being 10 and the highest at 50. Since only one option can be selected in a multiple choice question, the largest point value achievable for this question is 50 points. 

The checkbox question also has 5 options with the lowest point value being 10 and incrementally increasing by 10 to the highest at 50 points. The cumulation of all answers (10+20+30+40+50) is 150 points. Since all options can be selected in a checkbox question, the largest point value achievable for this question is 150 points. 

The CPI Scoring question allows for multiple entries of countries. For this example, the Advanced CPI Scoring is Minimum CPI i.e. the country with the lowest CPI (highest risk) will prevail.

Since the CPI forms a separate part of the Calculated Risk Rate calculation, the total amount of achievable points is 200 points for the Questionnaire, which is the highest achievable points from the multiple choice (50) added to the highest achievable points from the checkboxes (150). 

Using a total amount of achievable points at 200 points and a Country to Questionnaire weighting set to 50:50, a questionnaire with three questions: 

  1. Multiple Choice Question 


Since the highest points are counted, this question would score 50 points. 

2. Checkboxes Question 


Since all points are counted, this question would score 50 (40+10) points. 

3. CPI Scoring Question 


Since the minimum CPI Score is utilized in the calculation, Somalia with CPI at 9 prevails. 

Once the Questionnaire is submitted, the calculation displays a Risk Rating of High.



When reviewing the Questionnaire, the details of the calculation are summarized: 


The Success Rate is 50% because Q1 achieved 50 points and Q2 also achieved 50 points from a total of 200 achievable points. 


The Calculated Risk Rate is 71% because it takes the 50:50 weighting into account between the points achieved in the questionnaire and the minimum CPI score, which was Somalia at 9. 


Since the calculated risk rating of 71% lies in the Risk Interval between the range of 60 and 79, the Risk Rating is displayed as High Risk for the Questionnaire. 
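The calculation above, together with the N/A scenarios and default Risk Intervals described earlier, as an added Python illustration (not GAN ICM code). The risk-rate formula is an assumption inferred from the example's figures (Success Rate 50%, CPI 9, 50:50 weighting gives 70.5, displayed as 71%); the function names, the intermediate point values, the second country score and the treatment of exactly 80 as Very High are also assumptions.

```python
# Added illustration of the scoring rules on this page; not GAN ICM code.
NA = None  # a location with no CPI score ('n/a')

def achievable_points(questions):
    """Multiple choice counts its best option, checkboxes the sum of all
    options; negative point values count as 0 towards the total."""
    total = 0
    for kind, options in questions:
        positive = [max(p, 0) for p in options]
        total += max(positive) if kind == "multiple_choice" else sum(positive)
    return total

def success_rate(achieved, achievable):
    return 100.0 * achieved / achievable

def country_cpi(mode, company_cpi, questionnaire_cpis):
    """CPI used for scoring, or NA when no scored location remains."""
    if mode == "company_country":
        return company_cpi
    scored = [c for c in questionnaire_cpis if c is not NA]  # N/A excluded
    if not scored:
        return NA
    return min(scored) if mode == "minimum_cpi" else sum(scored) / len(scored)

def risk_rate(success, cpi, cpi_weight=0.5):
    """Assumed formula: 100 minus the weighted mix of CPI and Success Rate."""
    if cpi is NA:  # scenarios 1-3: questionnaire scoring only
        return 100.0 - success
    return 100.0 - (cpi_weight * cpi + (1 - cpi_weight) * success)

def risk_rating(rate, bounds=(20, 40, 60, 80)):
    """Default Risk Intervals; exactly 80 is treated as Very High (assumption)."""
    labels = ["Very Low", "Low", "Medium", "High", "Very High"]
    return labels[sum(rate >= b for b in bounds)]

# Constructed input: 10 and 50 are from the page, 20-40 are assumed for Q1.
QUESTIONS = [("multiple_choice", [10, 20, 30, 40, 50]),
             ("checkboxes", [10, 20, 30, 40, 50])]
ACHIEVED = 50 + (40 + 10)   # Q1 = 50, Q2 = 40 + 10
CPIS = [9, 40, NA]          # Somalia at 9; 40 and the N/A entry are constructed

def worked_example():
    sr = success_rate(ACHIEVED, achievable_points(QUESTIONS))
    rate = risk_rate(sr, country_cpi("minimum_cpi", NA, CPIS))
    return sr, rate, risk_rating(rate)

if __name__ == "__main__":
    print(worked_example())
```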

Language Copies of Questionnaires 

GAN ICM does support multiple languages. Questionnaires are not automatically translated and will need to be created as a language copy of the default language (usually English). The user answering the questionnaire will be able to toggle between the available languages. 


Compare Questionnaires

After revetting a third party, multiple versions of answers to questionnaires might appear. The Compare Questionnaires feature allows you to easily verify if answers to the same questions have evolved over time. 


Email Templates for Questionnaires 

Questionnaires are sent via email to the specified recipient, which is also tracked in the activity log. The template for the instance can be provided to the GAN Solution Delivery Manager to set up on behalf of the tenant. The Questionnaire links within emails should be completed within 90 days of receipt. In addition, the instance can be configured with an automated reminder email template (including a standardized frequency of the emails being sent) to encourage a recipient to submit a questionnaire in the allocated time. When sending out the questionnaire, a client is welcome to customize templates as well as reminder frequencies for each recipient.

Want to know more? 

Suggested next read: What is a Third Party Category?


Questions are welcome

Contact us through your GAN Solution Delivery Manager, GAN Account Manager or GAN Support


© 2020 GAN INTEGRITY INC. ALL RIGHTS RESERVED | The information contained in this document is solely for the intended recipient and may not be used, published or redistributed without the prior written consent of GAN INTEGRITY INC. While every care has been taken in preparing this document, GAN INTEGRITY INC. reserves the right to revise its contents without prior notice.
