
Supplier Command Centre


Here you can edit supplier details, relationship owners, modify attributes and create and review questionnaires.
You can get here from: A) Assets > Suppliers (asset type) > select supplier name, B) Supplier Dashboard > go to edit (pencil symbol over supplier name)

Supplier command page


On the left-hand options bar:
1. 'Questionnaire Options' - here you can select which categories your supplier relates to, nominate the primary contact, view which emails you have sent and view all questionnaires, completed and uncompleted.
2. 'Asset Relationships' - here you can select whether your supplier has access to any of your assets/resources. The supplier may be dependent on another supplier with which the organisation holds a direct relationship, or it may support another supplier or asset/resource.
3. 'Modify Asset Attributes' - identifying a score for the Confidentiality, Integrity and Availability - the impact this supplier can have on your organisation.

On the four tabs in the centre of the page:
1. 'Supplier Details' - basic asset/resource information where you can assign an owner, its location and their tier.
2. 'Asset Dependencies Chart' - chart view of the 'Asset Relationships'.
3. 'Documents' - relevant documentation and policies can be uploaded here.
4. 'Questionnaire Workflow' - here you can manage sending questionnaires to suppliers.

Questionnaire Workflow example

Questionnaire Workflow

To send a questionnaire to a supplier you need to go through the workflow process, following the steps outlined below. This is a key area within Abriska and most users will use this workflow to drive their supplier risk assessment activities from initiation through to completion of each assessment cycle.

Criticality Assessment

Two options are available:

  • Assess Directly
  • Relate Information

Assess Directly requires the supplier risk profile to be determined individually whereas Relate Information implies that the risk profile is being inherited from another resource or supplier.

Selecting ‘Relate Information’ will prompt completion of the dependency information. Assess Directly prompts completion of the Confidentiality, Integrity and Availability (CIA) attributes of the commodity or service that the supplier provides.

Under each of the Confidentiality, Integrity and Availability attributes, there is an impact statement ranging from Minor (1) to Major (3) along with a justification field (optional). Note that the range of impact levels can be extended to fit with the risk/impact matrices used within the client organisation. Contact URM Support for more information.

Once the attributes have been completed, select ‘Submit’. The system returns to the 'Supplier Details' tab. Re-select 'Questionnaire Workflow' and it can be seen that 'Category Assignment' has now been highlighted as the next stage.

Category Assignment

Select 'Category Assignment'. A list of Supplier Categories will be shown on the screen. The default list with Abriska contains 17 categories. Based on an understanding of the supplier, its product, service and delivery model, relevant categories should be selected. The categories selected determine the questions to be asked. Complete this activity by selecting 'Submit'.

Contact Validation and Questionnaire

From the 'Questionnaire Workflow' tab, the next highlighted stage is ‘Contact Validation’. Enter the email address of the supplier contact. If the contact is not already registered, then they will receive an activation email informing them that they have been set up on Abriska and need to validate their registration to respond to the survey. When setting up the supplier contact, there are three workflows to consider. These workflows are only made available when you set up the contact.

  • ‘Direct’ – in this case once the supplier contact has validated their registration, then they proceed directly to responding to the questionnaire. They cannot amend the categories and therefore the questions sent to them.
  • ‘Supplier Category Confirmation – Direct’ – in this option, the supplier contact has the opportunity to review the categories for relevance and confirm or reject the categories assigned through checking each category and providing justification where they believe a category does not apply to them. The user will be notified of this response and the questionnaire will need to be amended accordingly before being made available to the supplier again.
  • In the third option, ‘Confirmation, Customise, Questionnaire’ an additional opportunity is offered to the user to add or remove categories and edit questions before making the questionnaire available to the supplier following initial acceptance or rejection of categories.

At this stage, internal notification options can be set based on the information held within the supplier profile. When ready, select ‘Submit’. The questionnaire is sent to the supplier.

Seeing the status of questionnaires

You can review progress of the questionnaire through the Dashboard > select the second to last option (mini list icon next to 'Risk') 'questionnaires' > this will take you directly to see a list of the questionnaires sent, in progress and completed. The history of questionnaires is also reviewable through this section.

Risk Analysis

To analyse the answers to the most recent questionnaire, select ‘Risk Analysis’ from the 'Questionnaire Workflow' tab and a list of questions from the most recent questionnaire will appear.
To view questions from previous or other questionnaires go to > 'Questionnaire Options' > 'Questionnaires' > select the questionnaire you wish to view.

Risk Treatment

This is the supplier risk treatment strategy page. It will highlight to the user the risk level at which the questionnaire classifies the supplier. The user has the option to select a 'Risk Strategy' from a dropdown box: 'Accept', 'Reduce', 'Avoid' or 'Transfer'.
You must select and 'Submit' a review date before submitting a 'Risk Action'. Where a control assessment is inadequate, 'Risk Actions' can be created for remediation activity. Actions can be created on internal staff or supplier contacts. Actions are raised and recorded against a questionnaire rather than a control area.

Risk Report

TBC

Distributing the questionnaire within the supplier organisation

TBC

Suppliers can invite members of the same organisation to complete a questionnaire.

To add additional users to answer questions there are three steps: once the supplier is logged into Abriska, they must open the questionnaire they would like to add an additional user to > select 'Manage People' on the left sidebar > 'Add Contact' > enter the email address of the user who requires access and press the search icon. For security reasons, this address must be on the same domain as the primary contact.

Once added, the user will receive an email with details to create their own account.

Reducing the number of questions received by a supplier

In the first instance, consider the categories that have been set up.

Scoring not matching internal view of risk presented

We would recommend checking a number of areas:
  • Criticality rating for the supplier – either direct or inherited; if no rating has been set then defaults may have been applied
  • Criticality thresholds set for control evaluation
  • Categories assigned to the supplier.

Deleting questionnaires

Questionnaires with answers cannot be deleted due to auditing requirements. Contact URM Support if there is a need to delete a completed questionnaire.

Issuing guidance for suppliers

We recommend informing suppliers in advance that Abriska is being used to assess the supplier, as the questionnaires are sent by default from Abriska.com (note that this can be customised by contacting URM Support). Suppliers need to be made aware that they need to complete the questionnaire in full and ‘submit’ their response before it is made available to the issuing organisation.

The templates for supplier communications can be found under SRM Set Up / Supplier Communications.

Types of supplier data that can be stored

Additional fields can be created to hold information about each supplier. This may be information collected on supplier onboarding checklists such as financial reports, insurance information and governance information. Some customers add information regarding terms and conditions in place, e.g. standard terms and conditions, supplier terms, negotiated terms.

Data can be extracted through ‘Other data’ under the Divisional Resources Report.

Loading a large number of suppliers

Contact URM Support who are able to bulk load suppliers into Abriska.

Revising scores

Scores can be revised. Commentary is added to support the score and any change to it. A full history of scores and score revisions is maintained.

There is also the option to ‘reopen questionnaire’ which allows the supplier to edit an answer and resubmit the question.

Questionnaire refresh

There are options to send a blank questionnaire or to send the previous completed one. If the previous completed questionnaire is selected, then Abriska will compare the newly submitted questionnaire against the old one and highlight the changes.

Supplier risk appetite configuration

Where no specific thresholds exist, URM default values can be used to compare the question responses with the inherent risk presented by the supplier or related resource:

These can be fine-tuned based on the outputs. The options are to revisit the CIA rating or to revisit the thresholds.

Supplier is unable to use Abriska

TROUBLE SHOOT

If for some reason a supplier is unable to use Abriska or procurement are using a tendering portal, then the supplier can still be set up on Abriska as normal and a questionnaire can be generated and exported as a spreadsheet. This facility can be found under ‘Reports / supplier questionnaire’.

The completed questionnaire can be imported via the URM support team.

If a non-Abriska questionnaire has been completed by the supplier, then contact URM Support. Importing non-Abriska questionnaires would not be included within a standard support agreement and additional charges may be incurred.

Viewing responses before completion of the questionnaire

Abriska is configured such that the question responses can only be viewed by the customer when the supplier has fully completed their response and submitted. Progress against the number of questions assigned can be viewed at any time.

Improving questionnaire completion rates

URM is happy to advise and support. In essence, completion rates are enhanced by ensuring that relevant questions are sent to the supplier only. This is where the application of ‘Categories’ can help refine the overall question set in line with the risk presented by the supplier in the context of the service or commodity supplied.

Reviewing, scoring and analysing a questionnaire response

Select ‘Analyse Questionnaire Answers’ on the Supplier Workflow tab. Then select the relevant questionnaire and select the ‘Review’ icon. The response against the question is visible. Select ‘score’ icon against the question. Select the answer score (1 to 10 scale) and provide a justification. These scores can be adjusted over time as actions raised are completed. The audit trail is retained within the questionnaire and the overall risk profile updated.

A control-based view of the assessment is obtainable by selecting ‘Controls Analysis’ on the menu sidebar. The initial display is at overall or parent Control Type level, e.g. ISO 27002:2013. Selection of the Control Type displayed will allow review at a per control level.

Methodology behind the risk score calculation

The table below sets out the methodology behind the calculation of the risk scores for control effectiveness. For each control, there is at least one question, and weightings are set for each individual question on a recommended scale of 1-10. The Abriska Effectiveness rating is the product of the applicable weighting and the answer provided by the supplier. If a question is not relevant, then it is excluded from the calculation. There is the opportunity to manually override the score during review and provide a justification for this change.
