Supplier Command Centre
Common actions
Adding a supplier
New suppliers can be added via the Supplier Dashboard under Supplier Risk Management (‘Add New Supplier’) or through Organisation: under Create New Asset/Resource, complete the required fields, ensure that ‘Supplier’ is selected under ‘Asset/Resource Type’ and then select ‘Submit’.
- From the Asset/Resources page, the new supplier will appear on the main page. Select the supplier and a new page opens to enable more information to be added.
- Within the main page there are now three tabs visible. The first tab is ‘Supplier Details’, which holds the data previously entered; the second is ‘Asset/Resource Dependencies Chart’; and the third is ‘Questionnaire Workflow’ (referred to below as the Supplier Workflow tab).
Select ‘Asset/Resource Dependencies Chart’. This chart shows the relationships between the selected supplier and other suppliers or resources. The supplier may be dependent on another supplier with which the organisation holds a direct relationship, or it may support another supplier or resource. To develop the relationships, select the ‘Asset/Resource Relationships’ menu option on the sidebar, then select the relevant dependent resources and ‘Submit’. The chart will be updated with the new asset/resource dependencies.
Sending a questionnaire to a supplier
Select ‘Supplier Workflow’. This is a key area within Abriska and most users will use this workflow to drive their supplier risk assessment activities from initiation through to completion of each assessment cycle.
Criticality assessment
Two options are available:
- Assess Directly
- Relate Information
Assess Directly requires the supplier risk profile to be determined individually whereas Relate Information implies that the risk profile is being inherited from another resource or supplier. Selecting ‘Relate Information’ will prompt completion of the dependency information.
Assess Directly prompts completion of the Confidentiality, Integrity and Availability (CIA) attributes of the commodity or service that the supplier provides. Under each of the Confidentiality, Integrity and Availability attributes, there is an impact statement ranging from Minor (1) to Major (3) along with a justification field (optional). Note that the range of impact levels can be extended to fit with the risk/impact matrices used within the client organisation. Contact URM Support for more information.
Once the attributes have been completed, select ‘submit’. The system returns to the Supplier Details tab. Re-select Supplier Workflow and it can be seen that Category Assignment has now been highlighted as the next stage.
Category assignment
Select Category Assignment. A list of Supplier Categories will be shown on the screen. The default list supplied with Abriska contains 17 categories. Based on an understanding of the supplier, its product, service and delivery model, the relevant categories should be selected. The categories selected determine the questions to be asked. Complete this activity by selecting ‘Submit’.
Contact validation
From the Supplier Workflow tab, the next highlighted stage is ‘Contact Validation’. Enter the email address of the supplier contact. If the contact is not already registered, they will receive an activation email informing them that they have been set up on Abriska and need to validate their registration in order to respond to the survey. When setting up the supplier contact, there are three workflows to consider. These workflows are only made available when you set up the contact.
- ‘Direct’ – once the supplier contact has validated their registration, they proceed directly to responding to the questionnaire. They cannot amend the categories and therefore the questions sent to them.
- ‘Supplier Category Confirmation – Direct’ – the supplier contact has the opportunity to review the categories for relevance and to confirm or reject the categories assigned, by checking each category and providing justification where they believe a category does not apply to them. The user will be notified of this response and the questionnaire will need to be amended accordingly before being made available to the supplier again.
- ‘Confirmation, Customise, Questionnaire’ – following the supplier’s initial acceptance or rejection of categories, the user is offered an additional opportunity to add or remove categories and edit questions before making the questionnaire available to the supplier.
At this stage, internal notification options can be set based on the information held within the supplier profile. When ready, select ‘Submit’. The questionnaire is sent to the supplier.
Locating the questions
Questions are related to controls. To view the questions, select SRM Setup, then select Controls and then select the named control. On the sidebar menu, an option is made available to view the questions associated with the control. If you would like to view the full list of questions against controls, please contact URM Support.
Seeing the status of questionnaires
From the Supplier Workflow tab, select ‘Questionnaire in Progress’ to view the status of sent questionnaires. The history of questionnaires is also reviewable through this section.
Analysing the answers to the questionnaire
From the Supplier Workflow tab, select ‘Analyse Questionnaire Answers’ and select the required questionnaire.
Reviewing the questionnaire before it is sent to the supplier
Allocated categories and questions can be reviewed and edited prior to sending to the supplier. To have this option, it is necessary to select the third option ‘Confirmation, Customise, Questionnaire’ when setting up the contact.
Finding out whether a questionnaire has been completed
You can review progress of the questionnaire through the Dashboard.
Distributing the questionnaire within the supplier organisation
TBC
Suppliers can invite members of the same organisation to complete a questionnaire.
To add additional users to answer questions there are three steps:
- Once the supplier is logged into Abriska, they must open the questionnaire they would like to add an additional user to.
- Select 'Manage People' on the left sidebar, then ‘Add Contact’.
- Enter the email address of the user who requires access and press the search icon. This must match the same domain as the primary contact for security reasons.
Once added, the user will receive an email with details to create their own account.
Adding questions
Questions must be related to controls. A set of questions for each control is provided with Abriska. It is possible to edit these or add additional questions in relation to a control.
Controls are mapped to categories, hence assigning a category to a supplier ensures that the appropriate questions are asked. Where a control features in multiple categories, Abriska recognises this and ensures the question is only asked once.
Note that categories are not evaluated, controls are evaluated based on the response to the questions.
- Under SRM Setup, select Controls
If you want to add or amend questions to existing controls, select the control and then select ‘View Questions’. The existing questions will be displayed. Select the relevant question and make any amendments and then select ‘Submit’.
If a new control is required, then select ‘New Control’, complete the fields and save by selecting ‘Submit’. Once the new control appears in the list on the main screen, select the control and then select ‘View Questions’.
Remember that a control has to be assigned to a category in order for the questions to be assigned to a supplier.
One of the advantages of Abriska is that questions relate directly to controls; this allows a clear articulation of the risk presented and offers specific corrective actions based on international best practice. For this reason, questions need to be related to controls.
- Select ‘Create a New Question’ and complete the fields. Under ‘Question Type’ there are four options available: Yes or No, Yes or Not Applicable (N/A), Text Only, or Multiple Choice.
A weighting is required for the question and this should be in the range of 1-10. The weighting is used to calculate the level of risk based on the answer received from the supplier.
It is then necessary to decide whether a justification is required along with the answer (for Y/N, Y/NA and multiple-choice questions); this can be set separately for where the supplier answers Yes or No.
Attribute level relates back to the CIA attribute levels set for the supplier. In this way, certain questions will only be presented to suppliers with certain (higher) risk attributes.
Selection of the box marked ‘Critical’ is intended to highlight questions which may have a compliance impact. Regardless of the overall risk score generated by the responses, where a supplier fails on these questions, this will be shown on the overall management dashboard as well as against the questionnaire.
Reducing the number of questions received by a supplier
In the first instance, consider the categories that have been set up.
Scoring not matching internal view of risk presented
We would recommend checking a number of areas:
- Criticality rating for the supplier – either direct or inherited; if no rating has been set then defaults may have been applied
- Criticality thresholds set for control evaluation
- Categories assigned to the supplier.
Deleting questionnaires
Questionnaires with answers cannot be deleted due to auditing requirements. Contact URM Support if there is a need to delete a completed questionnaire.
Question branching
When setting up a question, there is an option to introduce nested questions. Where the answer to the question is ‘yes’, then one or more additional questions can be set to request additional explanation or uploading of documentation.
Gaining clarification on the services provided by a supplier
In some cases, records may not provide adequate information on the nature of services or commodities supplied by the third party, so it may be unclear what information is being shared with the supplier. In such cases, it is recommended that a two-step communication is introduced with the supplier (cf section 4.2.3). The initial communication can ask the supplier to confirm that they are in scope for the questions you have assigned based on the categories selected.
Shortening the questionnaire
The questionnaire can be shortened by modifying categories or introducing new categories. For low risk suppliers, it may be acceptable to ask a much smaller set of questions under a specific category.
Assigning owners
It is worth considering which supplier relationship owners are the right ones for the purpose of the assessment activities and managing action plans. Operational/commercial governance structures can be reflected in Abriska, although only one owner can be allocated to each supplier.
What risk is being shown in the dashboard?
The dashboard risk rating reflects the responses to the latest questionnaire based on the risk appetite thresholds applied (cf. section 4.25). It is worth noting that a low risk supplier that does not meet the risk appetite thresholds assigned will show as ‘red’.
Issuing guidance for suppliers
We recommend informing suppliers in advance that Abriska is being used to assess them, as the questionnaires are sent by default from Abriska.com (note this can be customised by contacting URM Support). Suppliers need to be made aware that they need to complete the questionnaire in full and ‘submit’ their response before it is made available to the issuing organisation.
The templates for supplier communications can be found under SRM Set Up / Supplier Communications.
Available question formats
- Multiple choice: these questions can be automatically scored based on user criteria.
- Yes/No (e.g. ‘Do you have a policy?’): automatically rated by the system.
- Yes/Not applicable: automatically rated by the system.
- Descriptive/free text (e.g. ‘How do you enforce the policy?’): these questions require manual review and scoring.
Types of supplier data that can be stored
Additional fields can be created to hold information about each supplier. This may be information collected on supplier onboarding checklists such as financial reports, insurance information and governance information. Some customers add information regarding terms and conditions in place, e.g. standard terms and conditions, supplier terms, negotiated terms.
Data can be extracted through ‘Other data’ under the Divisional Resources Report.
Loading large number of suppliers
Contact URM Support who are able to bulk load suppliers into Abriska.
Revising scores
Scores can be revised. Commentary is added to support the score and any change to a score. A full history of scores and score revisions is maintained.
There is also the option to ‘reopen questionnaire’ which allows the supplier to edit an answer and resubmit the question.
No RAG is showing on the dashboard
Check the questions – freeform questions are not automatically rated and require manual review. RAG is only applied when all questions have been graded.
Questionnaire refresh
There are the options to send a blank questionnaire or send the previous completed one. If the previous completed questionnaire is selected, then Abriska will compare the newly submitted questionnaire against the old one and highlight the changes.
Supplier risk appetite configuration
Where no specific thresholds exist, URM default values can be used to compare the question responses with the inherent risk presented by the supplier or related resource:
These can be fine-tuned based on the outputs. The options are to revisit the CIA rating or to revisit the thresholds.
Supplier is unable to use Abriska
If for some reason a supplier is unable to use Abriska or procurement are using a tendering portal, then the supplier can still be set up on Abriska as normal and a questionnaire can be generated and exported as a spreadsheet. This facility can be found under ‘Reports / supplier questionnaire’.
The completed questionnaire can be imported via the URM support team.
If a non-Abriska questionnaire has been completed by the supplier, then contact URM Support. Importing non-Abriska questionnaires would not be included within a standard support agreement and additional charges may be incurred.
Viewing responses before completion of the questionnaire
Abriska is configured such that the question responses can only be viewed by the customer when the supplier has fully completed their response and submitted. Progress against the number of questions assigned can be viewed at any time.
Improving questionnaire completion rates
URM is happy to advise and support. In essence, completion rates are enhanced by ensuring that relevant questions are sent to the supplier only. This is where the application of ‘Categories’ can help refine the overall question set in line with the risk presented by the supplier in the context of the service or commodity supplied.
Reviewing, scoring and analysing a questionnaire response
Select ‘Analyse Questionnaire Answers’ on the Supplier Workflow tab. Then select the relevant questionnaire and select the ‘Review’ icon. The response against the question is visible. Select ‘score’ icon against the question. Select the answer score (1 to 10 scale) and provide a justification. These scores can be adjusted over time as actions raised are completed. The audit trail is retained within the questionnaire and the overall risk profile updated.
A control-based view of the assessment is obtainable by selecting ‘Controls Analysis’ on the menu sidebar. The initial display is at overall or parent Control Type level, e.g. ISO 27002:2013. Selection of the Control Type displayed will allow review at a per control level.
Methodology behind the risk score calculation
The table below sets out the methodology behind the calculation of the risk scores for control effectiveness. For each control, there is at least one question, and weightings are set for each individual question on a recommended scale of 1-10. The Abriska Effectiveness rating is the product of the applicable weighting and the answer provided by the supplier. If a question is not relevant, then it is excluded from the calculation. There is the opportunity to manually override the score during review and provide a justification for this change.
Creating risk remediation actions within Abriska
Where a control assessment is inadequate, actions can be created for remediation activity. Actions can be assigned to internal staff or supplier contacts. Actions are raised and recorded against a questionnaire rather than a control area. From a review of the questionnaire responses, select ‘Risk Treatment’ from the side menu. The options available in terms of Risk Strategy are ‘Accept’, ‘Reduce’, ‘Avoid’ or ‘Transfer’. Actions can then be assigned to action owners and copied to risk owners. The nature of the action could be to approve the risk strategy or to agree the mitigating actions where ‘Reduce’ is selected.
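The effectiveness arithmetic set out in the methodology section above (weighting multiplied by the 1-10 answer score, non-relevant questions excluded, manual override only with a justification and a retained history), combined with the ‘Critical’ question rule and the ‘RAG is only applied when all questions have been graded’ rule stated earlier on this page, as an added Python example. This is illustrative code written for this page, not Abriska’s own implementation: the per-control aggregation (a weighted mean on the 1-10 scale), the RAG thresholds and the critical-failure cut-off are assumptions, and the controls, questions and answers are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed thresholds for this example; Abriska's risk appetite thresholds are
# configurable and their default values are not given on this page.
RAG_THRESHOLDS = {"green": 7.0, "amber": 4.0}   # rating >= 7 green, >= 4 amber, else red
CRITICAL_FAIL_SCORE = 4                          # a critical question scored at or below this "fails"


@dataclass
class Question:
    control: str                 # questions always relate to a control
    text: str
    weighting: int               # recommended scale 1-10
    critical: bool = False       # compliance-impacting question
    manual_review: bool = False  # free-text questions are not auto-rated

    def __post_init__(self):
        if not 1 <= self.weighting <= 10:
            raise ValueError(f"weighting must be 1-10, got {self.weighting}")


@dataclass
class Response:
    question: Question
    score: Optional[int] = None           # 1-10 answer score; None = not yet graded
    not_applicable: bool = False          # excluded from the calculation entirely
    history: list = field(default_factory=list)  # (old, new, justification) audit trail

    def revise(self, new_score: int, justification: str) -> None:
        """Manual override during review; a justification is mandatory."""
        if not 1 <= new_score <= 10:
            raise ValueError("score must be 1-10")
        if not justification.strip():
            raise ValueError("a justification is required when revising a score")
        self.history.append((self.score, new_score, justification))
        self.score = new_score

    def effectiveness(self) -> Optional[int]:
        """Weighting x answer score, or None if N/A or still ungraded."""
        if self.not_applicable or self.score is None:
            return None
        return self.question.weighting * self.score


def control_rating(responses) -> Optional[float]:
    """Weighted mean answer score (1-10) over applicable responses (assumed aggregation)."""
    applicable = [r for r in responses if not r.not_applicable]
    if not applicable or any(r.score is None for r in applicable):
        return None  # rating (and hence RAG) withheld until every applicable question is graded
    total_weight = sum(r.question.weighting for r in applicable)
    return sum(r.effectiveness() for r in applicable) / total_weight


def rag(rating: Optional[float]) -> Optional[str]:
    if rating is None:
        return None
    if rating >= RAG_THRESHOLDS["green"]:
        return "green"
    if rating >= RAG_THRESHOLDS["amber"]:
        return "amber"
    return "red"


def critical_failures(responses) -> list:
    """Critical questions that fail are reported regardless of the overall rating."""
    return [r.question.text for r in responses
            if r.question.critical and not r.not_applicable
            and r.score is not None and r.score <= CRITICAL_FAIL_SCORE]


def assess(responses) -> dict:
    """Group responses by control; return rating, RAG and critical failures per control."""
    by_control = {}
    for r in responses:
        by_control.setdefault(r.question.control, []).append(r)
    return {c: {"rating": control_rating(rs), "rag": rag(control_rating(rs)),
                "critical_failures": critical_failures(rs)}
            for c, rs in by_control.items()}


# Constructed sample questionnaire (not taken from Abriska's question set).
Q_POLICY = Question("Policy", "Do you have an approved information security policy?", 8, critical=True)
Q_ENFORCE = Question("Policy", "How do you enforce the policy?", 5, manual_review=True)
Q_BCP = Question("Continuity", "Do you test your continuity plan annually?", 6)
Q_DR = Question("Continuity", "Do you operate a secondary site?", 4)


def build_sample() -> list:
    return [
        Response(Q_POLICY, score=9),
        Response(Q_ENFORCE),                 # free text: awaiting manual review, so Policy has no RAG yet
        Response(Q_BCP, score=3),
        Response(Q_DR, not_applicable=True),  # excluded from the Continuity calculation
    ]


if __name__ == "__main__":
    sample = build_sample()
    print(assess(sample))
    sample[1].revise(7, "Evidence of annual policy review uploaded")
    print(assess(sample))
```

Running the block shows the Policy control without a RAG until the free-text answer has been scored, the Continuity control rated red from the single applicable question (18 / 6 = 3.0), and the Policy control turning green once the reviewer grades the free-text answer with a justification that is kept in the response history.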
Identifying and reporting on common control weaknesses
From the Supplier Dashboard, select ‘Controls Effectiveness’ and then select the control of interest from the drop-down menu on the main page. The list of suppliers along with the control rating will appear on the screen.
Identifying and reporting on common supplier attributes
On the Supplier Dashboard, look to the fields on the right-hand side and scroll-down to Categories. In this section, select the relevant categories for analysis, e.g. A07: Cloud Service Provider and all suppliers allocated this category will appear on the screen.
Can a questionnaire be sent again to a supplier with the same results as before to be amended, rather than completing a whole questionnaire each time?
> Supplier risk management > Supplier Dashboard > select the questions button for the supplier you wish to send the questionnaire to > from here you can 'Create new Questionnaire' > under questionnaire type you can then select 'Copy answers from previous questionnaire'