
Common Tasks - Questionnaires and Distribution

Questionnaires

Adding questions

Questions must be related to controls. A set of questions for each control is provided with Abriska. It is possible to edit these or add further questions in relation to a control.

Controls are mapped to categories, hence assigning a category to a supplier ensures that the appropriate questions are asked. Where a control features in multiple categories, Abriska recognises this and ensures the question is only asked once.

Note that categories are not evaluated; controls are evaluated based on the responses to the questions. Under SRM Setup, select Controls, then move into control assessment questions.

Available question formats

  • Multiple choice. These questions can be automatically scored based on user criteria.
  • Yes/No, e.g. 'Do you have a policy?' These questions are rated automatically by the system.
  • Yes/Not applicable. These questions are rated automatically by the system.
  • Descriptive/free text, e.g. 'How do you enforce the policy?' These questions require manual review and scoring.

Question branching

When setting up a question, there is an option to introduce nested questions. Where the answer to the question is ‘yes’, then one or more additional questions can be set to request additional explanation or uploading of documentation.

Distributing the questionnaire within the supplier organisation

Suppliers can invite members of the same organisation to complete a questionnaire.

To add additional users to answer questions there are three steps. Once the supplier is logged into Abriska, they must open the questionnaire they would like to add an additional user to, and then:

  1. Select 'Manage People' on the left sidebar.
  2. Select 'Add Contact'.
  3. Enter the email address of the user who requires access and press the search icon. For security reasons, the address must be on the same domain as the primary contact.

Once added, the user will receive an email with details to create their own account.

Reducing the number of questions received by a supplier

In the first instance, consider the categories that have been set up.

Scoring not matching internal view of risk presented

We would recommend checking a number of areas:
  • Criticality rating for the supplier – either direct or inherited; if no rating has been set then defaults may have been applied
  • Criticality thresholds set for control evaluation
  • Categories assigned to the supplier.

Deleting questionnaires

Questionnaires with answers cannot be deleted due to auditing requirements. Contact URM Support if there is a need to delete a completed questionnaire.

Issuing guidance for suppliers

We recommend informing suppliers in advance that Abriska is being used to assess them, as the questionnaires are sent by default from Abriska.com (note this can be customised by contacting URM Support). Suppliers need to be made aware that they must complete the questionnaire in full and ‘submit’ their response before it is made available to the issuing organisation.

The templates for supplier communications can be found under SRM Set Up / Supplier Communications.

Types of supplier data that can be stored

Additional fields can be created to hold information about each supplier. This may be information collected on supplier onboarding checklists such as financial reports, insurance information and governance information. Some customers add information regarding terms and conditions in place, e.g. standard terms and conditions, supplier terms, negotiated terms.

Data can be extracted through ‘Other data’ under the Divisional Resources Report.

Loading a large number of suppliers

Contact URM Support, who are able to bulk load suppliers into Abriska.

Revising scores

Scores can be revised. Commentary is added to support the score and any change to a score. A full history of scores and score revisions is maintained.

There is also the option to ‘reopen questionnaire’ which allows the supplier to edit an answer and resubmit the question.

Questionnaire refresh

There are options to send a blank questionnaire or to send the previously completed one. If the previously completed questionnaire is selected, then Abriska will compare the newly submitted questionnaire against the old one and highlight the changes.

Supplier risk appetite configuration

Where no specific thresholds exist, URM default values can be used to compare the question responses with the inherent risk presented by the supplier or related resource:

These can be fine-tuned based on the outputs. The options are to revisit the CIA rating or the thresholds.

Supplier is unable to use Abriska

If for some reason a supplier is unable to use Abriska or procurement are using a tendering portal, then the supplier can still be set up on Abriska as normal and a questionnaire can be generated and exported as a spreadsheet. This facility can be found under ‘Reports / supplier questionnaire’.

The completed questionnaire can be imported via the URM support team.

If a non-Abriska questionnaire has been completed by the supplier, then contact URM Support. Importing non-Abriska questionnaires would not be included within a standard support agreement and additional charges may be incurred.

Viewing responses before completion of the questionnaire

Abriska is configured such that the question responses can only be viewed by the customer when the supplier has fully completed their response and submitted. Progress against the number of questions assigned can be viewed at any time.

Improving questionnaire completion rates

URM is happy to advise and support. In essence, completion rates are enhanced by ensuring that relevant questions are sent to the supplier only. This is where the application of ‘Categories’ can help refine the overall question set in line with the risk presented by the supplier in the context of the service or commodity supplied.

Reviewing, scoring and analysing a questionnaire response

Select ‘Analyse Questionnaire Answers’ on the Supplier Workflow tab. Then select the relevant questionnaire and select the ‘Review’ icon. The response against each question is visible. Select the ‘score’ icon against the question, then select the answer score (1 to 10 scale) and provide a justification. These scores can be adjusted over time as actions raised are completed. The audit trail is retained within the questionnaire and the overall risk profile is updated.

A control-based view of the assessment is obtainable by selecting ‘Controls Analysis’ on the menu sidebar. The initial display is at overall or parent Control Type level, e.g. ISO 27002:2013. Selection of the Control Type displayed will allow review at a per control level.

Methodology behind the risk score calculation

The table below sets out the methodology behind the calculation of the risk scores for control effectiveness. For each control, there is at least one question, and weightings are set for each individual question on a recommended scale of 1-10. The Abriska Effectiveness rating is the product of the applicable weighting and the answer provided by the supplier. If a question is not relevant, then it is excluded from the calculation. There is the opportunity to manually override the score during review and provide a justification for this change.


