Supplier Risk Management - Video Guides
Supplier Risk Management Setup
Controls
A default set of controls is visible. These controls are taken from ISO 27001:2013.
New Control
To add a new control, complete the fields in the form provided. All fields must be completed. Remember to click submit on completion. Controls may be added from other standards such as NIST and PCI DSS. Note that the NIST Cyber Security Framework v1.1 and ISO 27001 cover the same control areas; however, one standard may offer more controls in a given area than the other. Other control groups may be ISO 27032 (cyber security), ISO 27018 (PII in the cloud) and ISO 27017 (cloud security).
View Control Groups
A list of available control groups is provided. Selecting a control group shows the control group name and the underpinning maturity model.
New Control Group
Create a new control group and assign the relevant maturity model. ISO 27001 is the default maturity model, aligned with the COBIT maturity model.
View Control Types
Provides a list of the ISO 27002:2013 control types. Clicking on an individual control type shows additional information on the linked controls.
Categories
Categories are probably one of the most important components of Abriska. They provide the opportunity to tailor the questionnaire based on the nature of the commodity or service provided by the supplier. If there were only one category, every supplier would receive every question regardless of the commodity or service being provided. There is a default set of 17 categories. All of these categories can be edited, and new categories can be added at any time. Only the relevant categories are assigned to each supplier. On the default list, you will see the category name, the description, whether controls have been allocated (click to view and amend the assigned controls) and the corresponding number of questions assigned.
Add New Category
Complete the form to create a new category. Remember to click submit to save.
Risk Rating
To understand whether the responses to the questionnaire lead to an acceptable or unacceptable level of risk, you can assign a risk rating by setting risk appetite thresholds. A high-risk commodity or service provided by a supplier can have a different set of tolerance levels from a low-risk supplier. For a high-risk supplier, you may require a score of 100% on the allocated questions, whereas for a low-risk supplier you may tolerate a much lower level of compliance. The table expresses residual risk based on the responses to the questionnaire and the subsequent evaluation by subject matter experts. It is completely configurable. Example: for a high-risk supplier with an attribute score of ‘3’, only a questionnaire score of 90% or more would be negligible residual risk, whereas a score of 0% would be high risk.
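As an added illustration (not Abriska's own code or configuration), here is a small Python model of the residual-risk table described above: the 90%/negligible and 0%/high points for attribute score 3 follow the text's example, while the other rows, the intermediate thresholds and the band names "low" and "medium" are constructed assumptions. It also checks that a higher-risk attribute score is never configured with looser thresholds than a lower one.

```python
# Constructed example of a configurable risk-appetite table; only the
# attribute-score-3 endpoints (90% -> negligible, 0% -> high) come from the text.
BANDS = ("negligible", "low", "medium", "high")

# Per supplier attribute score: the questionnaire score (%) that must be
# reached to land in negligible, low and medium respectively; anything
# below the last threshold is high residual risk.
RISK_APPETITE = {
    3: (90, 70, 40),   # high-risk supplier: strict (first value from the text)
    2: (80, 55, 30),   # medium-risk supplier (constructed)
    1: (60, 40, 20),   # low-risk supplier (constructed)
}


def validate_appetite(table):
    """Reject a table whose thresholds are out of range, do not strictly
    descend within a row, or loosen as the attribute score increases."""
    prev_attr, prev_row = None, None
    for attr in sorted(table):
        row = table[attr]
        if len(row) != len(BANDS) - 1:
            raise ValueError(f"attribute {attr}: expected {len(BANDS) - 1} thresholds")
        if any(not 0 <= t <= 100 for t in row):
            raise ValueError(f"attribute {attr}: thresholds must be 0..100")
        if any(a <= b for a, b in zip(row, row[1:])):
            raise ValueError(f"attribute {attr}: thresholds must strictly descend")
        if prev_row is not None and any(h < l for h, l in zip(row, prev_row)):
            raise ValueError(f"attribute {attr} is less strict than attribute {prev_attr}")
        prev_attr, prev_row = attr, row
    return True


def residual_risk(attribute_score, questionnaire_pct, table=RISK_APPETITE):
    """Map a supplier's attribute score and questionnaire score (%) to a band."""
    if not 0 <= questionnaire_pct <= 100:
        raise ValueError("questionnaire score must be a percentage 0..100")
    for band, threshold in zip(BANDS, table[attribute_score]):
        if questionnaire_pct >= threshold:   # meeting the threshold exactly counts
            return band
    return BANDS[-1]
```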
Supplier Communications
There are three default emails configured with Abriska. The first is to be sent to the supplier to enable them to register on the system. The second provides the introduction to the questionnaire and the third is a reminder email to the assigned contact at the supplier.
Supplier Dashboard
Once set up, this is the best starting point for future activity. The dashboard lists all suppliers in Abriska and can be filtered by division or contact. The information provided is as follows (from left to right):
- If completion of the questionnaire is overdue, then a red flag will appear against the supplier
- The supplier name is provided along with the drill down to review the supplier profile and full information held against that supplier
- Supplier contact
- Categories assigned to the supplier, which determine the question sets. Selecting the symbol allows the categories to be viewed in list form and amended.
- Name of the division that owns the relationship with the supplier
- Name of the internal person owning the supplier relationship
- Risk rating based on the responses to the questionnaire
- Questionnaire status indicator: completed, in progress, questionnaire ready but not sent, no questionnaires
- View questionnaires link
Suppliers Overview
Provides a graphical view on how many suppliers have been added to Abriska, the number categorised, registered, those that have started and/or completed a questionnaire, the number of questionnaires reviewed, and the number where a risk decision has been made.
Controls Effectiveness
Provides on a per control basis an overview of the control effectiveness for each supplier where the control has been assessed. This is a good way to quickly see whether there are common control weaknesses across the supply base and will support deep dive reviews on specific controls.
Add New Supplier
Suppliers are considered to be resources. Here you can add the supplier’s name, any abbreviation, a description of the service being delivered, the location, the internal owner of the relationship and the division which owns the relationship. There is a freeform field for additional information. Note that additional fields can be created on this form. Customise option: at the bottom of the screen there is an option to ‘Customise’. Select this if you wish to change the default settings on the form, e.g. to make completion of a field mandatory. Whenever you add or change data, remember to click ‘submit’.