
Supplier Command Centre

Common actions

Sending a questionnaire to a supplier

Select ‘Supplier Workflow’. This is a key area within Abriska and most users will use this workflow to drive their supplier risk assessment activities from initiation through to completion of each assessment cycle.

Criticality assessment

Two options are available:

  • Assess Directly
  • Relate Information

Assess Directly requires the supplier risk profile to be determined individually whereas Relate Information implies that the risk profile is being inherited from another resource or supplier. Selecting ‘Relate Information’ will prompt completion of the dependency information.

Assess Directly prompts completion of the Confidentiality, Integrity and Availability (CIA) attributes of the commodity or service that the supplier provides. Under each of the Confidentiality, Integrity and Availability attributes, there is an impact statement ranging from Minor (1) to Major (3) along with a justification field (optional). Note that the range of impact levels can be extended to fit with the risk/impact matrices used within the client organisation. Contact URM Support for more information.

Once the attributes have been completed, select ‘submit’. The system returns to the Supplier Details tab. Re-select Supplier Workflow and it can be seen that Category Assignment has now been highlighted as the next stage.

Category assignment

Select Category Assignment. A list of Supplier Categories will be shown on the screen. The default list with Abriska contains 17 categories. Based on an understanding of the supplier, its product, service and delivery model relevant categories should be selected. The categories selected determine the questions to be asked. Complete this activity by selecting Submit.

Contact validation

From the Supplier Workflow tab, the next highlighted stage is ‘Contact Validation’. Enter the email address of the supplier contact. If the contact is not already registered, they will receive an activation email informing them that they have been set up on Abriska and need to validate their registration to respond to the survey. When setting up the supplier contact, there are three workflows to consider. These workflows are only made available when you set up the contact.

  • ‘Direct’ – in this case once the supplier contact has validated their registration, then they proceed directly to responding to the questionnaire. They cannot amend the categories and therefore the questions sent to them.
  • ‘Supplier Category Confirmation – Direct’ – in this option, the supplier contact has the opportunity to review the categories for relevance and confirm or reject the categories assigned through checking each category and providing justification where they believe a category does not apply to them. The user will be notified of this response and the questionnaire will need to be amended accordingly before being made available to the supplier again.
  • In the third option, ‘Confirmation, Customise, Questionnaire’ an additional opportunity is offered to the user to add or remove categories and edit questions before making the questionnaire available to the supplier following initial acceptance or rejection of categories.

At this stage, internal notification options can be set based on the information held within the supplier profile. When ready, select ‘Submit’. The questionnaire is sent to the supplier.

Seeing the status of questionnaires

From the Supplier Workflow tab, select ‘Questionnaire in Progress’ to view status of sent questionnaires. The history of questionnaires is also reviewable through this section.

Analysing the answers to the questionnaire

From the Supplier Workflow tab, select ‘Analyse Questionnaire Answers’ and select the required questionnaire.

Reviewing the questionnaire before it is sent to the supplier

Allocated categories and questions can be reviewed and edited prior to sending to the supplier. To have this option, it is necessary to select the third option ‘Confirmation, Customise, Questionnaire’ when setting up the contact.

Finding out whether a questionnaire has been completed

You can review progress of the questionnaire through the Dashboard.

Distributing the questionnaire within the supplier organisation

TBC

Suppliers can invite members of the same organisation to complete a questionnaire.

To add additional users to answer questions there are three steps:

  • Once the supplier is logged into Abriska, they must open the questionnaire they would like to add an additional user to.
  • Select ‘Manage People’ on the left sidebar, then ‘Add Contact’.
  • Enter the email address of the user who requires access and press the search icon. For security reasons, this must match the same domain as the primary contact.

Once added, the user will receive an email with details to create their own account.
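The domain-match rule above is the control that stops a supplier contact inviting someone from an unrelated organisation into the questionnaire. The following is an added example of how such a check can be written, not Abriska's own code; the addresses are constructed and the exact-match policy (a subdomain or look-alike domain is rejected) is an assumption about how strict the check should be.

```python
def _domain(address: str) -> str:
    """Extract the domain part of a single e-mail address, lower-cased.
    Rejects anything that is not one address with a non-empty local part and domain,
    so a pasted list or a malformed string cannot slip through the comparison."""
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"expected exactly one e-mail address, got {address!r}")
    local, _, domain = address.partition("@")
    if not local or not domain or domain.startswith(".") or domain.endswith("."):
        raise ValueError(f"malformed e-mail address {address!r}")
    return domain.lower()


def same_domain(primary_contact: str, new_contact: str) -> bool:
    """True only when the new contact's domain is identical to the primary contact's.
    Case and surrounding whitespace are ignored; 'mail.supplier.example' is NOT
    accepted for 'supplier.example' (assumed strict policy)."""
    return _domain(primary_contact) == _domain(new_contact)


if __name__ == "__main__":
    primary = "alice@supplier.example"  # constructed primary contact
    for candidate in ["Bob@Supplier.Example",
                      "bob@mail.supplier.example",
                      "bob@supplier-example.test"]:
        print(candidate, "->", "allowed" if same_domain(primary, candidate) else "rejected")
```

Display names (`Bob <bob@supplier.example>`) are deliberately not parsed; if the UI accepts them, strip the angle-bracket form before calling the check rather than loosening the parser.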

Reducing the number of questions received by a supplier

In the first instance, consider the categories that have been set up.

Scoring not matching internal view of risk presented

We would recommend checking a number of areas:
  • Criticality rating for the supplier – either direct or inherited; if no rating has been set then defaults may have been applied
  • Criticality thresholds set for control evaluation
  • Categories assigned to the supplier.

Deleting questionnaires

Questionnaires with answers cannot be deleted due to auditing requirements. Contact URM Support if there is a need to delete a completed questionnaire.

Question branching

When setting up a question, there is an option to introduce nested questions. Where the answer to the question is ‘yes’, then one or more additional questions can be set to request additional explanation or uploading of documentation.

Gaining clarification on the services provided by a supplier

In some cases, records may not provide adequate information on the nature of services or commodities supplied by the third party, so it may be unclear what information is being shared with the supplier.

In such cases, it is recommended that a two-step communication is introduced with the supplier (cf. section 4.2.3). The initial communication can ask the supplier to confirm that they are in scope for the questions you have assigned based on the categories selected.

Shortening the questionnaire

The questionnaire can be shortened through modifying categories or introducing new categories. For low risk suppliers, it may be acceptable to ask a much smaller set of questions under a specific category for such suppliers.

Assigning owners

It is worth considering which supplier relationship owners are the right ones for the purpose of the assessment activities and managing action plans. Operational/commercial governance structures can be reflected in Abriska, although only one owner can be allocated to each supplier.

What risk is being shown in the dashboard?

The dashboard risk rating reflects the responses to the latest questionnaire based on the risk appetite thresholds applied (cf. section 4.25). It is worth noting that a low risk supplier that does not meet the risk appetite thresholds assigned will show as ‘red’.

Issuing guidance for suppliers

We recommend informing suppliers in advance that Abriska is being used to assess them, as the questionnaires are sent by default from Abriska.com (this can be customised by contacting URM Support). Suppliers need to be made aware that they must complete the questionnaire in full and ‘submit’ their response before it is made available to the issuing organisation.

The templates for supplier communications can be found under SRM Set Up / Supplier Communications.

Available question formats

  • Multiple choice. These questions can be automatically scored based on user criteria.
  • Yes/No, e.g. ‘Do you have a policy?’ Rated automatically by the system.
  • Yes/Not applicable. Rated automatically by the system.
  • Descriptive/free text, e.g. ‘How do you enforce the policy?’ These questions require manual review and scoring.

Types of supplier data that can be stored

Additional fields can be created to hold information about each supplier. This may be information collected on supplier onboarding checklists such as financial reports, insurance information and governance information. Some customers add information regarding terms and conditions in place, e.g. standard terms and conditions, supplier terms, negotiated terms.

Data can be extracted through ‘Other data’ under the Divisional Resources Report.

Loading large number of suppliers

Contact URM Support who are able to bulk load suppliers into Abriska.

Revising scores

Scores can be revised. Commentary is added to support the score and any change to it. A full history of scores and score revisions is maintained.

There is also the option to ‘reopen questionnaire’ which allows the supplier to edit an answer and resubmit the question.

No RAG is showing on the dashboard

Check the questions – freeform questions are not automatically rated and require manual review. RAG is only applied when all questions have been graded.

Questionnaire refresh

There are the options to send a blank questionnaire or send the previous completed one. If the previous completed questionnaire is selected, then Abriska will compare the newly submitted questionnaire against the old one and highlight the changes.

Supplier risk appetite configuration

Where no specific thresholds exist, URM default values can be used to compare the question responses with the inherent risk presented by the supplier or related resource:

These can be fine-tuned based on the outputs. The options are to revisit the CIA rating or to revisit the thresholds.

Supplier is unable to use Abriska

Troubleshooting

If for some reason a supplier is unable to use Abriska or procurement are using a tendering portal, then the supplier can still be set up on Abriska as normal and a questionnaire can be generated and exported as a spreadsheet. This facility can be found under ‘Reports / supplier questionnaire’.

The completed questionnaire can be imported via the URM support team.

If a non-Abriska questionnaire has been completed by the supplier, then contact URM Support. Importing non-Abriska questionnaires would not be included within a standard support agreement and additional charges may be incurred.

Viewing responses before completion of the questionnaire

Abriska is configured such that the question responses can only be viewed by the customer when the supplier has fully completed their response and submitted. Progress against the number of questions assigned can be viewed at any time.

Improving questionnaire completion rates

URM is happy to advise and support. In essence, completion rates are enhanced by ensuring that relevant questions are sent to the supplier only. This is where the application of ‘Categories’ can help refine the overall question set in line with the risk presented by the supplier in the context of the service or commodity supplied.

Reviewing, scoring and analysing a questionnaire response

Select ‘Analyse Questionnaire Answers’ on the Supplier Workflow tab. Then select the relevant questionnaire and select the ‘Review’ icon. The response against the question is visible. Select the ‘score’ icon against the question. Select the answer score (1 to 10 scale) and provide a justification. These scores can be adjusted over time as actions raised are completed. The audit trail is retained within the questionnaire and the overall risk profile is updated.

A control-based view of the assessment is obtainable by selecting ‘Controls Analysis’ on the menu sidebar. The initial display is at overall or parent Control Type level, e.g. ISO 27002:2013. Selection of the Control Type displayed will allow review at a per control level.

Methodology behind the risk score calculation

The table below sets out the methodology behind the calculation of the risk scores for control effectiveness. For each control, there is at least one question, and weightings are set for each individual question on a recommended scale of 1-10. The Abriska Effectiveness rating is the product of the applicable weighting and the answer provided by the supplier. If a question is not relevant, it is excluded from the calculation. There is the opportunity to manually override the score during review and provide a justification for this change.
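The methodology above, together with the scoring rules given earlier on this page (1-10 answer scores with a mandatory justification and a retained audit trail; no RAG until every question has been graded, because free-text questions are only scored manually), as an added worked example. This is not Abriska's code: the question ids, control names, sample answers, the RAG thresholds and the division of the weighted total by the total weight (to keep the control rating on the 1-10 scale) are all assumptions made for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Question:
    qid: str
    control: str           # control the question evidences, e.g. an ISO 27002 clause (placeholder)
    fmt: str               # "yes_no", "multiple_choice" or "freetext"
    weight: int            # per-question weighting, recommended scale 1-10
    relevant: bool = True  # False (e.g. answered "Not applicable") excludes it from the calculation
    auto_score: Optional[int] = None    # system rating for yes/no or multiple-choice answers
    manual_score: Optional[int] = None  # reviewer's score or override, 1-10
    history: list[tuple[Optional[int], int, str]] = field(default_factory=list)  # audit trail

    def score(self) -> Optional[int]:
        """Effective score: a manual score overrides the automatic one."""
        return self.manual_score if self.manual_score is not None else self.auto_score


def record_score(q: Question, new_score: int, justification: str) -> None:
    """Manual scoring or override on the 1-10 scale. A justification is mandatory and the
    previous value is appended to the history so later revisions never erase the trail."""
    if not 1 <= new_score <= 10:
        raise ValueError("score must be between 1 and 10")
    if not justification.strip():
        raise ValueError("a justification is required for every score change")
    q.history.append((q.score(), new_score, justification))
    q.manual_score = new_score


def ungraded(questions: list[Question]) -> list[Question]:
    """Relevant questions still waiting for a score; in practice the free-text ones."""
    return [q for q in questions if q.relevant and q.score() is None]


def control_effectiveness(questions: list[Question]) -> dict[str, Optional[float]]:
    """Per-control effectiveness: sum of weight x answer over the relevant questions,
    divided by the total weight (assumed normalisation back onto 1-10).
    A control with any ungraded question gets None rather than a partial rating."""
    grouped: dict[str, list[Question]] = {}
    for q in questions:
        if q.relevant:
            grouped.setdefault(q.control, []).append(q)
    result: dict[str, Optional[float]] = {}
    for control, qs in grouped.items():
        if any(q.score() is None for q in qs):
            result[control] = None
            continue
        total_weight = sum(q.weight for q in qs)
        result[control] = sum(q.weight * q.score() for q in qs) / total_weight
    return result


# Constructed risk-appetite thresholds: (green floor, amber floor); below the amber floor is red.
DEFAULT_THRESHOLDS = (8.0, 5.0)


def rag(effectiveness: Optional[float], thresholds=DEFAULT_THRESHOLDS) -> Optional[str]:
    """RAG status for a control; None until every question behind it has been graded."""
    if effectiveness is None:
        return None
    green_floor, amber_floor = thresholds
    if effectiveness >= green_floor:
        return "Green"
    if effectiveness >= amber_floor:
        return "Amber"
    return "Red"


def sample_questions() -> list[Question]:
    """Constructed sample response; ids, controls and scores are placeholders."""
    return [
        Question("Q1", "A.5", "yes_no", 10, auto_score=10),
        Question("Q2", "A.5", "freetext", 5),                # needs manual review
        Question("Q3", "A.5", "yes_no", 7, relevant=False),  # answered "Not applicable"
        Question("Q4", "A.9", "multiple_choice", 8, auto_score=4),
        Question("Q5", "A.9", "yes_no", 2, auto_score=10),
    ]


if __name__ == "__main__":
    qs = sample_questions()
    print("awaiting review:", [q.qid for q in ungraded(qs)])
    print({c: (e, rag(e)) for c, e in control_effectiveness(qs).items()})
    record_score(qs[1], 6, "Enforcement process described; no evidence of monitoring")
    print({c: (round(e, 2), rag(e)) for c, e in control_effectiveness(qs).items()})
    print("audit trail Q2:", qs[1].history)
```

Run as-is, control A.5 has no RAG on the first pass because Q2 is free text and unscored; once the reviewer records a score with a justification, A.5 rates 130/15 (about 8.67, Green) and Q2 carries the (old, new, justification) entry. A.9 rates (8 x 4 + 2 x 10) / 10 = 5.2 (Amber) from the automatic ratings alone, and the not-applicable Q3 never enters the calculation.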

Creating risk remediation actions within Abriska

Where a control assessment is inadequate, actions can be created for remediation activity. Actions can be created on internal staff or supplier contacts. Actions are raised and recorded against a questionnaire rather than a control area. From a review of the questionnaire responses select ‘Risk Treatment’ from the side menu. The options available in terms of Risk Strategy are ‘Accept’, ‘Reduce’, ‘Avoid’ or ‘Transfer’. Actions can then be assigned to action owners and copied to risk owners. The nature of the action could be to approve the risk strategy or to agree the mitigating actions where ‘reduce’ is selected.

Identifying and reporting on common control weaknesses

From the Supplier Dashboard, select ‘Controls Effectiveness’ and then select the control of interest from the drop-down menu on the main page. The list of suppliers along with the control rating will appear on the screen.

Identifying and reporting on common supplier attributes

On the Supplier Dashboard, look to the fields on the right-hand side and scroll down to Categories. In this section, select the relevant categories for analysis, e.g. A07: Cloud Service Provider, and all suppliers allocated this category will appear on the screen.

Can a questionnaire be sent again to a supplier with the same results as before to be amended, rather than completing a whole questionnaire each time?

> Supplier risk management > Supplier Dashboard > select the questions button for the supplier you wish to send the questionnaire to > from here you can 'Create new Questionnaire' > under questionnaire type you can then select 'Copy answers from previous questionnaire'
