Monitoring Supplier Risk
Exporting Data and Running Reports on Supplier Risk and Related Activities
Topics About Site Configuration Parameters for Setting Up SAP Ariba Supplier Risk
Support-Enabled Site Configuration Parameters for SAP Ariba Supplier Risk
Self-Service Site Configuration Parameters for SAP Ariba Supplier Risk in Intelligent Configuration Manager
Ability to select SAP business network as the data source for assessment responses
Add issue assignees to the assignee project group only
Allow change requests
Allow decision maker to skip an assessment response
Allow engagement Project Owner groups to inherit project group membership from the template
Allow engagement requests with no supplier
Allow no-effectiveness option for control review
Allow users to create general and engagement-related findings
Allow using control effectiveness levels to evaluate residual risk by risk domain
Allow using issues to evaluate residual risk by risk domain
Calculate engagement level residual risk by risk domain
Calculate inherent risk for engagements by risk domain
Calculate supplier level inherent and residual risk by risk domain
Calculate task due date based on predecessor completion date
Create actions for control reviews and assessments
Create actions for engagement To Do and approval tasks
Define percentage-based scoring ratings and ranges for engagement questionnaires
Define point-based scoring ratings and ranges for engagement questionnaires
Define the amount of change allowed for engagement residual risk ratings
Disable participant view for supplier management questionnaires
Enable action queue
Enable advanced archiving workflow for engagement projects
Enable advanced engagement editing and canceling
Enable advanced send assessment workflow for engagement projects
Enable API updates for external modular questionnaires with any status
Enable assignee team management on issue projects
This guide is for SAP Ariba buyer users to monitor risk exposure and other risk-related data for suppliers, plus
manage engagements and risk alerts.
Buyers monitor the potential risk exposure of their current suppliers and assess the potential risk of new suppliers
before engaging with them for goods and services.
At its simplest, SAP Ariba Supplier Risk alerts can bring critical incidents to your attention. For example, if there is a
natural disaster or production facility problem that affects a key supplier, you might need to search for alternatives.
Or if a supplier is sanctioned or put on a watch list, you might need to suspend purchase orders and contracts with
that supplier to avoid legal consequences.
But SAP Ariba Supplier Risk is useful for much more than reacting to emergencies. Risk data allows you to be
proactive in your supplier management decisions by doing things like:
A supplier's risk exposure is a numerical value 1–100 that designates the supplier's level of risk, with 100 being the
riskiest and 1 the least risky. If a supplier's risk exposure shows as unknown, that means there isn't yet enough
information to calculate the exposure.
There are a number of different factors that affect a supplier's risk exposure, and those factors are weighted based
on your company's criteria. The factors include:
Note
Risk alerts less than 60 days old are used in the supplier's risk exposure calculation. It doesn't matter if they're
in the alert list or the archive list. Once the alert is 60 days old, it's no longer included in the supplier's risk
exposure calculation.
Alerts notify you of incidents that affect the supplier, and are based on news items and data about natural
disasters.
Note
SAP Ariba Supplier Risk maintains risk incidents from adverse media monitoring until they're 2 years old. At
that point, they're removed from the Alert feed tile on the Supplier Risk dashboard, the alert list, and the Risk
incidents tab in the supplier's 360° profile.
You can monitor supplier risk exposure and alerts on the Supplier Risk dashboard [page 77] and on the Risk tile in
individual supplier 360° profiles.
You can also customize the severity levels of the incidents that generate alerts [page 91] and subscribe to specific
incident alerts for specific suppliers [page 90].
Note
SAP Ariba Supplier Risk gathers data, including articles, news reports, company information, and other third-
party content, from multiple public and private service providers. This data often includes either links to
Table 1:
Business expansion | Business expansion | The business seeks out additional opportunities to increase profit including entering new markets, releasing new products, opening new plants, or hiring on a large scale. | Financial | Positive | Low
Business expansion | Challenger bank | Events and activities related to challenger banks. Banks competing with the traditional banks, often online, and prioritizing low costs for their customers. | Financial | Positive | Low
Contract | New sales contracts | Any kind of business or sales contract except corporate partnerships, ownership changes, and joint ventures. | Financial | Positive | Low
Corporate ban | Corporate ban | Any kind of ban or legal prohibition issued directly to or by a company, including sanctions, and embargoes. | Regulatory and legal | Negative | Medium
Corporate credit rating downgrade | Credit rating and downgrading of a company | A statement provided by an independent agency reflecting a decrease in the likelihood that a corporation will fully meet its financial obligations. | Financial | Negative | Medium
Corruption and bribery | Corruption | Acquiring an illicit benefit usually by bribery. | Regulatory and legal | Negative | Medium
Corruption and bribery | Embezzlement | A type of financial fraud involving the theft or misappropriation of funds placed in one's trust or belonging to one's employer. | Regulatory and legal | Negative | Medium
Corruption and bribery | Insider trading | The illegal practice of trading on the stock exchange to one's own advantage while having access to confidential information. | Regulatory and legal | Negative | Medium
Cyber security | Blockchain technology | The implementation or use of blockchain technology. | Regulatory and legal | Positive | Low
Cyber threats | Backdoor vulnerability | An undocumented portal allowing an administrator to enter a computer system to troubleshoot or do maintenance has been compromised. | Regulatory and legal | Negative | Medium
Cyber threats | Buffer overflow attack | The malicious exploitation of a feature used by a given program to store more data in a temporary storage area than it can hold. | Regulatory and legal | Negative | Medium
Cyber threats | Cyber breach | This aggregates the cyber threats incident type and all its children. It's useful if you don't need to view the sub-incidents. | Regulatory and legal | Negative | Medium
Cyber threats | Cyber espionage | A form of cyber attack used to obtain classified, sensitive data or intellectual property to gain an advantage over a competitor or government entity. | Regulatory and legal | Negative | Medium
Cyber threats | Cyber squatting | The registration, trafficking in, or use of an internet domain name with the intent to profit from the goodwill of a trademark belonging to someone else. | Regulatory and legal | Negative | Medium
Cyber threats | Cyber terrorism | The use of computers and information technology by terrorists to cause severe disruption or widespread fear. | Regulatory and legal | Negative | Medium
Cyber threats | Cyber threats | A vulnerability or malicious attempt to damage or disrupt a computer network or system. | Regulatory and legal | Negative | Medium
Cyber threats | Cybercrime | A crime that involves a computer and a network. The computer could have been used in the commission of a crime, or it could be the target. | Regulatory and legal | Negative | Medium
Cyber threats | Cyberwar | The use of computer technology to disrupt the activities of a state, especially the deliberate attacking of information systems for strategic or military purposes. | Regulatory and legal | Negative | Medium
Cyber threats | Data leak | An unauthorized disclosure of data from within an organization to an external destination or recipient. | Regulatory and legal | Negative | Medium
Cyber threats | Data privacy issues | A failure to comply with standards for the handling and protection of an organization's personal or sensitive data. | Regulatory and legal | Negative | Medium
Cyber threats | DDoS attack | A distributed denial-of-service (DDoS) attack uses multiple compromised computer systems to attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. | Regulatory and legal | Negative | Medium
Cyber threats | DNS attack | An exploit where an attacker takes advantage of vulnerabilities in the Domain Name System (DNS). | Regulatory and legal | Negative | Medium
Cyber threats | Hackers | The unauthorized access to, or control over, computer network security systems for some illicit purpose. | Regulatory and legal | Negative | Medium
Cyber threats | Hacktivism | The use of a computer system or network for a socially or politically motivated reason. | Regulatory and legal | Negative | Medium
Cyber threats | Identity theft | In the context of cyber security, the crime of using another person's personal information, credit history, or other identifying characteristics in order to make purchases or borrow money without that person's permission. | Regulatory and legal | Negative | Medium
Cyber threats | Insider threat | A malicious threat to an organization that comes from employees, former employees, contractors, or business associates who have inside information concerning the organization's security practices, data, and computer systems. | Regulatory and legal | Negative | Medium
Cyber threats | Keylogging | The use of a computer program to record every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information. | Regulatory and legal | Negative | Medium
Cyber threats | Malware threat | Malicious software designed to infiltrate and damage computers without a user's consent. | Regulatory and legal | Negative | Medium
Cyber threats | Phishing threat | A type of social engineering attack often used to steal user data, including login credentials and credit card numbers. | Regulatory and legal | Negative | Medium
Cyber threats | Poor data security | A lack of protective digital measures that are applied to prevent unauthorized access to computers, databases, and websites. | Regulatory and legal | Negative | Medium
Cyber threats | Social engineering attack | In the context of cyber security, the psychological manipulation of people into performing actions or divulging confidential information. | Regulatory and legal | Negative | Medium
Cyber threats | Spyware threat | The risk of software gathering information about a person or organization, sometimes without their knowledge. | Regulatory and legal | Negative | Medium
Cyber threats | SQL attack | A security exploit where the attacker adds Structured Query Language (SQL) code to a web form input box to gain access to resources or make changes to data. | Regulatory and legal | Negative | Medium
Cyber threats | TCP flood attack | A type of DDoS attack that exploits part of the normal Transmission Control Protocol (TCP) three-way handshake to consume resources on the targeted server and render it unresponsive. | Regulatory and legal | Negative | Medium
Cyber threats | UDP flood attack | A type of DDoS attack where the attacker overwhelms random ports on the targeted host with IP packets containing User Datagram Protocol (UDP) datagrams. | Regulatory and legal | Negative | Medium
Cyber threats | VOIP vulnerability | A security vulnerability related to the Voice Over Internet Protocol (VOIP). | Regulatory and legal | Negative | Medium
Cyber threats | Vulnerability | In the context of cyber security, the state of being exposed to the possibility of being attacked or harmed. | Regulatory and legal | Negative | Medium
Cyber threats | Web drive by | A form of malware typically found on compromised web pages. | Regulatory and legal | Negative | Medium
Cyber threats | Web server compromise | An infected web server. | Regulatory and legal | Negative | Medium
Cyber threats | Website defacement | An attack on a website that changes the visual appearance of the site or a webpage. | Regulatory and legal | Negative | Medium
Deteriorating financial situation | Credit risk | The risk of default on a debt. | Financial | Negative | Medium
Deteriorating financial situation | Financial risks | Any kind of situation that could lead to financial loss. For example, budget overrun, problems with payment, collection problems. | Financial | Negative | Medium
Environmental and social issue | Anticompetitive behavior | A position stifling or limiting free and fair competition in a market. | Environmental and social | Negative | Medium
Environmental and social issue | Anti-diversity behavior | The exclusion of people due to differences in the background, ethnicity, race, sexual orientation, and so on. | Environmental and social | Negative | Medium
Environmental and social issue | Association against unions | An effort to weaken or diminish the influence and power of labor organizations that endeavor to improve the economic status and conditions of workers. | Environmental and social | Negative | Medium
Environmental and social issue | Bonded labor | When a person is forced to work to pay off a debt and usually loses control over the conditions of both their employment and the debt. | Environmental and social | Negative | Medium
Environmental and social issue | Chemical oil spill | Any environmental disaster involving chemicals, oils, or their by-products. | Environmental and social | Negative | Medium
Environmental and social issue | Child labor violations | The illegal or exploitative employment of children in an industry or business. | Environmental and social | Negative | Medium
Environmental and social issue | Child slavery | When a child has fallen into involuntary servitude. For example, due to child trafficking, child soldiering, child marriage, and child domestic slavery. | Environmental and social | Negative | Medium
Environmental and social issue | Competitive business retaliation | A business practice that threatens competitive retaliation, restricting new entrants from entering a market. | Environmental and social | Negative | Medium
Environmental and social issue | Conflict commodities contra | The illegal practice of producing or trading natural resources extracted from a conflict zone often to perpetuate war or fighting. | Environmental and social | Negative | Medium
Environmental and social issue | Corporate waste management | Issues related to a company's treatment or disposal of the waste produced through its operations. | Environmental and social | Negative | Medium
Environmental and social issue | Data privacy risk | Practices that put at risk the protection and dissemination of personal or private information about individuals or organizations. | Environmental and social | Negative | Medium
Environmental and social issue | Disrespect of biodiversity | A failure to respect the range of ecological communities that species form. | Environmental and social | Negative | Medium
Environmental and social issue | Emissions standards breach | A breach of vehicle or industrial emissions standards that results in pollutants being released into the environment. | Environmental and social | Negative | Medium
Environmental and social issue | Employee workplace misconduct | An instance when an employee fails to exercise due care or doesn't fulfill his or her duties according to an expected standard, including an employee's violation of the company's code of conduct, and misconduct in the workplace. | Environmental and social | Negative | Medium
Environmental and social issue | Employer health safety violation | A failure of an employer to properly account for the safety, health, and comfort of its workers. | Environmental and social | Negative | Medium
Environmental and social issue | Environmental negligence | A failure to take reasonable care for the natural environment and its resources. | Environmental and social | Negative | Medium
Environmental and social issue | Evacuation | The act of moving people from a dangerous place to safety. | Environmental and social | Negative | Medium
Environmental and social issue | Female discrimination | Prejudice or discrimination affects women and girls due to their gender. | Environmental and social | Negative | Medium
Environmental and social issue | Forced labor | Coercion to work through the use of violence or intimidation. | Environmental and social | Negative | Medium
Environmental and social issue | Fraudulent business practice | Business practices that encompass fraud, misrepresentation, and oppressive or unconscionable acts or practices by business, often against consumers. | Environmental and social | Negative | Medium
Environmental and social issue | Human workplace rights negligence | A failure to support human rights and maintain a work environment that reflects respect for human rights. | Environmental and social | Negative | Medium
Environmental and social issue | Human rights concerns | Risks to the basic rights and freedoms that all humans are entitled. | Environmental and social | Negative | Medium
Environmental and social issue | Improper use and/or disposal of Persistent Organic Pollutants (POPs) and other toxic chemicals | Negligent practices involving the use, storage, and disposal of Persistent Organic Pollutants and other toxic chemicals which have the potential for harm to human health or the environment. | Environmental and social | Negative | Medium
Environmental and social issue | Inappropriate use of security forces | Failure to adequately train or instruct security forces, or failure of security forces to work in conjunction with local communities, leading to human rights abuses or security incidents. | Environmental and social | Negative | Medium
Environmental and social issue | Inexpensive clothing manufacturing | Inexpensive clothing produced and marketed to consumers in response to the latest fashion trends. | Environmental and social | Negative | Medium
Environmental and social issue | Labor rights violation | A breach of rights having to do with labor relations between workers and their employers, usually obtained under labor and employment law. | Environmental and social | Negative | Medium
Environmental and social issue | Laboratory animals negligence | Practices that don't take into account the welfare, care, and treatment of animals used in laboratory testing. | Environmental and social | Negative | Medium
Environmental and social issue | Lack of transparency in business practices | The failure of a business to be open about its goals, history, performance, operations, traceability of suppliers, and components. | Environmental and social | Negative | Medium
Environmental and social issue | Marriage of children | Generally understood to involve girls as young as 7 or 8 who are forced by their families to marry much older men. The practice exposes girls to increased health problems and violence, and perpetuates a cycle of poverty and gender inequality. | Environmental and social | Negative | Medium
Environmental and social issue | Modern slavery | The recruitment, movement, harboring or receiving of children, women or men through the use of force, coercion, deception, or other means for the purpose of exploitation. | Environmental and social | Negative | Medium
Environmental and social issue | Negative agricultural practices | Practices such as intensive animal production, overuse of antibiotics, monoculture farming, land conversion, or activities that lead to habitat loss, river and groundwater pollution, soil erosion, and such. | Environmental and social | Negative | Medium
Environmental and social issue | Negligent use and/or disposal of mercury | Negligent use of mercury and/or mercury compounds and improper treatment of mercury waste. | Environmental and social | Negative | Medium
Environmental and social issue | Negligent waste management practices | Practices that don't sufficiently ensure the sustainable management of waste such as landfill waste, off-gassing from plastic production, radioactive waste, and so on. | Environmental and social | Negative | Medium
Environmental and social issue | Packaging negligence | The use of unsustainable packaging methods, such as overpackaging, the unnecessary use of nonbiodegradable packaging, and so on. | Environmental and social | Negative | Medium
Environmental and social issue | Poor recycling practices | A failure to ensure products can be easily and economically recycled. Such practices can lead to surface water contamination, uncontrolled waste, and so on. | Environmental and social | Negative | Medium
Environmental and social issue | Poor supply chain practices | Deficiencies in an organization’s supply chain or logistics network that could lead to environmental damage, undue risk, waste costs, late or extended payment terms, and so on. | Environmental and social | Negative | Medium
Environmental and social issue | Poor water management practices | Practices, strategies, and activities that jeopardize the sustainable management of fresh water, including contamination, poor wastewater management, and the release of harmful substances into water sources. | Environmental and social | Negative | Medium
Environmental and social issue | Population contra | A failure to promote activities, practices, and programs aimed at ensuring a sustainable population. This increases pressure on the planet's resources. For example, water scarcity, land use, and an increase in carbon dioxide emissions. | Environmental and social | Negative | Medium
Environmental and social issue | Product negligence | A failure to sufficiently ensure that a product is safe and suitable. For example, lack of liability and due care, the using of dangerous substances and chemicals, unexpected side effects, and so on. | Environmental and social | Negative | Medium
Environmental and social issue | Radioactive contamination | The unintended presence of radioactive substances. | Environmental and social | Negative | Medium
Environmental and social issue | Sex trafficking | The practice of illegally transporting people from 1 country/region or area to another for the purpose of sexual exploitation. | Environmental and social | Negative | Medium
Environmental and social issue | Terrorism support | Activities supporting the goals and use of terrorism. | Environmental and social | Negative | Medium
Environmental and social issue | Transportation contra | Transport that isn't socially and environmentally sustainable, doesn't use renewable energy sources, and so on. | Environmental and social | Negative | Medium
Environmental and social issue | Unethical operations | The failure of a business to adhere to both the regulatory and ethical consideration in its operations. | Environmental and social | Negative | Medium
Environmental and social issue | Unethical practice | An action that falls outside of what is considered morally right or proper for a person, a profession, or an industry. | Environmental and social | Negative | Medium
Environmental and social issue | Unethical workplace practices | Actions that fall outside of what is considered morally right or proper for an employee, company representative, profession, or industry. | Environmental and social | Negative | Medium
Environmental and social issue | Unfair hours and wages | A failure to pay workers fairly for their time spent working or expect them to work longer hours than local legislation dictates. | Environmental and social | Negative | Medium
Environmental and social issue | Unlawful infringement of land rights | Any kind of unlawful eviction of land, such as denial of the right of ownership or land grabbing. | Environmental and social | Negative | Medium
Environmental and social issue | Unsustainable energy use | The production or use of energy resources in an unethical or unsustainable method. | Environmental and social | Negative | Medium
Environmental and social issue | Unsustainable ethical practices | Practices that don't support sustainable or ethical approaches, behavior, etc. | Environmental and social | Negative | Medium
Environmental and social issue | Unsustainable principles | Refers to practices that are exploitative, inhumane, neglectful, nontransparent, noncompliant, unsustainable, unethical, and so on. | Environmental and social | Negative | Medium
Environmental and social issue | Unsustainable product consumption | A failure to buy sustainable products and services that have a minimal impact on the environment. The growth of human population, and consumption are principal factors affecting climate change. | Environmental and social | Negative | Medium
Environmental and social issue | Unsustainable use of resources | The use of natural resources in a way that leads to their long-term decline. | Environmental and social | Negative | Medium
Environmental and social issue | Water contamination | The contamination of any kind of water body including ground water and tap water, usually as a result of human activities. | Environmental and social | Negative | Medium
Environmental and social issue | Whistleblowing and workplace retaliation | Retribution taken against an employee who complains of fraud, illegal activities, or other wrongful dealings in the workplace. | Environmental and social | Negative | Medium
Environmental and social issue | Workplace prejudices | The unfair treatment of employees based on prejudices. | Environmental and social | Negative | Medium
Environmental and social issue | Workplace training negligence | A failure to provide adequate training to staff. | Environmental and social | Negative | Medium
Ethical practice | Against modern slavery | Opposition to modern slavery. For example, human trafficking, compelled labor, coercive practices, and so on. | Environmental and social | Positive | Low
Ethical practice | Animal well-being | Practices that consider all aspects of animal well-being, including proper housing, management, nutrition, disease prevention, and treatment. | Environmental and social | Positive | Low
Ethical practice | Child labor opposition | Any initiative or event opposed to the employment of children. Especially, when illegal or considered exploitative. | Environmental and social | Positive | Low
Ethical practice | Competitive behavior | A position advocating free and fair competition in a market. | Environmental and social | Positive | Low
Ethical practice | Corruption prevention | Any initiative designed to eradicate or prevent dishonest or fraudulent conduct, typically involving bribery. | Environmental and social | Positive | Low
Ethical practice | Data privacy practices | Practices that ensure data belonging to users, such as customers, is properly handled and in a manner compliant with regulatory concerns. | Environmental and social | Positive | Low
Ethical practice | Discrimination free workplace | A workplace that shows no tolerance for the unfair treatment of employees based on prejudices. | Environmental and social | Positive | Low
Ethical practice | Diversity and inclusion in the workplace | Efforts to promote the collective mixture of differences and similarities within a workplace or team and ensure that all individuals are treated fairly and have equal access to opportunities and resources. | Environmental and social | Positive | Low
Ethical practice | Diversity inclusion | A concept encompassing acceptance and respect for an individual's ideas, viewpoints, backgrounds, and so on. | Environmental and social | Positive | Low
Ethical practice | Employee health and safety initiatives | Initiatives aimed at ensuring safety, well-being, and health at the workplace. | Environmental and social | Positive | Low
Ethical practice | Environmental best practices | Measures and strategies aimed at minimizing the impact of an activity on nature and the environment. | Environmental and social | Positive | Low
Ethical practice | Ethical compliance | The adherence of the business to both regulatory and ethical consideration in its operations. | Environmental and social | Positive | Low
Ethical practice | Ethical practices | An entity is behaving ethically. For example, using ecological, sustainable practices, promoting zero-waste, a cage-free environment, and so on. | Environmental and social | Positive | Low
Ethical practice | Ethically sourced materials | Efforts to ensure supply chains don't rely on materials that are sourced from conflict or war zones and would consequently support or prolong the conflict. | Environmental and social | Positive | Low
Ethical practice | Fair hours and wages | Any initiative aimed at obtaining or protecting workers' rights to minimum wage, overtime pay, and record keeping. | Environmental and social | Positive | Low
Ethical practice | Fair labor practices | A commitment to the fair and equitable treatment of employees. | Environmental and social | Positive | Low
Ethical practice | Fair trade | Practices that encourage companies in developed countries/regions to pay fair prices to producers in developing countries/regions. | Environmental and social | Positive | Low
Ethical practice Green product mar- The marketing of Environmental and Positive Low
keting products or serv- social
ices based on
their environmental
benefits. For exam-
ple, improvements
to the production
process, sustaina-
ble packaging, and
so on.
Ethical practice Initiatives for toxic Practices and/or Environmental and Positive Low
chemicals reduc- initiatives aiming social
tion towards the reduc-
tion or elimination
of toxic chemicals,
thereby lessening
the impact on cli-
mate, ecosystems
and biodiversity.
Ethical practice Local supplier sup- Preferential sup- Environmental and Positive Low
port port for local serv- social
ice providers and
producers, includ-
ing respect their
needs and require-
ments.
Ethical practice Opposed to com- A business prac- Environmental and Positive Low
petitive business tice that doesn't social
retaliation threaten competi-
tive retaliation, al-
lowing new en-
trants to enter a
market.
Ethical practice Opposition of child Opposition to the Environmental and Positive Low
marriage marriage of girls social
as young as 7 or
8 who are forced
by their families to
marry much older
men exposing them
to increased health
problems and vio-
lence.
Ethical practice | Opposition to terrorism | Any movement or initiative that opposes the use of terrorism. | Environmental and social | Positive | Low
Ethical practice | Packaging best practices | Efforts made to ensure products are packaged with minimal impact to the environment. For example, quantity of materials used, resources needed to transport, waste disposal, biodegradable packaging. | Environmental and social | Positive | Low
Ethical practice | Positive agriculture practices | Farming practices that produce sufficient food while respecting the environment. | Environmental and social | Positive | Low
Ethical practice | Positive business practices | An enterprise that has minimal negative impact on the global or local environment, community, society, or economy, often having progressive environmental and human rights policies. | Environmental and social | Positive | Low
Ethical practice | Positive waste management practices | Activities such as recycling, composting, reusing, and reducing waste that help to minimize the amount of waste. | Environmental and social | Positive | Low
Ethical practice | Pro labor rights | Promoting the rights of workers. For example, pay, benefits, and safe working conditions. | Environmental and social | Positive | Low
Ethical practice | Quality manufacturing | Practices ensuring quality manufacturing to lengthen the life of the garment encouraging slower production schedules, fair wages, lower carbon footprints, and ideally zero waste. | Environmental and social | Positive | Low
Ethical practice | Recycling best practices | Efforts made to ensure products can be easily and economically recycled, or products that already use recycled materials. | Environmental and social | Positive | Low
Ethical practice | Sustainable use of resources | The use of natural resources in a way that doesn't lead to their long-term decline, maintains their potential to meet the needs of a society, and limits the impact on the environment. | Environmental and social | Positive | Low
Ethical practice | Responsible purchasing practices | All purchasing processes follow ethical and sustainable principles and show respect for society and the environment. | Environmental and social | Positive | Low
Ethical practice | Retaliation free workplace | An effort to provide a working environment where employees don't fear any punishment or negative consequences due to their participation in legally protected activities such as whistleblowing. | Environmental and social | Positive | Low
Ethical practice | Startup friendly | Welcoming or accommodating to young, newly established businesses. | Environmental and social | Positive | Low
Ethical practice | Support of emission standards | Efforts to lower the amount of carbon dioxide and greenhouse gases created by productive activities. | Environmental and social | Positive | Low
Ethical practice | Support of human and workplace rights | Promotion and support of human rights; a work environment that reflects a respect for human rights. | Environmental and social | Positive | Low
Ethical practice | Support of unions | Support for organized associations of workers with the aim of improving their economic status and working conditions. | Environmental and social | Positive | Low
Ethical practice | Supportive of training | Promotion of ongoing education and training of employees. | Environmental and social | Positive | Low
Ethical practice | Sustainable principles | Refers to responsibility, sustainability, transparency, inclusion, sound environmental or ethical practices, and so on. | Environmental and social | Positive | Low
Ethical practice | Sustainable and ethical practices | Any positive position related to sustainable and ethical practices. | Environmental and social | Positive | Low
Ethical practice | Sustainable communities | Any positive initiative to promote sustainable communities with a focus on urban infrastructure, social equity, local government, environmental and economic sustainability. | Environmental and social | Positive | Low
Ethical practice | Sustainable energy use | The principle where human use of energy meets the needs of the present without compromising the ability of future generations, while also using ethical and sustainable methods to deliver the energy. | Environmental and social | Positive | Low
Ethical practice | Sustainable innovation and R&D | Research and development that takes into account environmental, social, ethical, and economic concerns. | Environmental and social | Positive | Low
Ethical practice | Sustainable product consumption | The use of products and services that have a minimal impact on the environment. | Environmental and social | Positive | Low
Ethical practice | Sustainable product development | Ethically based product development and production practices that provide environmental, social, and economic benefits while protecting public health and environment over their whole life cycle. | Environmental and social | Positive | Low
Ethical practice | Sustainable supply chain | A supply chain or logistics network that is ethically based and sustainable in terms of its impact on the environment, waste, and so on. | Environmental and social | Positive | Low
Ethical practice | Sustainable transportation | Transport that is socially and environmentally sustainable, uses renewable energy sources, and so on. | Environmental and social | Positive | Low
Ethical practice | Water conservation and protection | All practices, strategies, and activities to sustainably manage the natural resource of fresh water. | Environmental and social | Positive | Low
Financial penalty | Financial penalty | A fine that a corporation must pay as a result of breaking a law, regulation, or terms of a contract. | Financial | Negative | Medium
Geopolitical issue | Border issues | Any incident occurring around a country/region border such as disputes, provocations, attacks, intrusions, strikes, or closures. | Operational | Negative | Low
Geopolitical issue | Car bombing | The act of deliberately detonating an explosive device with the use of a car. | Operational | Negative | Low
Geopolitical issue | Civil disobedience | The refusal to comply with certain laws considered unjust, usually as a nonviolent form of political protest. | Operational | Negative | Low
Geopolitical issue | Credit rating downgrade of a country/region | A statement provided by an independent agency reflecting a decrease in the likelihood that a country/region will fully meet its financial obligations. | Operational | Negative | Low
Geopolitical issue | Hate crime | A crime that occurs when a perpetrator targets a victim or group of victims belonging to a certain social group or race. | Operational | Negative | Low
Geopolitical issue | Militant incident | Any violent act in support of a political or social cause. | Operational | Negative | Low
Geopolitical issue | Spy affair | An event that could involve some form of espionage and was publicized. | Operational | Negative | Low
Geopolitical issue | Suicide bombing | Any violent attack where the attacker expects their own death as well as the death of others. | Operational | Negative | Low
Geopolitical issue | Terrorist bombing | Any bomb incident possibly related to terrorism. | Operational | Negative | Low
Illegal trade | Human organ trafficking | The illegal trade of human organs, tissues, or other body parts. | Regulatory and legal | Negative | Medium
Illegal trade | Human trafficking | The practice of illegally transporting people from 1 country/region or area to another, typically for the purposes of forced labor or commercial sexual exploitation. | Regulatory and legal | Negative | Medium
Illegal trade | Illegal trade | The action of buying and selling prohibited goods and services. | Regulatory and legal | Negative | Medium
Illegal trade | Women trafficking | The recruitment, transportation, transfer, harboring, or receipt of women and girls for the purpose of slavery, forced labor, and sexual exploitation. | Regulatory and legal | Negative | Medium
Intellectual property infringement | Copyright violations | The use of works protected by copyright law without permission. | Regulatory and legal | Negative | High
Intellectual property infringement | Intellectual property infringement | The violation of an intellectual property right. For example, copyrights, patents, trademarks, and so on. | Regulatory and legal | Negative | High
Intellectual property infringement | Patent infringement | The use of a patented invention without permission from the patent holder. | Regulatory and legal | Negative | High
Intellectual property infringement | Trademark infringement | The unauthorized use of a trademark to promote competing goods and services. | Regulatory and legal | Negative | High
International sanctions | International sanctions | The imposition of commercial and financial penalties by one or more countries/regions against a targeted self-governing state. | Regulatory and legal | Negative | High
Joint ventures partnership | Corporate partnerships | Any kind of partnership between a company and any other organization. For example, another company or university. | Financial | Positive | Low
Joint ventures partnership | Joint ventures | A business entity created by two or more parties, generally characterized by shared ownership, returns and risks, and governance. | Financial | Positive | Low
Labor issue | General strike | Strike action where a substantial proportion of the total labor force in a city or country/region participates. | Operational | Negative | Low
Labor issue | Human rights violations | The abuse, neglect, or denial of basic human rights, including civil, political, cultural, social, and economic rights. | Operational | Negative | Low
Labor issue | Labor dispute | Strike action or industrial action undertaken by labor unions. | Operational | Negative | Low
Legal issue | Accused | An entity blaming or being blamed by another entity for something illegal or wrong. | Regulatory and legal | Negative | Medium
Legal issue | Arbitration | A proceeding where a dispute is resolved by an impartial adjudicator outside the courts. | Regulatory and legal | Negative | Medium
Legal issue | Boycott | The nonviolent, intentional, and coordinated abstinence from any kind of dealings with a person, company, organization, or country/region. Usually arranged as a form of protest mainly for moral, environmental, or political reasons. | Regulatory and legal | Negative | Medium
Legal issue | Company is subject of corporate lawsuit | Any case where a given company is the subject of legal proceedings taken by another company. | Regulatory and legal | Negative | Medium
Legal issue | Complaints | A statement highlighting an issue or expressing criticism. | Regulatory and legal | Negative | Medium
Legal issue | Corporate crime | A crime committed either by a corporation, or by individuals acting on behalf of a corporation, or other business entity. | Regulatory and legal | Negative | Medium
Legal issue | Corporate lawsuit against another company | Any case where a given company is taking legal proceedings against another. | Regulatory and legal | Negative | Medium
Legal issue | Corporate lawsuits | The entire process of a company issuing a lawsuit against another company or vice versa. | Regulatory and legal | Negative | Medium
Legal issue | Counterfeiting | An imitation made with the intent to deceive. | Regulatory and legal | Negative | Medium
Legal issue | Criminal procedure | Any step within the criminal procedure taken against the entity of interest. | Regulatory and legal | Negative | Medium
Legal issue | Expropriation | When a country/region or government seizes the property rights of an individual. | Regulatory and legal | Negative | Medium
Legal issue | Extortions | The practice of obtaining something, especially money, through the use of force or threats. | Regulatory and legal | Negative | Medium
Legal issue | Feud | A prolonged and bitter quarrel or dispute between 2 individuals, groups, societies, or companies. | Regulatory and legal | Negative | Medium
Legal issue | Fraud and forgery | Any kind of deception, scam, or deceit. Forgery involves a false document, signature, or other imitation of an object of value used with the intent to deceive another. Those who commit forgery are often charged with the crime of fraud. | Regulatory and legal | Negative | Medium
Legal issue | Racket | An organized criminal act to earn illegal or extorted money regularly or briefly but repeatedly. | Regulatory and legal | Negative | Medium
Legal issue | Ransom | The practice of holding a person or item with the aim to extort money or property in exchange for their release. | Regulatory and legal | Negative | Medium
Natural disaster | Drought and heat wave | A period of several days to weeks of abnormally hot weather that is often associated with droughts. | Operational | Negative | High
or aftershock of the earth's surface.
Natural disaster monitoring provided by Global Disaster Alert and Coordination System (GDACS)
Natural disaster | Earthquake eruption tsunami | Any tremor, shock, or aftershock of the earth's surface. | Operational | Negative | High
flow of water (usually of rivers and sea) that submerges land that is usually dry.
Natural disaster monitoring provided by Global Disaster Alert and Coordination System (GDACS)
Natural disaster | Landslide and avalanche | A large mass of snow, rocks, mud, or debris suddenly detaching from a mountain or hillside. | Operational | Negative | High
Natural disaster | Plant pests and diseases | Agricultural viruses and diseases or insects that endanger plant life or agricultural harvest. | Operational | Negative | High
Natural disaster | Wild and forest fire | An uncontrolled fire occurring in woodland areas (bush fire, desert fire, grass fire, forest fire), that can also consume houses or agricultural resources. | Operational | Negative | High
Open banking | White label banking | The implementation or use of White Label Banking enables banks to implement or use the products developed or manufactured by other suppliers as their own. | Financial | Positive | Low
Operational disruption | Shut down | Any kind of stoppage or suspension. | Operational | Negative | Medium
Operational disruption | Stop work order | A formal notice issued by a client or government authority to stop or halt work. | Operational | Negative | Medium
Ownership change | Acquisition of another company | Any case where a company is acquiring another company. | Financial | Negative | Medium
Ownership change | Asset sales | The sale of assets by a company to increase cash flow, reduce bad debt risk, and liquidate assets. | Financial | Negative | Medium
Ownership change | Buying selling stake | The purchase or sale of a stake that affects the ownership of a company. | Financial | Negative | Medium
Ownership change | Mergers and acquisitions | Two existing companies unite into one new company, or one company gains control of another one by purchasing most or all of the shares. | Financial | Negative | Medium
Ownership change | Selling stake | The selling of a sufficiently large equity stake in a company. | Financial | Negative | Medium
Price increase | Price increase | The price increase of goods and services, excluding stock prices. | Financial | Negative | Low
Product issue | Offlabel promotion | Any case of off-label promotion or inappropriate marketing. For example, not complying with the regulations. | Operational | Negative | Medium
Product issue | Quality issues | Any defects, deficiencies, or questionable variations in the quality of a product. | Operational | Negative | Medium
Product issue | Supplier problems | Any issue that a company can have with a supplier. | Operational | Negative | Medium
Project issue | Project failure | All cases where a project, agreement, or contract is refused, rejected, or canceled. | Operational | Negative | Medium
Public health | Dangerous gene mutations | A change in genetic material (DNA) that results in severe negative consequences on the health of the organism. | Environmental and social | Negative | Low
Public health | Food poisoning | All cases of contaminated or poisoned food. | Environmental and social | Negative | Low
Regulatory compliance issue | Conflict commodities | A high-value resource taken from an area of armed conflict and traded illicitly to finance the fighting or other illegal operations. | Regulatory and legal | Negative | High
Regulatory compliance issue | Conflict of interest | A situation where a person or organization has multiple interests, financial or otherwise, and serving one interest could work to the detriment of the other. | Regulatory and legal | Negative | High
Regulatory compliance issue | Debarment | When a company's activities have been restricted due to allegations of fraud, mismanagement, and similar improprieties. | Regulatory and legal | Negative | High
Regulatory compliance issue | Dodd Frank Act | A United States of America federal law that places regulation of the financial industry into the hands of the government. | Regulatory and legal | Negative | High
Regulatory compliance issue | Emerging danger | A newly developing or changing risk that could have a major impact. | Regulatory and legal | Negative | High
Regulatory compliance issue | Fraudulent financial reporting | The intentional misrepresentation of a company's financial statements with the intent of distorting its actual operating performance and profitability. | Regulatory and legal | Negative | High
Regulatory compliance issue | Hit by | An entity is faced with a new negative challenge or situation. | Regulatory and legal | Negative | High
Regulatory compliance issue | Illegal | An act or object that is forbidden by law, especially criminal law. | Regulatory and legal | Negative | High
Regulatory compliance issue | Industrial espionage | The illegal and unethical theft of trade secrets for use by a competitor to achieve a competitive advantage. | Regulatory and legal | Negative | High
Regulatory compliance issue | Information leak | An unintended loss of information from an organization, usually occurring as a result of employees passing information to others either deliberately or accidentally. | Regulatory and legal | Negative | High
Regulatory compliance issue | Inspection | The act of looking at something carefully, or an official visit to a building or organization to check that everything is up to a standard prescribed by a given authority. | Regulatory and legal | Negative | High
Regulatory compliance issue | Investigation | The act of formally and systematically inquiring into something or someone. | Regulatory and legal | Negative | High
Regulatory compliance issue | Law violation | An action that breaks a law, agreement, principle, or something that should be treated with respect. | Regulatory and legal | Negative | High
Regulatory compliance issue | Legal actions | The process of engaging the legal system to settle an argument or dispute. | Regulatory and legal | Negative | High
Regulatory compliance issue | License withdrawal | A governing authority or regulator withdraws, suspends, revokes, or refuses to issue a license. For example, a bank or commercial license. | Regulatory and legal | Negative | High
Regulatory compliance issue | Money laundering | Concealing the transformation of profits from illegal activities and corruption into ostensibly "legitimate" assets. | Regulatory and legal | Negative | High
Regulatory compliance issue | Nepotism | The practice of favoritism by someone in a position of power based on either kinship or friendship. | Regulatory and legal | Negative | High
Regulatory compliance issue | Regulatory compliance issues | Issues or potential violations in a company's ability to adhere to the laws, regulations, guidelines, and specifications relevant to its business. This can include any and all violations, infringements, discriminations, unethical practices, or fraud. | Regulatory and legal | Negative | High
Regulatory compliance issue | Reputation risk | Any activity that could lead to a damaged reputation. | Regulatory and legal | Negative | High
Regulatory compliance issue | Sabotage | A deliberate action aimed at destroying, damaging, or obstructing something. | Regulatory and legal | Negative | High
Regulatory compliance issue | Sanctions violations | Attempts by a company to bypass or negate the sanctions imposed on a country/region by other countries/regions. | Regulatory and legal | Negative | High
Regulatory compliance issue | Sarbanes Oxley | A United States of America federal law that sets new or expanded requirements for all USA public company boards, management, and public accounting firms. | Regulatory and legal | Negative | High
Regulatory compliance issue | Tax evasion | The illegal avoidance of taxes by individuals, corporations, and trusts. | Regulatory and legal | Negative | High
Regulatory compliance issue | Whistleblower | A person who informs on a person or organization regarded as engaging in an unlawful or immoral activity. | Regulatory and legal | Negative | High
Regulatory compliance issue | Workplace discrimination | The unfair treatment of employees based on prejudice against age, race, disability, gender, religion, or sexual orientation. | Regulatory and legal | Negative | High
Regulatory compliance issue | Workplace safety negligence | Any instance showing that a company has been negligent and not provided due care for the health and safety of its workers. | Regulatory and legal | Negative | High
Sanctioned countries/regions | Cuba sanctions | An entity has a direct or indirect relationship with the sanctioned country/region of Cuba. | Regulatory and legal | Negative | High
Sanctioned countries/regions | Iran sanctions | An entity has a direct or indirect relationship with the sanctioned country/region of Iran. | Regulatory and legal | Negative | High
Sanctioned countries/regions | North Korean sanctions | An entity has a direct or indirect relationship with the sanctioned country/region of North Korea. | Regulatory and legal | Negative | High
Sanctioned countries/regions | Sanctioned countries/regions | An entity has a direct or indirect relationship with the listed sanctioned country/region. | Regulatory and legal | Negative | High
Sanctioned countries/regions | Sudan sanctions | An entity has a direct or indirect relationship with the sanctioned country/region of Sudan. | Regulatory and legal | Negative | High
Sanctioned countries/regions | Syria sanctions | An entity has a direct or indirect relationship with the sanctioned country/region of Syria. | Regulatory and legal | Negative | High
Sanctioned countries/regions | Venezuela sanctions | An entity has a direct or indirect relationship with the sanctioned country/region of Venezuela. | Regulatory and legal | Negative | High
Sanctions and watchlists | Sanctions | By Risk Category Information API for Supplier Risk Exposure: The API imports external sanction and watchlist compliance data. | Regulatory and legal | Negative | High
Sanctions and watchlists | Watchlists | By Risk Category Information API for Supplier Risk Exposure: The API imports external sanction and watchlist compliance data. | Regulatory and legal | Negative | High
Transportation issue | Air traffic problems | Any disruption to air traffic including strikes, cancellations, and so on. | Operational | Negative | Low
Transportation issue | Air traffic security risk | Any security related risk to air traffic such as a ban on flights over a country/region, volcanic ash alerts, bomb threats, and so on. | Operational | Negative | Low
Transportation issue | Maritime security risk | Any misfortune involving waterborne transport including maritime and inland waterway transport. | Operational | Negative | Low
Transportation issue | Modern piracy | The act of boarding any vessel with intent to commit theft or any other crime. | Operational | Negative | Low
Related Information
These steps use findings to address risks raised in engagements. Depending on your site's configuration, you use
either findings or issue management projects to accomplish this task. Findings can include collaboration with both
the supplier and internal team members, while issues are always internal.
1. Add suppliers. | Suppliers are added to your site in one of the following ways: • An administrator imports supplier data to add suppliers to your site. • Suppliers are added to your site through synchronization with an integrated ERP system. • If your organization manages suppliers using SAP Ariba Supplier Lifecycle and Performance or SAP Ariba Supplier Information and Performance Management (new architecture), requesters can add suppliers to your site manually using supplier requests, as part of the supplier creation and onboarding process. | • Supplier data import: Supplier Risk Data Import • Internal Supplier Requests | • Supplier requests: Supplier Request Project Setup • ERP integration: Prerequisites and Restrictions and Configuring Supplier Data Integration in Your SAP Ariba Site
2. Analyze abstract risk. | Use third-party data and abstract risk analysis tools to assess the risk exposure of your suppliers. You can obtain this data in the following ways: • Default providers in SAP Ariba Supplier Risk. • Additional licensed providers in SAP Ariba Supplier Risk. • Risk Category Information API for Supplier Risk Exposure | Topics About Monitoring Overall Risk and Managing Alerts [page 77] | • Default providers: Setting the Data Sources Used in Risk Exposure Calculations • Additional licensed providers: Registering a Third-Party Provider License • Import of custom field and compliance data: Risk Category Information API for Supplier Risk Exposure
3. Review risk exposure. | Use the Supplier Risk dashboard to identify suppliers with a high risk exposure. | Supplier Risk Dashboard [page 77] | Topics About Configuring Risk Exposure
5. (Optional) Address a concrete risk without an engagement request. | Create general findings to explore detected risks without requesting an engagement with the supplier, and formulate a response. | Creating a Finding [page 303] | Setting Up Your Site to Allow Users to Create and Manage Findings
6. Request engagements with selected suppliers to identify and mitigate risks. | Create engagement requests to identify inherent and residual risks and the applicable risk controls, and to collect information on whether the controls are effective. | Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140] | Setting Up Engagement Risk Assessment Projects. Use engagement attribute mappings, engagement control mappings, and risk control definitions to include the standard human rights self-assessment questionnaire (SAQ) as an engagement assessment: Understanding the Components of the Control-Based Risk Assessment Process
7. Obtain additional information from suppliers. | Use the following options to get specific risk-related information from the suppliers as part of the engagements: | • Standard human rights self-assessment questionnaire (SAQ): Supplier Self-Assessments | • Import of self-assessment questionnaire: Setting Up a Modular Questionnaire to Import Sup-
8. Address concrete risks. | When you've identified a concrete risk, address it by creating a finding that's associated with the engagement request or one of its risk controls. | Creating a Finding [page 303] | Setting Up Your Site to Allow Users to Create and Manage Findings
9. Collaborate on findings. | Work together with internal and external parties to analyze the finding and formulate a response. | • Working with Findings • Managing Team Members | Setting Up Your Site to Allow Users to Create and Manage Findings
10. Review supplier residual risk scores. | When an engagement request is finally approved, it generates a residual risk rating. Finding results are used in residual risk calculations if your site is configured to include them. | • About Residual Risk for Control-Based Engagement Risk Assessments [page 136] • Engagement Risk Information in a Supplier's 360° Profile [page 106] | • About Engagement-Level Residual Risk • Configuring Residual Risk Calculations by Risk Domain
11. Review risk exposure for the suppliers. | If your site calculates residual risk by risk domain, completed engagement requests contribute to the supplier's risk exposure. | N/A | Including residual risk ratings in risk exposure requires mapping between risk domains and risk categories: Mapping Engagement Risk Domains for Risk Exposure
12. Periodically monitor and review. | Use periodic reviews to keep tabs on engagement risk and controls. | • How to Process a Periodic or Ad Hoc Review for an Engagement [page 250] | • Adding Periodic and Ad Hoc Review to the Engagement Workflow
13. Use risk exposure in procurement processes. | Supplier risk exposure can be included in: • Buying activities in guided buying. • Sourcing activities in guided sourcing. • Relevant processes in SAP S/4HANA. | • Guided buying: Mitigating Risk for Non-Catalog Purchases. • Guided sourcing: Viewing Supplier Risk Information from the Event Monitoring Page | Use the Risk Exposure API to add risk exposure information in SAP S/4HANA: Risk Exposure API
14. Run regular reports. | Use reports and data exports available in SAP Ariba Supplier Risk to analyze and drill down into supplier risk. | • Exporting Data and Running Reports on Supplier Risk and Related Activities [page 307] | For analytical reporting: Creating Analytical Reports. For APIs: SAP Ariba APIs
The SAP Ariba Supplier Risk user interface has accessibility features to enable people with special needs to access
content and perform various tasks.
SAP Ariba has enhanced the accessibility of SAP Ariba Supplier Risk with the goal of eventually reaching adherence
with the Web Content Accessibility Guidelines (WCAG). The accessibility features include keyboard shortcuts,
screen reader functionality, color contrast, and tooltips.
• User interface elements are accurately labeled to ensure the users know what information can be entered in
the fields.
• User interface pages have titles that describe the purpose of the page/topic, helping the users to navigate
through the application.
• Tooltips are available for the user interface elements such as icons and graphics.
• Page elements now meet minimum contrast settings, which help users with disabilities see different page
sections and controls more clearly.
• Screen readers can now recognize and read more information for user interface elements.
• You can choose Show results or Close results to see and close the search results when searching and
selecting regions, commodity, or department.
Screen Readers
Note
Other screen reader programs can work but aren't officially tested by SAP Ariba.
Pages
SAP Ariba continues to enhance the accessibility of SAP Ariba Supplier Risk with the goal of eventually reaching
adherence with the Web Content Accessibility Guidelines (WCAG).
Keyboard Shortcuts
You can use the following keyboard shortcuts to navigate some of the user interface.
General Shortcuts
Shift + Tab | To navigate to the previous user interface element on the page.
Up arrow | Moves the focus to the same day of the week but for the previous week.
Down arrow | Moves the focus to the same day of the week but for the next week.
Tab
Space bar or Enter | Opens the date picker and selects the date.
Reporting One or More Adverse Media Risk Incidents for Feedback [page 89]
Configuring Risk Incident Severity Levels and Email Notifications [page 91]
The Supplier Risk dashboard provides a high-level view of risk levels for your followed suppliers, to give you an
overall picture of the risk profile of your supplier base. You can use it as a starting point to identify and focus on
trends and recent activities of interest or concern. It includes several components:
• A Search bar, where you can search for all of your company's suppliers that have been added to SAP Ariba
Supplier Risk, whether or not you’re currently following (getting alerts for) them. In the search results, a green
check mark under the Follow column means you're following (getting alerts for) that supplier. A red X
means you aren't following (getting alerts for) that supplier. You can check the box to follow or unfollow a
supplier. By default, the suppliers listed here are active in SAP Ariba Supplier Management solutions. You can
filter this list to show inactive suppliers by selecting Inactive suppliers from the dropdown list labeled Active
suppliers. This displays inactive suppliers in the list and changes the dropdown label to Inactive suppliers.
• An Actions tile, visible if the action queue [page 124] feature is enabled in your site and if you have open
approvals, To Do tasks, or other actions for engagement projects that you're assigned to either as an individual
or as a member of a project group. Clicking on the Actions tile opens the action queue.
• A Controls tile, visible in sites in which the Action queue and periodic review of risk controls features are
enabled, shows the number of controls for which you belong to the decision maker group. Clicking on the
Controls tile takes you to the Controls list page [page 206], where you can see the expiration date, status, and
other information about each control. From there, you can open a control and work with it using the Control
details page [page 208].
Note
The map and list of suppliers are collapsed by default. To expand the map, click the right-facing arrow
icon next to Show map on the dashboard.
Note
The interactive map on the Supplier Risk dashboard shows city names in different languages if you follow
suppliers from different regions. The languages come from the third-party provider, not your locale setting.
• A dropdown that allows you to specify one or more industries to display on the map. In addition to filtering
the map by industry, this dropdown also indicates the number of suppliers you have in each industry.
Industries in this list include industry name and NAICS code. If you select more than one industry, all
selected industries are reflected on the map. The number appearing in the dropdown label indicates how
many industries are selected. For example, if you select three industries in the dropdown, the dropdown
label changes to Industry (3).
Color Description
Gray Risk is present in the country/region, but the level of risk is negligible
Color coding of map regions reflects the filters applied to the map. If the dropdown displays All risk types, the
color coding indicates exposure based on all risk types.
Note
If the parameter to remove WEF country/region risk [page 391] has been enabled, the map shows the
number of your active suppliers in each country/region instead of the country/region risk levels.
When you click Apply, the map displays the number of suppliers in the selected industry with the specified risk
level that are present in each country/region, based on what you selected in the dropdowns.
You can click on the map to zoom in, allowing you to view more specific geographical areas. At the most
specific levels, rather than displaying a number of suppliers, the map displays a pin for each supplier. Pins are
color coded to indicate risk level using the same color scheme as the map.
Clicking a supplier's pin on the map opens a popup describing that supplier. This popup includes the name and
location information for the supplier, potential risk exposure, and a link to the supplier 360° profile page.
• A supplier table located directly beneath the interactive map. This table lists information about the active
suppliers currently displayed on the map.
Note
This table isn't the same as the supplier search table that displays search results when you use the Search
bar. The supplier Search results displayed from the Search bar aren't tied to the interactive map.
The table under the interactive map includes each supplier's company name, location, the risk exposure for the
country/region, and the supplier's potential risk exposure, a supplier-specific risk exposure for the specified
industry. All columns can be filtered, and by default the table is organized according to risk exposure. If you
wish to submit one or more displayed suppliers for risk evaluation, you can check their checkboxes in the
Select column and then click Submit for risk evaluation at the foot of the table.
Note
You can also submit suppliers for risk evaluation from the supplier search page.
Note
The supplier's country/region rankings won't be in the columns under the map if the parameter to remove
WEF country/region risk [page 391] has been enabled.
Note
Enriched corporate information is only available in the full SAP Ariba Supplier Risk solution.
In supplier search results, the supplier table below the interactive map, and the tiles of the Engagement Requests
area, you can perform the following actions:
In the supplier search results and the table below the interactive map, you can submit suppliers for risk evaluation
by checking their Select checkboxes and then clicking Submit for risk evaluation.
Related Information
Note
The full list of languages in which adverse media articles are presented:
• Chinese (simplified)
• English
• French
• German
• Italian
• Korean
• Portuguese
Note
Risk incidents from adverse media monitoring are maintained until they are 2 years old.
In order to see alerts for a supplier in the alert list, you must follow the supplier [page 90].
To access the alert list, click the Go to alerts link in the Alert feed tile on the Supplier Risk dashboard.
The alert list shows summary information, and allows you to open detailed information for each alert. You can filter
the list by supplier, severity, incident type, date range, location, and other criteria [page 85].
Note
SAP Ariba Supplier Risk gathers data, including articles, news reports, company information, and other third-
party content, from multiple public and private service providers. This data often includes either links to
third-party websites where the information is available or “inverse” links that bring the third-party data into SAP
Ariba Supplier Risk. SAP Ariba believes the sources of information to be reliable but has no control over any
aspect of these third-party sites, including accuracy, timeliness, products promoted, data collection policies, or
potential for distribution of computer viruses. SAP Ariba does not review content from third-party providers;
the information may contain errors and is provided to help with further research.
Alert Summaries
Alert summaries include the incident type, severity, risk category, the supplier's company name, location
information, an indicator for whether or not you've flagged the alert, the date of the last alert included in the
summary (Last update), whether the incident is positive or negative, and the number of alerts represented by the
summary (Count).
If a supplier has alerts for more than 1 incident type, those alerts are listed in separate lines on the list. You can see
all of a supplier's alerts by sorting the list by company name [page 88], or by filtering the list by company [page
85].
Incidents in the alert list are collapsed by default. You can expand an incident to see details about relevant articles
by clicking the right-facing arrow icon in the Details column for the desired incident. To collapse an expanded
incident, click its down-facing arrow icon in the Details column.
The Count column and the Risk summary in the Details on the alert list include the number of times the incident
type is indicated for the current supplier. These could all refer to the same incident, or they could refer to multiple
incidents of the same type.
Alert Details
You can view details of all of the alerts in an alert summary by clicking the right-facing arrow under the Details
column.
If a new alert with the same incident type appears within 7 days of the most recent previous alert for a supplier, it's
added to the current alert summary. If more than 7 days go by and a new alert of the same incident type appears,
it's added to a new alert summary.
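The 7-day grouping rule above, worked through as an added example (not SAP Ariba code). It assumes alerts arrive as (supplier, incident type, date) tuples and that "within 7 days" includes exactly 7 days; the supplier and incident type names are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# From the text: a new alert joins the current summary if it arrives within
# 7 days of the most recent previous alert of the same incident type.
GROUPING_WINDOW = timedelta(days=7)


def build_alert_summaries(alerts):
    """Group (supplier, incident_type, day) tuples into alert summaries.

    Returns a list of dicts carrying the Count and Last update of each
    summary, ordered by supplier, incident type and date.
    """
    days_by_key = defaultdict(list)
    for supplier, incident_type, day in alerts:
        # Different incident types for one supplier are separate lines.
        days_by_key[(supplier, incident_type)].append(day)

    summaries = []
    for (supplier, incident_type), days in sorted(days_by_key.items()):
        days.sort()
        current = [days[0]]
        for day in days[1:]:
            # Compare against the latest alert in the summary, not the first,
            # so a steady trickle of alerts keeps extending one summary.
            if day - current[-1] <= GROUPING_WINDOW:
                current.append(day)
            else:
                summaries.append(_summary(supplier, incident_type, current))
                current = [day]
        summaries.append(_summary(supplier, incident_type, current))
    return summaries


def _summary(supplier, incident_type, days):
    return {
        "supplier": supplier,
        "incident_type": incident_type,
        "count": len(days),
        "first_alert": days[0],
        "last_update": days[-1],
    }


# Constructed sample data; supplier and incident type names are made up.
SAMPLE_ALERTS = [
    ("Example Supplier A", "Lawsuit", date(2024, 3, 1)),
    ("Example Supplier A", "Lawsuit", date(2024, 3, 5)),
    ("Example Supplier A", "Lawsuit", date(2024, 3, 12)),  # exactly 7 days later
    ("Example Supplier A", "Lawsuit", date(2024, 3, 20)),  # 8 days later
    ("Example Supplier A", "Labor strike", date(2024, 3, 6)),
]

if __name__ == "__main__":
    for row in build_alert_summaries(SAMPLE_ALERTS):
        print(row)
```

Because each alert is compared with the previous one, the first Lawsuit summary spans 11 days even though the window is 7.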
Related Information
SAP Ariba Supplier Risk monitors GDACS and sends alerts for natural disasters based on the event (earthquake,
flood, tropical cyclone), the location of the event, and the severity of the event.
While monitoring GDACS, SAP Ariba Supplier Risk identifies the impacted suppliers using geolocation. For
earthquakes, alerts are sent for any suppliers within 100 kilometers of the natural disaster. For floods and tropical
cyclones, a formula is used that involves the supplier's address and the event location.
GDACS natural disaster alerts appear in the Alert feed tile on the Supplier Risk dashboard and the alert list.
An email notification is sent at the time of the event to users following any impacted suppliers.
Tip
Adverse media monitoring is provided by default provider Semantic Visions, not GDACS.
Adverse media identifies risk incidents based on supplier activity reported in the news, not the geographic
location of the supplier.
Wild and forest fires are an example of a natural disaster event from adverse media monitoring, not GDACS.
If there's news from adverse media about a fire in a country/region and a supplier is mentioned in the article
related to the news, any user following that supplier receives an alert and/or an email notification in the 4:00
a.m. EST daily email notification.
For a detailed listing of the adverse media natural disaster incidents provided by Semantic Visions, filter the
risk alert incident types table [page 12] using the natural disaster incident type. The descriptions for the
Adverse media natural disaster alerts from Semantic Visions appear in the Alert feed tile on the Supplier Risk
dashboard and the alert list.
Adverse media uses the incident model for risk exposure calculation.
The natural disaster alerts from adverse media can be configured [page 91] like other adverse media incident
types.
Semantic Visions uses the address of the supplier that was provided when the supplier was imported into the
SAP Ariba Supplier Risk system. For enriched suppliers, adverse media uses the enriched legal name and the
Tradestyle names.
Note
Enriched corporate information is only available in the full SAP Ariba Supplier Risk solution.
Risk Exposure
Natural disasters from GDACS contribute to the supplier model for risk exposure calculation.
Natural disasters from GDACS are set as a contributing factor to risk exposure by default.
A Supplier Risk Manager user can choose to make GDACS natural disasters a non-contributing factor to risk
exposure by removing the check mark for Natural disasters on the Data sources tab of the configuration editor.
For more information about the configuration editor, see Risk Exposure Configuration Interface.
If you make the GDACS events a non-contributing factor to risk exposure, the monitoring of natural disaster events
by GDACS will still continue. Users following suppliers who are affected by earthquakes, floods, or tropical cyclones
will continue to receive alerts in the Alert feed on the Supplier Risk dashboard, in the alert list, and by email
notification.
Natural disasters from GDACS are contributing factors to the operational category.
If the natural disaster alert impacts the supplier’s risk exposure, it appears in the supplier’s 360° profile on the Risk
exposure tab in the operational risk category.
GDACS natural disasters have a preset weight setting for the risk exposure. You can't change the weight setting.
The severity setting for GDACS alerts is provided by GDACS based on the severity of the natural disaster. You can’t
change the severity setting for GDACS alerts.
If a disaster keeps generating more alerts after the event, the system looks back on all of the alerts generated (reds
less than 15 days, oranges less than 7 days, and greens less than 2 days) and uses the highest severity of the alerts
for the risk exposure.
If a disaster lasts 2 weeks, for example a hurricane, you'll receive red alerts daily. Because the event is less than 15
days old, the risk exposure never changes. The risk exposure lowers once the event falls outside of the time frame for
its severity in the table. If the red event still exists after 13 days and the disaster changes from red to orange, the
status is still red because the highest exposure is used. As soon as the red alert is more than 15 days old, the event
becomes orange, if no other red events happen for the hurricane between days 13 and 15.
SAP Ariba Supplier Risk counts the number of eligible red, orange, and green severities by event type (earthquake,
flood, tropical cyclone). If a red, orange, or green event takes place in the time frame listed in the table above, it
counts towards the risk exposure as a single event. For example, if the supplier had a red event take place 10 days
ago, it counts as 1 event. If the supplier had an orange event take place 5 days ago, it counts as 1 event. If the
supplier had a green event 5 days ago, it doesn’t count as an event because it was more than 2 days ago. For that
supplier, the GDACS contribution would be 1+1+0 = 2 events. The event type (earthquake, flood, tropical cyclone)
doesn't affect the risk exposure, only the severity setting of red, orange, and green.
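The look-back and counting rules above, as an added example (not SAP Ariba code). The windows are the ones quoted in the text; treating "less than" as strict, grouping alerts by an event id, and the ids and dates themselves are assumptions made for the illustration.

```python
from datetime import date, timedelta

# Look-back windows in days, as quoted in the text: an alert is eligible
# while its age is strictly less than the window for its severity.
LOOKBACK_DAYS = {"red": 15, "orange": 7, "green": 2}
SEVERITY_RANK = {"green": 1, "orange": 2, "red": 3}


def is_eligible(severity, alert_day, today):
    """True if the alert still falls inside the window for its severity."""
    age = (today - alert_day).days
    return 0 <= age < LOOKBACK_DAYS[severity]


def effective_severity(alerts, today):
    """Highest severity among eligible alerts, or None if none are eligible.

    alerts is a list of (event_id, severity, day) tuples.
    """
    eligible = [sev for _, sev, day in alerts if is_eligible(sev, day, today)]
    return max(eligible, key=SEVERITY_RANK.__getitem__, default=None)


def eligible_event_count(alerts, today):
    """Number of distinct events with at least one eligible alert.

    Assumption: repeated alerts for one disaster share an event id and
    count once, matching "counts ... as a single event" in the text.
    """
    return len({eid for eid, sev, day in alerts if is_eligible(sev, day, today)})


# Constructed data: a hurricane that is red for 13 days, then orange.
START = date(2024, 9, 1)
HURRICANE = (
    [("TC-1", "red", START + timedelta(days=d)) for d in range(13)]
    + [("TC-1", "orange", START + timedelta(days=d)) for d in range(13, 31)]
)


def page_example(today):
    """The three events from the text's counting example (ids constructed)."""
    return [
        ("EQ-1", "red", today - timedelta(days=10)),
        ("FL-1", "orange", today - timedelta(days=5)),
        ("TC-2", "green", today - timedelta(days=5)),
    ]


if __name__ == "__main__":
    for offset in (20, 26, 27, 36, 37):
        today = START + timedelta(days=offset)
        print(offset, effective_severity(HURRICANE, today))
    today = date(2024, 10, 15)
    print(eligible_event_count(page_example(today), today))
```

In the hurricane timeline the status stays red until the last red alert is 15 days old, even though the disaster itself was downgraded to orange two weeks earlier.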
Notifications
Disaster alert notifications are sent within minutes of a natural disaster involving flood, earthquake, or tropical
cyclone, to users following suppliers in the affected country/region. These notifications are automatically sent and
users can’t choose to stop receiving them.
Note
Alert notifications aren't sent for low severity (green) natural disasters.
Alert notifications are based on the address of the supplier that was provided when the supplier was imported into
the SAP Ariba Supplier Risk system. The address must be their physical address for geolocation monitoring. Don’t
use a remit-to address or a post office box address, as it won’t provide accurate natural disaster information for the
supplier and the impact on the supply chain.
For enriched suppliers, the notifications are based on the address the supplier is enriched to for natural disaster
monitoring. For more information, see Imported Supplier Data and Risk Corporate Enrichment.
Note
Enriched corporate information is only available in the full SAP Ariba Supplier Risk solution.
Prerequisites
To access the alert list, click the Go to alerts link in the Alert feed tile on the Supplier Risk dashboard.
Context
The default filters on the alert list show all alerts updated in the last three months.
Procedure
The area expands to show search filters for the alert list.
2. Choose or enter filter values.
3. Click Search.
Results
The alert list now only shows the alerts that match your filter values. To restore the list to the default filters, click
Reset.
Related Information
Prerequisites
To access the alert list, click the Go to alerts link in the Alert feed tile on the Supplier Risk dashboard.
Context
When you've finished dealing with an alert, you can archive it so that it's no longer taking up space on your alert list.
Archiving an alert doesn't remove it from the supplier's risk exposure calculation.
Note
Risk alerts less than 60 days old are used in the supplier's risk exposure calculation. It doesn't matter if they're
in the alert list or the archive list. Once the alert is 60 days old, it's no longer included in the supplier's risk
exposure calculation.
Procedure
1. On the alert list, check the alerts that you want to archive.
2. Click Archive.
Results
The alert moves to the Archived alerts tab. To move archived alerts back to the alert list, in the Archived alerts
area, select them and click Unarchive.
Related Information
Prerequisites
To access the alert list, click the Go to alerts link in the Alert feed tile on the Supplier Risk dashboard.
Context
You share alerts at the summary level. For example, if an alert includes 5 alert details, the email you generate
includes all 5 of those links.
The email message that is automatically generated when you share alerts includes a default subject line, "<Your
user name> has shared following alert/s with you." You can edit this subject. You can also add comments, which
appear in the body of the email, above the alert links.
Procedure
Related Information
Prerequisites
To access the alert list, click the Go to alerts link in the Alert feed tile on the Supplier Risk dashboard.
Context
You flag alerts at the summary level. By default, alerts aren't flagged, and the flag icon to their left is black. If
the alert is flagged, the flag icon is red.
Procedure
1. On the alert list, perform one of the following actions to manage alert flags.
Related Information
Context
You can enter and report feedback for a specific risk incident (such as an adverse media incident that appears to be
questionable). Eligible incidents include all categories except Natural disaster. This feedback is then submitted to
the associated content provider(s) to influence how they capture/classify their risk events. Incidents reported for
feedback are marked with a green check mark, visible to users in your realm.
Note
Feedback that was reported to the Adverse media feedback center is removed when it's 2 years old.
You can report feedback from any of the following incident lists:
Natural disaster incidents can't be submitted for feedback or made inactive. These incidents won't have a
selection checkbox.
Follow these steps to report feedback for one or more adverse media risk incidents.
Procedure
1. Navigate to an alerts list on the alert page or the supplier 360° profile Risk incidents tab.
2. Click the checkbox for any incidents you want to report for feedback.
3. Click Report feedback.
4. In the dialog, you can choose a reason for your feedback by clicking its checkbox. You can also enter a short
text comment. When you're finished entering your reasons, click Confirm.
Results
Incidents that you submit for feedback are marked in your alerts list with a green check mark, and they appear on
the Adverse media feedback center.
Context
For each desired active supplier, a blue feed icon indicates that you're subscribed to risk alerts for the selected
incident type. A dark gray feed icon indicates that you're not.
You begin receiving alerts 24–48 hours from the date you start following a supplier.
Procedure
1. On the Supplier Risk dashboard, click the gear icon in the upper right, and then choose Customize
supplier alerts in the navigation area on the left.
2. In the incident type table, click an incident type.
3. Perform one of the following actions:
• To start getting alerts for the selected incident type for a supplier, check the box to the left of a supplier
with a dark gray feed icon.
• To start getting alerts for the selected incident type for all listed suppliers, check the box in the column
header.
• To stop getting alerts for the selected incident type for an individual supplier, uncheck the box to the left of
a supplier with a blue feed icon.
• To stop getting alerts for the selected incident type for all listed suppliers, uncheck the box in the column
header.
4. Click either Follow or Unfollow at the bottom of the page.
5. Click either Follow or Unfollow in the Confirm Update popup depending on the choice you made in the
previous step. You can also choose Cancel.
Context
Each incident type has a default severity level [page 12], and email notifications are enabled for High and Medium
incident types by default.
The severity settings provide alerts based on the specific setting of High, Medium, or Low. You'll only see the alerts
based on your alert settings.
Ignoring alerts for an incident type means that no alerts for this incident type appear on the Supplier Risk
dashboard or the alert list. They are in the Risk incidents in the supplier 360° profiles. If you want to see alerts
for an incident type for some suppliers but not others, you can also manage subscriptions to alerts for specific
suppliers [page 90].
If you change the alert severity settings, you see the alerts starting from the change date and going forward. Any
alert that was identified using the previous setting is still displayed at the alert severity setting that was configured
at the time the alert was reported. For example, if you receive incident alerts using a low severity setting and then
you change the severity to medium, you see both the low (previously reported) alerts and the new (as of the date of
change and going forward) medium alerts in the list of alerts. This is the only situation where you may see alerts for
the same supplier with different severity settings displayed in the user interface.
Procedure
1. On the Supplier Risk dashboard, click the gear icon in the upper right, then choose Configure alerts from
the navigation area on the left.
• To continue seeing alerts for an incident type, but adjust their severity level, choose High, Medium, or Low.
• To stop seeing alerts for an incident type, choose Ignore.
• To start or stop receiving email notifications for alerts about an incident type, check or uncheck Receive
email.
Note
Low severity alerts are not included in email notifications, but you can see them by clicking Go to alerts
in the Alert feed tile on the Supplier Risk dashboard.
Users automatically receive one daily email notification at 4:00 a.m. EST that summarizes the adverse
media alerts, licensed third-party provider evaluation updates, failure updates for third-party provider
Dun & Bradstreet licenses, and supplier compliance updates from the Risk Category Information API
for Supplier Risk Exposure, for suppliers they follow.
Related Information
Context
To receive email notifications for a positive incident type, follow these steps:
Procedure
1. On the Supplier Risk dashboard, click the gear icon in the upper right, then choose Configure alerts from
the navigation area on the left.
Note
• If the Receive email checkbox has previously been unchecked for one or more negative incident types,
you can turn email notifications back on by checking Receive email.
• Email notifications aren't sent for Low severity incident types. To receive email notifications for the
incident type, set its severity level to High or Medium by following the instructions in Configuring Risk
Incident Severity Levels and Email Notifications [page 91].
• Uncheck Receive email to turn off email notifications for an incident type.
• Incident types with an Ignore severity level aren't listed on the Supplier Risk dashboard or the alert
list, but they are in the Risk incidents in the supplier 360° profile. Check Receive email if you want to
receive email notifications for an incident type with an Ignore severity level.
Results
Users automatically receive one daily email notification at 4:00 a.m. EST that summarizes the adverse media
alerts, licensed third-party provider evaluation updates, failure updates for third-party provider Dun & Bradstreet
licenses, and supplier compliance updates from the Risk Category Information API for Supplier Risk Exposure, for
suppliers they follow.
Risk Incidents and Alert Trends in a Supplier’s 360° Profile [page 98]
Prerequisites
• The third-party provider must successfully complete the SAP Ariba certified partner program.
• Only active suppliers that aren't blocked for monitoring can be submitted for risk evaluation.
• Before you can submit a supplier to a provider for risk analysis, you must first obtain a license with that
provider and enter your licensing credentials in the SAP Ariba Supplier Risk self-licensing interface. View
Registering a Third-Party Provider License.
• Some providers might have additional requirements that must be completed on the supplier 360° profile
before risk evaluation can be requested. For example, a provider might require an external ID. The external ID
can be obtained from the provider. A user in the Supplier Risk Manager group can append the external ID to
the supplier 360° profile. View Appending External IDs to Supplier 360° Profiles for details.
• To submit suppliers for risk evaluation, you must be a member of the Supplier Risk Manager or Supplier Risk
User group.
• You must have registered a license with a third-party provider and submitted suppliers for evaluation to receive
evaluation update notifications.
Third-party provider evaluation update notifications include the suppliers that were submitted to your licensed
providers for evaluation. Suppliers submitted to the third-party provider appear in notifications if they have
evaluation updates. Third-party provider evaluation notifications are on by default and can't be turned off.
Follow these steps to submit one or more suppliers to a provider for risk evaluation.
Procedure
Note
• If your evaluation is from EcoVadis, you're prompted for additional information; fill out the dialog and click
OK.
Results
To check the status of your evaluation, click the Suppliers evaluated link on the main risk dashboard or open the
specific supplier 360° profile.
Tip
Dun & Bradstreet (D&B) doesn’t return information for the supplier if the confidence score is less than 8. You
may see an empty score and an empty Not enough info field if the supplier you submitted for evaluation with
D&B has a confidence score less than 8. You can contact D&B support for this and all other issues regarding
D&B integration and errors.
When a supplier evaluation fails after submitting a supplier for a financial risk evaluation from Dun & Bradstreet
(D&B), the error message from D&B is shown on the Financial risk tab in the supplier 360° profile. D&B has several
Email notifications are automatically sent to the internal users who submit suppliers to Environmental & Social
third-party partners for risk analysis. Notifications are sent when suppliers are submitted for risk evaluation, when
supplier risk evaluation updates are received from the third-party provider, and when the supplier risk evaluation
submission fails. Only 1 email is sent per day and it includes all 3 types of notifications (submission, update, failure).
Users automatically receive one daily email notification at 4:00 a.m. EST that summarizes the adverse media
alerts, licensed third-party provider evaluation updates, failure updates for third-party provider Dun & Bradstreet
licenses, and supplier compliance updates from the Risk Category Information API for Supplier Risk Exposure, for
suppliers they follow.
Related Information
The Risk exposure tab allows you to quickly assess the supplier's current risk exposure and see exposure trends in
different risk categories. It also highlights the most recent contributing factors for each category's risk exposure.
Only custom fields that contribute to the risk exposure are shown on the Risk exposure tab. Non-contributing
custom fields aren't shown.
• The supplier's overall Risk exposure, which is highlighted at the top of the tab. The overall risk exposure
combines the exposure in different risk categories based on your company's priorities and is a number
between 1 and 100, with 100 being the riskiest and 1 the least risky.
• A line chart that displays risk exposure trends over time for each of the four risk categories. This chart provides
a quick visual indicator of whether a supplier's risk level has changed drastically in a short period of time, is
deteriorating or improving steadily, or is consistent. A dropdown menu allows you to filter the chart by risk
exposure data for the last 30, 90, or 180 days.
Tip
Dots on the chart lines represent category risk exposure data on specific dates. Hover your mouse over a
dot to see the exposure for each category on that date.
• Side-by-side columns that highlight key recent risk information in each category. The columns show:
• The current risk exposure for each category. Unlike the supplier's overall risk exposure, category risk
exposure can sometimes be 0 if there's no data for the category, or if the data results in an exposure of 0. For
example, if the only data available for the Financial category is a count of 0 bankruptcies, the risk exposure
for that category is 0.
• Key contributing factors for each category's risk exposure. For example, the Regulatory & legal column
shows counts for liens and lawsuits; the Financial column shows UCC filing count; and so on.
• The most recent alerts for the category.
Tip
Click on a contributing factor link to see more detailed information about it.
• The Engagement Requests area. This area is only visible to users who have permission to create engagement
requests or work with risk assessment projects. If you have those permissions, you can view and manage the
risk assessments associated with the supplier [page 120] in that area.
Related Information
• An Incidents list that summarizes all of the supplier's risk incidents over the past 2 years. You can filter the
risk incidents to view all risk incidents, the last 30 days, the last 90 days, the last 180 days, or the feedback
reported. Each entry on the list is a summary of the individual incidents that occurred within a short time of
each other, and shows the number of detailed individual incidents it represents in parentheses. Click on any
summary incident to see its details. The Incidents list isn't based on your subscription settings, and shows all
incidents of all types for the supplier whether or not you're receiving alerts for them.
Note
When a risk incident becomes 2 years old, it's removed from the Risk incidents tab on the supplier's 360°
profile.
• An Alerts area, which shows the alerts you've received for the supplier if you're following it. The alert
information in this area is based on your subscription settings [page 90] and doesn't show alerts for incident
types you've opted not to receive. This area includes:
• A bar chart that shows alert trends by month, color-coded for severity level. This chart provides a quick
visual indicator letting you know if there's a sudden or gradual change to the number of alerts a supplier
is accumulating, and how severe they are. Click a color-coded area on a bar to see the number of alerts it
represents. You can then examine the alerts list to learn more about the trend.
• A summarized list of alerts by incident type, which you can expand or collapse by clicking the arrow to the
left of the Alerts label. The list is collapsed by default. In the list, you can click each incident type to see the
detailed list of alerts it represents, and click each alert to see the associated media article in full.
Related Information
Note
Enriched corporate information is only available in the full SAP Ariba Supplier Risk solution.
The information on this tab is enriched, meaning that SAP Ariba Supplier Risk matches the supplier to several
different sources of information to provide more detailed corporate information. This information is displayed in
three areas on the Enriched corporate info tab:
• General shows information about the supplier such as legal name and address, bankruptcy indicators, number
of employees, revenue, industry, and diversity indicators.
• Family Tree shows a chart of the supplier's corporate structure and legal name and address information for the
supplier's headquarters, domestic ultimate parent company, and global ultimate parent company. Hover over
any company in the family tree chart to see that company's state, city, and country/region.
• Country/Region profile shows World Economic Forum (WEF) rankings for the supplier's country/region in
categories such as market size, infrastructure, market efficiency, and technological readiness. You can click the
links at the bottom of this area to view the reports on which the rankings are based.
Note
The WEF information is updated annually and represents information collected from the previous year.
Note
There won't be any WEF rankings for the supplier's country/region if the parameter to remove WEF
country/region risk [page 391] has been enabled.
To see when the information on this tab was last updated, click the Enrichment History link. If a supplier
couldn't be matched to enriched corporate information, the Enriched corporate information tab shows little to no
information and the enrichment history indicates that the supplier hasn't been enriched.
Tip
Dun & Bradstreet (D&B) doesn’t return information for the supplier if the confidence score is less than 8. You
could see an empty score and an empty Not enough info field if the supplier you submitted for evaluation with
D&B has a confidence score less than 8. You can contact D&B support for this and all other issues regarding
D&B integration and errors.
Users automatically receive one daily email notification at 4:00 a.m. EST that summarizes the adverse media
alerts, licensed third-party provider evaluation updates, failure updates for third-party provider Dun & Bradstreet
licenses, and supplier compliance updates from the Risk Category Information API for Supplier Risk Exposure, for
suppliers they follow.
The supplier level details are included in the supplier's risk profile PDF export and the Licensed Provider Summary
report.
The data elements that contribute to the risk exposure and appear on the Risk exposure tab of the supplier 360°
profile influence the risk exposure until you change those data elements in the configuration editor, or disable D&B
as a third-party licensed provider.
With the D&B licensed provider integration, D&B continues to monitor a supplier once the supplier is submitted for
evaluation until your contract with D&B expires. The D&B information about the supplier is automatically updated
in the supplier profile.
Note
When the third-party provider license with Dun & Bradstreet expires, the authorization check fails and an error
message from D&B is shown on the Dun & Bradstreet page in the Content and service providers area on the
Supplier risk administration page. After the license credentials have been updated, D&B begins monitoring
the supplier again.
Note
SAP Ariba Supplier Risk doesn't delete financial data. It's always displayed in the supplier 360° profile.
However, after 180 days it disappears from the graph on the financial tab in the supplier's 360° profile.
The table on the right side of the graph is still displayed.
When an evaluation fails after you submit a supplier for a financial risk evaluation from Dun &
Bradstreet, the error message from D&B is shown at the top of the Financial risk tab in the supplier 360°
profile. D&B has several error messages, and the one shown depends on the error. When the supplier
information is updated, you can resubmit the supplier for evaluation.
Note
The sanction and watchlist information on this tab comes from the Risk Category Information API for Supplier
Risk Exposure.
• Sanctions and Watchlists tells you if a sanction or watchlist was found for the supplier. The status can be one
of the following:
• Violation found means the supplier was screened and a sanction or watchlist violation was found. This
status impacts risk exposure with High weight.
Note
By default, the risk exposure override is set to Overall risk exposure for Sanction and Watchlist, and
the weight is set to High. If the supplier has a sanction or watchlist violation, the risk exposure and the
regulatory and legal risk category are set to 100 on the supplier's Risk exposure tab in the supplier's
360° profile.
• Violation not found means the supplier was screened but no violation was found. There’s no impact to risk
exposure.
• Violation expired means the violation no longer exists. The risk exposure should no longer be impacted by
the violation.
• Not screened means your organization hasn't screened the supplier for compliance violations. There’s no
impact to risk exposure.
• Screened At is the date the supplier was checked for compliance data.
Evidence
• Provider is the name of the provider of the compliance data for the supplier. Your provider can have evidence
data from multiple sources.
• Source is the origin of the evidence about the supplier. For example, when multiple articles support
the evidence about the supplier, only the most relevant source is shown. You can use the
information in the source to find articles from other sources.
• Indicator is the compliance violation, for example, sanction or watchlist.
• Penalty amount is the currency amount of any penalty applied to the supplier for the violation.
• Start Date is the date the compliance violation started.
• End Date is the date the compliance violation ended.
To access the Engagement requests tab of the supplier 360°, you must belong to one of the following user groups:
• Overall inherent risk and Overall residual risk for the supplier, if your site is configured to calculate them.
These ratings can change each time the inherent or residual risk for an engagement changes, or when an
engagement is canceled or archived, because engagements are the source of the overall supplier values. The
Last Updated date next to each rating indicates how recently such a change occurred.
• Engagement requests shows a list of the active (not canceled or archived) engagements for this supplier.
• Risk controls shows a list of shared (vendor- or service-level) risk controls required by engagements for this
supplier.
• Issues shows a list of issues associated with engagements or controls for this supplier.
All custom data for the supplier is displayed on the Custom data tab.
The custom fields can have URLs, notes, and sources as optional additional information.
The custom fields can be configured to contribute to the risk exposure for the chosen risk category, or left
as information only without contributing to the risk exposure.
If the custom field value has been configured with weight for risk exposure, it's displayed in the supplier's 360°
profile on the Risk exposure tab. Custom fields that don't contribute to the risk exposure aren't displayed on the
Risk exposure tab. Custom fields that don't contribute to the risk exposure are displayed on the Custom data tab.
Note
All fields must be mapped in the configuration editor to be included in the risk exposure calculation for the
supplier. Any eligible field with missing configuration is ignored and doesn't contribute to the risk exposure.
• Risk category lists the custom fields that have been mapped to that risk category for the supplier.
• Risk exposure is the exposure for all contributing factors, including the custom fields, in that risk category.
• The Name of the custom field. This name is the same as the Display name in the Field configurations tab of the
configuration editor.
• The Value that is allowed for the type of custom field such as URL, free text, date, numeric, and text. If the
value has been configured with weight for risk exposure, it's displayed in the supplier's 360° profile on the Risk
exposure tab.
• Update date is the date the custom field information was last updated.
• URL is a link used as data for the custom field value.
• Notes are free text used as data for the custom field value.
• Source is the provider of the data used for the custom field value.
• Contributing has a green check mark if the custom field is contributing to the supplier's risk exposure. You can
view the custom field in the supplier's 360° profile on the Risk exposure tab. A red X means the custom field
isn't contributing to the supplier's risk exposure and the field is informational only.
Context
The supplier risk profile PDF contains information from all of the tabs and areas in the Risk tile of the supplier 360°
profile.
1. On the supplier's 360° profile, if you aren't already in the Risk area, click Risk in the navigation bar.
2. Click the Risk exposure tab.
3. In the top right area of the tab, click Export Risk Profile.
4. Save the exported PDF file to the location of your choice.
Suppliers that are inactive in SAP Ariba Supplier Management solutions no longer appear in the list of followed
suppliers or on the map view, and they don't generate alert notifications on the dashboard, map view, or supplier
list. These suppliers are no longer eligible for submission to a third-party provider for risk evaluation, and they
aren't considered in risk exposure calculations from contributing factors.
You can choose to display active suppliers or inactive suppliers by selecting from a dropdown in the supplier list
page Filters section. When active suppliers are displayed, this dropdown is labeled Active suppliers; when inactive
suppliers are displayed, it's labeled Inactive suppliers. By default, active suppliers are displayed.
About the Basic Approval Workflow for Control-Based Engagement Risk Assessment Projects [page 114]
The Issue Management Process for Risk Controls and Control-Based Engagement Risk Assessment Projects
[page 117]
Viewing and Managing Control-Based Engagement Risk Assessment Projects [page 120]
About requesters, project owners, and members of the Project Owner and Change Request Owners project
teams [page 133]
About Residual Risk for Control-Based Engagement Risk Assessments [page 136]
About Inherent Risk in Control-Based Engagement Risk Assessment Projects [page 138]
About Inherent Risk (Commodity) for Control-Based Engagement Risk Assessment Projects [page 139]
Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140]
Creating a New Engagement Request Triggered by a Non-Catalog Purchase Requisition [page 144]
How to Upgrade an Engagement Project to the Latest Template Version [page 148]
How to Change the Project Owner on the Engagement Page of a Control-Based Engagement Risk Assessment
Project [page 150]
How to Manage Team Membership of the Project Owner Group in a Control-Based Engagement Risk
Assessment Project [page 152]
Viewing and Managing Your Tasks for an Engagement Risk Assessment Project [page 154]
How to Manage Team Membership of the Change Request Owners Project Group [page 156]
How to Add Approvers for a Control-Based Engagement Request or Engagement Risk Assessment Project
[page 158]
How to Approve or Deny a Request for a Control-Based Engagement Risk Assessment [page 159]
How to Change the Supplier Contact on the Engagement Page (Simple Workflow) [page 161]
How to Edit an Engagement Request for a Control-Based Engagement Risk Assessment (Simple Workflow)
[page 162]
How to Edit an Engagement Request for a Control-Based Engagement Risk Assessment (Advanced Workflow)
[page 163]
About Editing a Previously Submitted Engagement Request (Advanced Editing Only) [page 165]
About Working with an Engagement While Updates Are in Process [page 169]
Canceling an Engagement Request for a Control-Based Engagement Risk Assessment (Advanced Workflow)
[page 175]
Sending Assessment Questionnaires for a Control-Based Engagement Risk Assessment Project (Simple
Workflow) [page 177]
Sending Assessment Questionnaires for a Control-Based Engagement Risk Assessment Project (Advanced
Workflow) [page 180]
How to Complete an Internal Assessment for a Control-Based Engagement Risk Assessment Project [page 184]
Requesting an Update or Changing the Recipient for a Modular Questionnaire [page 185]
How to Approve or Deny an Internal Assessment Questionnaire for a Control-Based Engagement Risk
Assessment Project [page 187]
How to Assign or Reassign a Control Review or Questionnaire To Do Task for an Engagement [page 188]
How to Fill Out and Submit a Supplemental Engagement Questionnaire [page 191]
How to Raise an Issue for a Control-Based Engagement Risk Assessment or One of Its Risk Controls [page 194]
How to Define, Analyze, or Resolve an Issue for a Control-Based Engagement Risk Assessment [page 196]
How to Manage Team Membership of the Assignee Project Group in an Issue Management Project [page 199]
How to Add Approvers or Reviewers for an Issue in a Control-Based Engagement Risk Assessment Project
[page 201]
How to Change the Residual Risk of a Control-Based Engagement Risk Assessment Project [page 202]
How to Approve or Deny a Control-Based Engagement Risk Assessment Project [page 204]
How to Cancel the Post-Project Approval Phase of a Control-Based Engagement Risk Assessment Project
[page 249]
Topics About Processing a Periodic or Ad Hoc Review for an Engagement [page 250]
How to Archive a Control-Based Engagement Risk Assessment Project (Simple Workflow) [page 262]
How to Archive a Control-Based Engagement Risk Assessment Project (Advanced Workflow) [page 263]
How to Cancel Archiving of a Control-Based Engagement Risk Assessment Project [page 265]
Copying a Control-Based Engagement Risk Assessment Project to Create a New Engagement Request [page
266]
Analytical Reporting for Control-Based Engagement Risk Assessment Projects [page 275]
Note
Behavior concerning review of risk controls depends on your site's configuration for levels of
risk control effectiveness: the value of parameter Expanded levels of risk control effectiveness
(Application.SR.Engagement.ExpandedLevelsOfRiskControlEffectiveness), introduced with
optional feature ARI-9766.
• If No, risk control decisions can be Effective or Ineffective, so an effective risk control is one for which the
review decision is Effective.
• If Yes, there are five possible levels, ranging from Completely effective to Completely ineffective. In
this case, an ineffective control is one with a review decision of Completely ineffective. A risk control is
considered to be at least somewhat effective if the review decision is any of the other four values.
The commodities, regions, and departments involved in an engagement help determine its applicable controls.
Depending on your organization's setup, the engagement's materiality, criticality, and potential for outsourcing
might also play a part in determining its applicable controls. Controls can be relatively general (for example,
a control for IT engagements in all regions for all departments) or specific (for example, a control for critical
IT engagements in Germany that involve the IT department and require physical access to a data center). In
control-based engagement risk assessment projects, controls include several important components that drive the
risk assessment process:
• Required assessments: Controls always include at least one questionnaire that is designed to assess whether
or not the potential risk is manageable or acceptable. One control can include multiple questionnaires;
conversely, multiple controls can use one questionnaire. For example, your organization might have different
controls for HR services in different regions. Each control might include the same general questionnaire to
assess adherence to your general HR standards and practices, and different questionnaires for each region to
assess compliance with local regulations.
• Control effectiveness reviews: Controls require review by a designated decision maker. During the review,
the decision maker reviews the answers to the associated assessment questionnaires and evaluates the
effectiveness of the control. Decision makers are assigned to specific controls and have the domain expertise
necessary to render these judgments.
• Requirements for new control reviews based on control types: Each control has a type that determines how
frequently, and in what circumstances, it requires review in a specific engagement risk assessment project
where a specific supplier is selected. These types allow your organization to maintain strict controls for some
kinds of engagements and looser controls for others, and to fast-track suppliers that already have one or more
effective controls in new engagements with similar characteristics. The three types of controls are:
• Vendor-level: a control that applies generally to a supplier. If a decision maker marks a vendor control
as effective for a supplier, it continues to be effective for that supplier in subsequent engagement risk
assessment projects without additional review. A decision maker only needs to re-review a vendor control
for the same supplier if it was previously marked effective but the control review decision or one of its
underlying questionnaires is expiring or has expired.
• Engagement-level: a control that applies to a specific, individual engagement. A decision maker always
reviews an engagement-level control in every engagement risk assessment project.
Tip
Decision makers might also be able to review controls using the Controls tile (all controls under
their responsibility) or the Action queue (the subset currently requiring review due to engagement
activity or control review expiration). These options are available in sites where the parameters
Enable control review workflow (Application.SR.Engagement.EnableControlReviewWorkflow)
and Enable action queue (Application.SR.Engagement.EnableActionQueue) are set to Yes.
Expiration of control review decisions for shared (engagement- or vendor-level) controls depends on whether
the Enable control review workflow parameter is enabled in your site.
• Enable control review workflow set to No: A review decision for a shared control requires re-review when
one of its underlying assessments is expiring or has expired.
• Enable control review workflow set to Yes: The expiration date for a control review decision defaults to the
earliest expiration date amongst its underlying assessments. A decision maker for the control can also set
the decision's expiration date manually.
If your site is set up to support engagement risk assessment projects with no supplier selected, all applicable
controls require a new review in each engagement risk assessment project that does not specify a supplier
regardless of the control type.
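The review rules above, modeled as an added Python example (not SAP Ariba code) for the two control types listed here. The 30-day "expiring" window, the reason codes, treating a missing or non-effective prior decision as requiring review, and taking the earlier of a manual decision expiration and the earliest questionnaire expiration are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class ControlType(Enum):
    VENDOR = "vendor-level"
    ENGAGEMENT = "engagement-level"


@dataclass
class SiteConfig:
    # Application.SR.Engagement.ExpandedLevelsOfRiskControlEffectiveness
    expanded_levels: bool
    # Application.SR.Engagement.EnableControlReviewWorkflow
    review_workflow: bool
    # ASSUMPTION: the page does not say how far ahead "expiring" starts.
    expiring_window: timedelta = timedelta(days=30)


@dataclass
class PriorReview:
    decision: str  # review decision recorded for this supplier
    # Expiration dates of the underlying questionnaires that can expire.
    assessment_expirations: List[date] = field(default_factory=list)
    # Set by the decision maker; only honored when review_workflow is Yes.
    manual_expiration: Optional[date] = None


def is_effective(decision: str, cfg: SiteConfig) -> bool:
    """Two-level mode: only 'Effective' counts. Expanded mode: anything
    except 'Completely ineffective' is at least somewhat effective."""
    if cfg.expanded_levels:
        return decision != "Completely ineffective"
    return decision == "Effective"


def review_deadline(prior: PriorReview, cfg: SiteConfig) -> Optional[date]:
    """Earliest date on which the prior decision stops being usable."""
    dates = list(prior.assessment_expirations)
    if cfg.review_workflow and prior.manual_expiration is not None:
        # ASSUMPTION: a manual date never outlives an expiring questionnaire.
        dates.append(prior.manual_expiration)
    return min(dates, default=None)


def needs_review(ctype: ControlType, supplier: Optional[str],
                 prior: Optional[PriorReview], cfg: SiteConfig,
                 today: date) -> Tuple[bool, str]:
    """Return (review required?, reason code) for one control in one project."""
    if supplier is None:
        return True, "NO_SUPPLIER"          # all control types get a new review
    if ctype is ControlType.ENGAGEMENT:
        return True, "ENGAGEMENT_LEVEL"     # reviewed in every project
    if prior is None:
        return True, "NO_PRIOR_DECISION"    # ASSUMPTION: nothing to carry over
    if not is_effective(prior.decision, cfg):
        return True, "PRIOR_NOT_EFFECTIVE"  # ASSUMPTION: only effective carries
    deadline = review_deadline(prior, cfg)
    if deadline is not None:
        if deadline <= today:
            return True, "EXPIRED"
        if deadline - today <= cfg.expiring_window:
            return True, "EXPIRING"
    return False, "CARRIED_OVER"


def demo() -> List[Tuple[str, bool, str]]:
    """Constructed sample data: one supplier, several vendor-level histories."""
    today = date(2024, 6, 1)
    cfg = SiteConfig(expanded_levels=True, review_workflow=True)
    cases = {
        "fresh decision": PriorReview("Completely effective", [date(2025, 1, 1)]),
        "questionnaire expiring": PriorReview("Completely effective",
                                              [date(2025, 1, 1), date(2024, 6, 15)]),
        "manual date passed": PriorReview("Completely effective",
                                          [date(2025, 1, 1)], date(2024, 5, 1)),
        "ineffective": PriorReview("Completely ineffective", [date(2025, 1, 1)]),
    }
    rows = []
    for label, prior in cases.items():
        required, reason = needs_review(ControlType.VENDOR, "Supplier A (constructed)",
                                        prior, cfg, today)
        rows.append((label, required, reason))
    return rows


if __name__ == "__main__":
    for label, required, reason in demo():
        print(f"{label:25} review={required!s:5} {reason}")
```

Returning a reason code with each decision lets an auditor see which rule forced a re-review, rather than only that one was required.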
A control-based engagement risk assessment has no controls when the engagement request business details or
answers to the inherent risk screening questions don't require controls.
The basic approval workflow starts with an engagement request that has no controls. The engagement request is
flagged in the system to use the basic approval workflow, which requires only the Request Approval phase. After
completing the Request Approval phase, the engagement request moves immediately to Completed status.
If you use the basic approval workflow, only Copy and Archive are available in the Action menu on the engagement
page after the engagement reaches completed status. Any other template-configured post-project approval tasks
aren't available for basic approval engagements.
See Require only basic approval for engagement projects with no controls [page 398] for more information on the
basic approval workflow.
Some engagements might not need a risk assessment. Others, such as consulting engagements that involve
access to confidential information or company networks or facilities, or outsourcing engagements that involve
goods and services that are critical to your organization's operations, might require stringent risk assessments.
1. Requesting the engagement and identifying the applicable risk controls: A user in your company who
wants to engage with a supplier or other third party creates an engagement request. The engagement request
includes the following four steps:
1. Business Details, where the requester fills out a business details questionnaire to provide basic
information such as the request title and the commodities, regions, and departments involved. The
business details questionnaire might also include questions about the criticality, materiality, or outsourcing
impact of the engagement.
2. Inherent Risk Screening, where the requester fills out a screening questionnaire that determines which
risk controls and assessment questionnaires are required for assessing the engagement's risk. The
answers to questions in the business details questionnaire determine some of the questions included
in the inherent risk screening, and the answers to those conditional questions in the inherent risk screening
determine the required risk controls.
Depending on how your organization's engagement risk assessment process is set up, some of these stages may
also include supplemental engagement questionnaires. These questionnaires are not the same as assessment
questionnaires and are not sent at the same time. Instead, task owners fill them out either as part of the
engagement risk assessment workflow or at any time before the engagement is completed, depending on how they
are set up. Supplemental engagement questionnaires typically gather information that is not directly associated
with control reviews. For example, they may track compliance, report on or monitor aspects of the engagement, or
confirm that someone has performed a required task outside of the engagement risk assessment project.
At any time between when the request is submitted and the engagement is completed or canceled, the requester
and governance experts can create issues or findings to highlight potential problems or concerns with the
engagement as a whole, and control decision makers can raise issues or findings associated with specific controls.
Various stakeholders then complete tasks and add comments to track and resolve those concerns.
In solutions that include SAP Ariba Sourcing or SAP Ariba Contracts, a sourcing or contract project can be made a
follow-on project from the engagement risk assessment, linking the projects together.
• The content in the engagement request business details and inherent risk screening questionnaires, including
which inherent risk screening questions trigger specific controls and whether the inherent risk screening
questionnaire generates an inherent risk rating.
• Who is responsible for sending control-based risk assessments.
• Who is responsible for approving the engagement request and approving the overall engagement.
• Whether or not there are other tasks in the workflow, such as To Do tasks related to business details or review
tasks, and who is responsible for completing them.
• Whether or not the engagement includes supplemental questionnaires and whether or not those
questionnaires require approval.
• The process for modifying completed engagement requests, using the change request workflow.
• The process for archiving engagement projects in sites that use the advanced archiving workflow.
Each engagement-level risk assessment questionnaire also has its own project template, which defines:
• Whether the questionnaire is internal or external and, for internal questionnaires, its recipients.
• The content of the questionnaire.
• Whether or not the questionnaire can expire and, if so, its expiration schedule.
Related Information
Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140]
How to Approve or Deny a Request for a Control-Based Engagement Risk Assessment [page 159]
Sending Assessment Questionnaires for a Control-Based Engagement Risk Assessment Project (Simple Workflow)
[page 177]
Setting Up Control Review Workflow
How to Review a Pending Control for Effectiveness Using the Control Review Page [page 228]
How to Review a Pending Control for Effectiveness Using the Control Details Page (Two Levels) [page 215]
Skipping an Assessment Response [page 222]
How to Skip a Control Review [page 225]
How to Approve or Deny a Control-Based Engagement Risk Assessment Project [page 204]
Control-Based Engagement Risk Assessment Status Flow [page 267]
Adding Periodic and Ad Hoc Review to the Engagement Workflow
Setting Up a Modular Questionnaire to Import Supplier Responses from the Human Rights Assessment on SAP
Business Network
Setting Up a Modular Questionnaire to Import Supplier Responses from an External System
Creating and Managing Findings [page 303]
Creating a New Engagement Request Triggered by a Non-Catalog Purchase Requisition [page 144]
Linking an Existing Engagement Request to a Non-Catalog Purchase Requisition [page 146]
Engagement risk assessment project stakeholders can raise issues for the overall risk assessment project. Control
decision makers can raise issues for specific controls during a control review. For example, a request approver who
is concerned that the required controls may not address a potential additional risk can approve the request but
raise an issue. Or during control review, a control decision maker might raise an issue to clarify some aspect of
the control's potential effectiveness. Issues created for vendor- and service-level controls, and their residual risk
ratings, are also automatically included in all engagement risk assessment projects that require the control and
that include the same supplier (for vendor-level controls) or commodities (for service-level controls). That way,
control decision makers have visibility into the issues that shaped previous decisions about control effectiveness in
similar engagements.
The residual risk rating of the engagement may in turn be defined as:
• The highest residual risk of any issue created for the current engagement or for any risk control required for the
current engagement
• (If calculating residual risk by risk domain, using the Issues method) The highest residual risk of any issue
associated with any risk control required for the current engagement
Note
If your site is set up to calculate residual risk by risk domain, but using the Control Effectiveness method, then
residual risk for issues is not used to determine the overall engagement residual risk.
The issue management process provides an automatic and auditable process for collecting all of the pertinent
information about an issue and involving relevant experts in its analysis and resolution. It includes five stages:
1. Issue creation: a user becomes aware that there is a potential issue with a proposed engagement while the
control-based engagement risk assessment project is in progress, either for the engagement in general or for one
of its required controls, and creates an issue in Draft status. The user who creates the issue might fill out most
or all of the information for it, including specifying an assignee, or might leave most of the issue's fields blank at
this time. The Comments area is not yet available during issue creation.
2. Issue definition: the issue assignee (if there is one at this point) and owners of various issue definition tasks
edit the issue to provide more detailed information, add comments, and complete their assigned tasks.
The Issue definition phase ends when a user completes its final task. The issue status then moves from Draft
to Open.
3. Issue analysis: the assignee (if there is one at this point) and owners of various issue analysis tasks review
the issue details, edit the issue to update or add information if necessary, add comments, and complete
their assigned tasks. They might or might not propose resolutions at this stage. If the issue has not yet been
assigned, they also specify a user who can resolve the issue as the assignee at this point.
The Issue analysis phase ends when a user completes its final task. The issue status then moves from Open to
In Progress.
4. Issue resolution: the assignee and owners of various issue resolution tasks review the issue information, edit it
to propose or finalize its resolution, and complete their assigned tasks. If all of the information in the issue form
has not yet been filled out by now, it is added and finalized at this point, including the final issue severity and
probability.
The Issue resolution phase ends when a user completes its final task. The issue status then moves from In
Progress to Resolved.
5. Issue resolution acceptance: task owners complete any other assigned tasks related to issue resolution
acceptance, and the approvers assigned to the issue review the resolution and finally approve or deny it.
• If the issue resolution is approved, the issue moves from Resolved to Completed status.
• If the issue resolution is denied, the issue moves from Resolved to Request Denied status. In this case,
issue assignees can rework and then resubmit the resolution.
If the issue assignee team management feature is enabled and set up in your site and your issue management
projects include an assignee project group, at any point between when the issue is created and when it is resolved,
users with the appropriate permissions can add assignees to the issue from the issue page.
If the site configuration parameter Enable assignee team management on issue projects
(Application.SR.IssueManagement.ManageIssueAssigneeTeam) is disabled, the Manage team button
is not available in the upper right corner of the issue page. This means the assignee team can't be managed on
the issue page.
Note
Members of the Project Owner project group in the issue management project and members of the
Supplier Risk Engagement Governance Analyst global user group have permission to edit an issue. If issue
management projects in your site include an assignee project group, members of that group can also edit an
issue. If your site uses role-based access control in the issue form, members of these groups can only edit
those sections of the issue form to which they have access. Neither task ownership nor access privileges by
themselves grant permission to edit an issue.
Related Information
• Viewing and tracking engagement risk assessment projects on the Supplier Risk dashboard and in supplier
360° profiles [page 120]
• Using the engagement page [page 122]
Note
Your ability to view and complete tasks for individual control-based engagement risk assessment projects is
determined by your global user group membership and your assignment to tasks in specific engagement risk
assessment projects.
Viewing and Tracking Engagement Risk Assessment Projects on the Supplier Risk Dashboard
and in Supplier 360° Profiles
The Engagement requests page, which you access by clicking the Engagement requests tile on the Supplier Risk
dashboard, shows all of the engagement risk assessment projects you have permission to see. The Engagement
requests tab of an individual supplier 360° profile shows engagement risk assessment projects for that supplier
along with their associated issues, findings, and risk controls.
The Engagement requests page includes three tabs, which allow you to view or manage engagement risk
assessment projects at various stages:
• Edit and save or submit your draft engagement requests on the New requests tab, which shows
engagement requests that you have created and saved but not submitted (in Draft status). Click the
engagement request name to open your draft, finish it, and submit it.
• Track and manage engagement risk assessment projects that are in progress on the In progress tab:
• View or approve submitted engagement requests: Click the name of an engagement risk assessment
project with Submitted status to view its details on the engagement page. If you are an approver, you can
approve or deny a request here [page 159].
• Edit or cancel engagement requests:
• If your site uses the advanced editing feature, you can edit or cancel engagement requests at any time
before final approval. Click the name of an engagement risk assessment project to edit [page 163] or
cancel [page 175] it. If the status of the engagement request is In Edit, only the user who originated
the edit can continue the editing process; in this case, the engagement page shows the name of the
editing user.
You can sort some columns, such as Name, by clicking the column name. You can filter other columns, such as
Status, by clicking the filter icon in the column header, then choosing the filter values.
Note
If the feature for engagement list page enhancements (ARI-15401) is enabled in your site, filter and sort are at
the top of the engagement list page, not on the column headers.
Tip
To remove the autofill history in the Filters for engagement requests popup, clear your browser’s cache.
To export the list of risk assessment projects on any of the tiles in the Engagement requests area to a Microsoft
Excel file, click the download icon. The exported file includes the list of risk assessment projects on the tile
based on current filters and sorting.
Once a requester has submitted a control-based engagement request, you can click its name to open the
engagement page and see engagement details if you are:
• The requester.
• The project owner.
• A member of the Project Owner project group or, for an engagement with a change request in progress, the
Change Request Owners project group.
• A member of the Supplier Risk Engagement Analyst or Supplier Risk Engagement Governance Analyst
group.
• An approver, reviewer, or task owner for one of its tasks.
Tip
Residual risk for an engagement is calculated or re-calculated when it moves to Completed status,
when a change request or review is completed, or in response to changes in the underlying factors
(issues, findings, inherent risk, or control effectiveness) that influence the residual risk evaluation. If
the update processing wasn't quite as fast as the redisplay of the engagement page, you might still see
the prior residual risk value. In this case, you can use the Refresh status link at the top of the Tasks
section to refresh the page and show the newer residual risk value.
• For a completed engagement for which there has been change request activity, this section includes a link
to the engagement history [page 130].
• Supplier: basic information about the engagement supplier, including name and email address of the primary
supplier contact, if a supplier is selected. You can click the supplier's name to open their 360° profile.
• Engagement risk by risk domain: a list of the risk domains assigned to sections of the inherent risk screening
questionnaire, with the calculated inherent risk for each. This section displays only in sites configured to
calculate inherent risk by risk domain.
• The Residual risk and Contributing risk controls columns display here if at least one of the two domain-
based residual risk methods is enabled.
• Hover over a value in the Contributing risk controls column to display a tooltip showing a list of the
controls contributing to the residual risk rating for that risk domain, with the residual risk value for each.
From there you can click on a control name to navigate to its control details page.
• Approval flow: a graph that shows the five general steps of the engagement risk assessment process with
separate nodes for each assessment questionnaire task and control review task required by the current
engagement risk assessment project.
• Tasks: a table where you can view the tasks for the engagement risk assessment project, and where task
owners and approvers can complete their assigned tasks, including control review tasks. You can view task
details from here.
• Risk Controls: a table where you can view detailed information about all of the engagement's required controls.
You can view the control name, type, and owner; the associated assessments; the control review status; the
review decision, if there is one, for a vendor- or engagement-level risk control; the assignee (control decision
maker); and, for completed control reviews, the completed date. Control decision makers can review their
assigned controls here.
• Risk Assessments: a table where you can view the assessment questionnaires required for the current
engagement project, for which evidence needs to be (Pending tab) or has already been (Completed tab)
Related Information
The Action queue page allows users to access their open approvals, To Do tasks, and other actions for control-
based risk assessment projects. The Actions tile on the Supplier Risk dashboard shows the number of open
approvals, To Do tasks, and other actions.
If the action queue for engagement projects feature (ARI-9396) is enabled in your site, you’ll find the Actions tile on
the Supplier Risk dashboard. The tile takes you to the Action queue page.
Note
The Actions tile is only visible on your Supplier Risk dashboard when you have open approvals, To Do tasks,
and other actions for engagement projects that you're assigned to either as an individual or as a member of a
project group.
If any approvals, To Do tasks, or actions need immediate attention, as determined by due dates or expiration dates,
the number of these actions appears at the bottom of the Actions tile in orange. They also show on the
Action queue page with the status Due soon in orange and Overdue in red.
The Action queue page shows the open approvals, To Do tasks, and other actions for engagement projects the user
is assigned to either as an individual or as a member of a project group.
Users click the linked name to complete the action rather than going to individual engagement projects or looking
for email notifications.
Actions: The name of the To Do task, approval, or other action, and the action type. For example, To Do for my document 1, To Do task | Engagement request: WS12345.
Note
In progress is only used for engagement request periodic
reviews. You can find the In progress status if you select
Created date: The date the document that needs to be acted on was created.
Due date: The date the document that needs to be acted on is due.
Approval tasks (engagement request approval task, assessment questionnaire approval task, issue approval task)
• Engagement request approval task takes you to the task details page. Assessment questionnaire approval task takes you to the task details page.
• When the task is available for approval.
• When the task is approved.
• The task due date configured on the project template for the engagement, assessment, or issue.
• The actions that need attention, as indicated on the Actions tile, are either overdue or due soon. The action shows as Due soon when it's within 7 days of the due date.
Assessment questionnaire
• Engagement internal modular questionnaire takes you to the engagement page. Any other internal modular questionnaire takes you to the questionnaire details page.
• When the assessments are sent, or reopened for response or request for edit.
• When a response to the modular questionnaire is submitted and the assessment is pending approval.
• By default, 7 days from when the assessment is sent, or reopened for response or request for edit. An authorized user can customize this number of days using the Days till due date for assessment questionnaire and control review actions setting on the Control review tab of the Configure periodic reviews page in the settings area.
Control review
• The action name link takes you to the control details page.
• When the assessment is sent.
• When the control is reviewed.
• By default, 7 days from when the assessment is approved and the control is opened for review, or available for review, or similar. An authorized user can customize this number of days using the Days till due date for assessment questionnaire and control review actions setting on the Control review tab of the Configure periodic reviews page in the settings area.
Control review expiration
• The action name link takes you to the control details page.
• The control expiration date plus the number of days in the Control review configuration. When the control
• When the control is reopened or a new expiration date is set.
• The number of days in the Control review configuration found at Supplier risk administration
Engagement project upgrade
• The action name link takes you to the engagement page where you can see the engagement details.
• When the engagement project is made available for upgrade.
• When the template upgrade is complete for the engagement project.
• The due date set in the Additional settings for template upgrade popup when the engagement project is made available for upgrade.
Engagement request periodic review
• The action name link takes you to the engagement page.
• When the engagement request is eligible for periodic review.
• When the periodic review on the engagement request is completed.
• The configured Date to complete the review found at Supplier risk administration Configure periodic reviews on the Engagements tab.
To Do tasks (engagement request To Do task, assessment questionnaire To Do task, issue To Do task)
• Engagement request To Do task for an assessment task takes you to the engagement page. Any other engagement To Do task takes you to the task details page. Assessment questionnaire To Do task takes you to the task details page. Issue To Do task takes you to the task details page.
• When the task is active and can be started.
• When the task is completed.
• The task due date configured on the project template for the engagement, assessment, or issue.
Related Information
Viewing and Managing Your Tasks for an Engagement Risk Assessment Project [page 154]
Setting Up Control Review Workflow
Prerequisites
• You must have view permission for the engagement via your group membership or role in the project. Users
with this permission include:
• The user who created a review or change request currently in progress
• Members of the Project Owner project group
• Members of the Change Request Owners project group
• Members of the Supplier Risk Engagement Governance Analyst group
• The engagement must have at least one post-completion activity. These activities include:
• Change request
• Periodic or ad hoc review
• Template upgrade
• The activity may be in progress, completed, or canceled. If you revert a draft change request or a draft review,
these activities are not recorded in the engagement history.
Context
The Engagement history page shows the history of an engagement, from the version that first received final
approval through the current state. It shows all change requests and periodic or ad hoc reviews processed beyond
draft status, and any skipped periodic reviews.
Procedure
Results
The Engagement History page shows activity for this engagement. By default, all activity is listed in reverse
chronological order. Activities listed include:
Note
If you revert a draft review or change request, that activity no longer appears in the engagement history.
• Submitted (in progress) change request or review. If you cancel a submitted review or change request, it
remains in the history with a status indicating it was canceled.
• Completed change request or review
• Skipped periodic review
• Template upgrade
From here you can click on the Activity date text to see the history record for that activity, or use the checkboxes at
left to choose rows for comparison.
Related Information
Choose two rows in the engagement history to display a page illustrating the differences between them. Choose
one row to compare it to the current live version.
Prerequisites
The Engagement history link must be available for the engagement project. See the Prerequisites listed in Viewing
Engagement History [page 130].
The Engagement history page shows change request and review activity for an engagement project, from the
version that first received final approval through the current state.
From here you can use the checkboxes at left to choose two rows for comparison, or choose one row to compare it
to the current live version.
Procedure
Results
The comparison appears below the list of engagement project activities. Rows where the two versions differ are
highlighted.
• The Business details section shows the list of business details questions, with Older (row representing earlier
version or activity) and Newer (row representing more recent version or activity) responses.
• The Inherent risk screening section shows the list of inherent risk screening questions, with Older (row
representing earlier version or activity) and Newer (row representing more recent version or activity)
responses.
• The Tasks section shows all tasks for the engagement. Columns for Older status and Newer status indicate
the status of each task for the two versions of the engagement.
• The Risk controls section shows summary information for all controls for the engagement. Columns for Older
status and Newer status indicate the status of each control for the two versions of the engagement.
• The Risk assessments section shows summary information for all assessments for the engagement. Columns
for Older status and Newer status indicate the status of each control for the two versions of the engagement.
The following roles in control-based engagement risk assessment projects carry specific permissions.
Requester
The person who created the engagement request. The Requester field on the engagement page shows the name of the requester, which doesn’t change.
The requester is also the default project owner of a control-based engagement risk assessment project and is automatically added to its Project Owner project group.
Permissions:
• View the engagement and perform any tasks associated with viewing the engagement, such as creating issues.
• Inherit permissions from membership in the Project Owner project group while also a member of that group.
Owner
The explicit project owner of the control-based engagement risk assessment project. The Owner field on the engagement page shows the name of the current project owner, which might change.
The requester is the default project owner of a control-based engagement risk assessment project. A user with the appropriate permissions might change the project owner using one of the following mechanisms:
Permissions:
• View the engagement and perform any tasks associated with viewing the engagement, such as creating issues.
• Inherit permissions from membership in the Project Owner project group.
Project Owner project group team member
Members of the Project Owner project group in the control-based engagement risk assessment project.
By default, the requester and any other user who is subsequently made owner of the project are added to the Project Owner project group in addition to any members added by the project template. A user with the appropriate permissions might change the group membership using one of the following mechanisms:
• By editing project team membership in the advanced view. You can both add and remove team members using this mechanism except for the current owner, who is always a member of this group.
• By choosing Action Manage team on the engagement page [page 152]. You can add and remove team members.
If your site uses a dedicated assignee project group for issue management projects, when someone creates an issue for a control-based engagement risk assessment project, the current membership of its Project Owner project group is automatically copied to the issue assignee project group in addition to any template-defined membership. This copy is a one-time operation at issue creation. There is no ongoing synchronization in membership between the engagement risk assessment Project Owner group and assignee groups in its associated issues management projects.
Permissions:
• View the engagement and perform any tasks associated with viewing the engagement, such as creating issues, even if not a requester, owner, or member of the Supplier Risk Engagement Governance Analyst group.
• Complete any tasks to which the Project Owner project group is assigned.
• Add approvers or reviewers for tasks that do not have template-defined approvers or reviewers.
• Be the recipients for internal assessments if the assessment questionnaire project does not have an Internal Recipients project group or if that project group is empty.
• Edit the engagement request if they are also a member of the Supplier Risk Engagement Requestor global user group.
Creator of a change request
A member of the Project Owner project team for an engagement can create a change request. The Created by field for the change request contains this name, which does not change.
Permissions: These are the only users who can open a Draft change request for further editing and submit it.
"On behalf of" user for a change request
The user creating a change request can optionally specify another user on behalf of whom the change request is created.
Change Request Owners project group team member
Members of the Change Request Owners project group in the control-based engagement risk assessment project.
By default, the Created by user and "on behalf of" user are added to the Change Request Owners project group in addition to any members added by the project template. A user with the appropriate permissions might change the group membership by
Permissions: For an engagement with a change request in progress, this group has the same permissions as members of the Project Owner project group. In addition, members of this group can:
• Cancel an in-progress change request
• Start an edit of an in-progress change request (if this feature is enabled)
Depending on how your organization has set up its control-based engagement risk assessment projects, they
might include any number of other project groups that are responsible for completing specific tasks in different
parts of the process.
Related Information
How to Change the Project Owner on the Engagement Page of a Control-Based Engagement Risk Assessment
Project [page 150]
How to Manage Team Membership of the Project Owner Group in a Control-Based Engagement Risk Assessment
Project [page 152]
How to Manage Team Membership of the Change Request Owners Project Group [page 156]
During the control-based engagement risk assessment process, the requester and various stakeholders might
notice aspects of the engagement that cannot be mitigated by standard risk controls, or for which controls are not
sufficient for one reason or another. These aspects therefore have a direct bearing on an engagement's residual risk.
The Residual Risk field for an issue shows its residual risk based on its probability and severity. This field displays a
value once the issue severity and probability are set.
A customer administrator at your organization defines the ranges of probability and severity that can be assigned
to an issue as well as the rating of residual risk for each possible combination of the two. Typically, issues with
higher severity or probability have greater residual risk. There is not always a direct relationship, however, between
probability or severity and the residual risk rating. For example, your organization might decide that issues with
very low severity have the lowest residual risk even if they are highly probable. Conversely, issues with very high
severity might have the highest residual risk even if they are not very likely.
Each finding has a business impact value determined from its impact and likelihood (analogous to the severity and
probability for an issue). Possible business impact values are Low (1), Medium (2), High (3), Critical (4), and Show
Stopper (5).
The residual risk for an engagement shows in the Residual Risk field in the Engagement Summary area of the
engagement page.
Depending on how your site is set up, engagement residual risk is determined using one of the following methods.
• By default, an engagement's residual risk is the highest residual risk rating among the issues associated with
the engagement and its controls. If your site is set up to use findings, the business impact of each finding is
considered.
• If your site is set up to calculate residual risk by risk domain: an engagement's residual risk is the highest
residual risk rating for any control on the engagement. In this method, a control’s residual risk is determined
using one of the following:
• Issues or findings associated with the control. Note that this method considers only control- or service-
level, not engagement-level issues or findings.
If you are using a residual risk evaluation method that considers issues or findings (in other words, anything but the
domain-based Control effectiveness method): if the engagement has both findings and associated "legacy" issues
from before you enabled the findings feature, both issues and findings are considered in determining residual risk.
The Residual Risk field displays in the summary area of the engagement page once the engagement's residual risk
has been calculated.
• If using the default residual risk calculation, in which engagement residual risk is the most severe residual risk
rating for any issue (or business impact for any finding) associated with the engagement or any of its controls:
engagement residual risk is calculated as soon as an issue for the engagement has a residual risk value (or a
finding has a business impact value). It is updated as needed when related issues (or findings) are added or
their residual risk (business impact) values change.
Note
If using this method, and the engagement has not yet been approved, users with the appropriate
permissions can manually edit its residual risk rating. You can only manually edit an existing residual risk
rating. If the engagement Residual Risk field is blank, there is no way to edit the field to set it manually.
• If calculating residual risk by risk domain, engagement residual risk is calculated or re-calculated:
• When the original engagement request is completed
• When a change request or review is completed
• In response to changes in the underlying factors (issues, findings, inherent risk, or control effectiveness
levels) that determine the residual risk
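The roll-up rules described above, modelled as an added example (not SAP Ariba code). The probability and severity level names, the matrix contents, the sample issues and findings, and the reuse of the finding business impact scale (1 to 5) for issue ratings are assumptions made for illustration. The by-domain functions cover only the issues-or-findings variant and leave out control effectiveness and inherent risk.

```python
"""Added illustration of the residual risk roll-up rules; not SAP Ariba code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Business impact scale for findings as listed on the page. Reusing the same
# ordinal scale for issue residual risk ratings is an assumption of this example.
RATINGS = {1: "Low", 2: "Medium", 3: "High", 4: "Critical", 5: "Show Stopper"}

# Constructed probability/severity ranges; a customer administrator defines the real ones.
LEVELS = ("very low", "low", "medium", "high", "very high")

Matrix = Dict[Tuple[str, str], int]


def build_matrix() -> Matrix:
    """Constructed (probability, severity) -> rating table with the two
    non-linear cases from the text: very low severity is always the lowest
    rating and very high severity is always the highest."""
    matrix: Matrix = {}
    for p_idx, probability in enumerate(LEVELS):
        for s_idx, severity in enumerate(LEVELS):
            if severity == "very low":
                rating = 1
            elif severity == "very high":
                rating = 5
            else:
                rating = (p_idx + s_idx + 1) // 2 + 1
            matrix[(probability, severity)] = rating
    return matrix


@dataclass
class Issue:
    name: str
    probability: Optional[str] = None
    severity: Optional[str] = None
    control: Optional[str] = None  # None means an engagement-level issue

    def rating(self, matrix: Matrix) -> Optional[int]:
        # No residual risk value until both probability and severity are set.
        if self.probability is None or self.severity is None:
            return None
        return matrix[(self.probability, self.severity)]


@dataclass
class Finding:
    name: str
    business_impact: Optional[int] = None  # 1..5, see RATINGS
    control: Optional[str] = None

    def rating(self, matrix: Matrix) -> Optional[int]:
        return self.business_impact


Item = Union[Issue, Finding]


def default_residual_risk(items: List[Item], matrix: Matrix) -> Optional[int]:
    """Default method: highest rating among all issues and findings on the
    engagement and its controls. None models a blank Residual Risk field."""
    rated = [r for r in (item.rating(matrix) for item in items) if r is not None]
    return max(rated, default=None)


def residual_risk_by_control(items: List[Item], matrix: Matrix) -> Dict[str, int]:
    """By-domain method, issues/findings variant: only items attached to a
    control count; engagement-level items are skipped."""
    per_control: Dict[str, int] = {}
    for item in items:
        rating = item.rating(matrix)
        if item.control is None or rating is None:
            continue
        per_control[item.control] = max(rating, per_control.get(item.control, 0))
    return per_control


def domain_residual_risk(items: List[Item], matrix: Matrix) -> Optional[int]:
    """Engagement rating = highest residual risk rating of any control."""
    return max(residual_risk_by_control(items, matrix).values(), default=None)


MATRIX = build_matrix()

# Constructed sample: legacy issues and findings on the same engagement.
SAMPLE: List[Item] = [
    Issue("Subcontractor not disclosed", "very low", "very high"),  # engagement level
    Issue("Stale access reviews", "very high", "very low", control="Access management"),
    Issue("Awaiting triage", control="Access management"),  # not yet rated
    Finding("Restore test overdue", business_impact=3, control="Business continuity"),
]

if __name__ == "__main__":
    print("default:", RATINGS[default_residual_risk(SAMPLE, MATRIX)])
    print("per control:", residual_risk_by_control(SAMPLE, MATRIX))
    print("by domain:", RATINGS[domain_residual_risk(SAMPLE, MATRIX)])
```

On the sample data the two methods disagree: the engagement-level issue drives the default rating, while the by-domain variant never sees it.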
Related Information
About Inherent Risk (Commodity) for Control-Based Engagement Risk Assessment Projects [page 139]
How to Change the Residual Risk of a Control-Based Engagement Risk Assessment Project [page 202]
Configuring Residual Risk Calculations by Risk Domain
Setting Up Residual Risk for Issue Management Projects
Inherent risk is risk based on the fundamental characteristics of the engagement, such as its commodities,
regions, departments, and criticality. When you create an engagement request, the second step of the request is an
inherent risk screening questionnaire that asks you questions about the inherent risk of the engagement based
on the commodities, regions, and departments you selected in the first step. Your organization's control-based
risk assessment process can also score the inherent risk of an engagement directly based on the answers to the
inherent risk screening questionnaire. For example, your organization might score a Yes answer to a question about
The Inherent Risk field shows an inherent risk rating based on the answers in the inherent risk screening
questionnaire in the second step of the engagement request. This rating is always a descriptive term that is
associated with an underlying numerical score; for example, High or Low or Critical. The Engagement Summary
only shows the Inherent Risk field in engagements where all of the following conditions apply:
• A template creator in your organization has set up scoring for the inherent risk screening questionnaire.
• You have completed the second step of the engagement request, the inherent risk screening questionnaire, and
have clicked Next to submit it.
If your site uses scoring for the inherent risk screening questionnaire, the inherent risk score might affect different
parts of the control-based engagement risk assessment process, such as who approves the request and the overall
engagement.
If your site is configured to calculate inherent risk by risk domain, you can see the underlying domain ratings on the
engagement page as well as the overall inherent risk rating for the engagement.
Related Information
About Residual Risk for Control-Based Engagement Risk Assessments [page 136]
About Inherent Risk (Commodity) for Control-Based Engagement Risk Assessment Projects [page 139]
Viewing and Managing Control-Based Engagement Risk Assessment Projects [page 120]
Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140]
Inherent risk is risk based on the fundamental characteristics of the engagement, such as its commodities, regions,
departments, criticality, and so on. When you create an engagement request, the second step of the request is a
questionnaire that asks you questions about the engagement's inherent risk based on the commodities, regions,
and departments you selected in the first step. Your organization's control-based risk assessment process can also
score the inherent risk of an engagement directly based on the criticality of its commodities to your organization's
operations. For example, your organization might score any engagement for network security services as high risk
because they are critical to your organization's operations and because they always involve granting supplier or
third-party employees access to your organization's computer networks.
The Inherent Risk (Commodity) field shows an inherent risk rating based on the engagement's commodities,
which you specify in the first step of the engagement request. This rating is always a descriptive term that
is associated with an underlying numerical score; for example, High or Low or Critical. The Engagement
Summary only shows the Inherent Risk (Commodity) field in engagements where all of the following conditions
apply:
If the engagement involves multiple commodities with different ratings, it shows the highest (most risky) score.
If your site uses commodity-based inherent risk scores, they might affect different parts of the control-based
engagement risk assessment process, such as who approves the request and the overall engagement.
Prerequisites
• You must be a member of the Supplier Risk Engagement Requestor group to create an engagement request.
• Only active suppliers are eligible for supplier engagement.
Context
In control-based risk assessment projects, the engagement request involves several steps. In the first step, you fill
out a business details questionnaire with basic information about the engagement such as its title, description, and
the commodities, regions, and departments involved. In the second step, you answer questions about its inherent
risk. In the third step, you select the supplier for the engagement, and in the final step, you review the request and
submit it for approval. Depending on your site's configuration, the step for selecting a supplier might be optional.
The questions you answer in the first and second steps match the engagement to one or more of your
organization's risk controls. Each risk control is associated with one or more assessment questionnaires. In some
cases, some of your company's suppliers have already filled one or more of these assessment questionnaires and
some of the required controls are either pending review in another engagement risk assessment project or are
already effective.
Note
Behavior concerning review of risk controls depends on your site's configuration for levels of
risk control effectiveness: the value of parameter Expanded levels of risk control effectiveness
(Application.SR.Engagement.ExpandedLevelsOfRiskControlEffectiveness), introduced with
optional feature ARI-9766.
In the third step of the engagement request, you select a supplier. The Due Diligence section of the supplier
selection page lists the risk controls required for the engagement and the suppliers in your site who match at least
one of them because of a previously started or completed engagement risk assessment. Depending on how your
site is set up, the list might be limited to registered suppliers (suppliers with approved registration projects).
• The Recommended suppliers area shows suppliers who already have unexpired matching controls for all of
the required controls in your current engagement request or who are qualified for all of the commodities you
specify in the first step of your engagement request.
• The Other area shows suppliers who match at least one of the required controls for this engagement request.
For each supplier, these areas show the number of matching controls by effectiveness level. Some controls require
a review in every engagement (engagement-level controls or controls that only have internal assessments). Some
controls only require a review once per supplier (vendor-level controls) or once per combination of supplier
and commodities (service-level controls) as long as their associated questionnaires have not expired. Ineffective
controls always require a new review.
You can use this information about matching controls to choose a supplier based on how quickly and smoothly
they are likely to move through the request approval, assessment, and control review processes to final approval
or denial of your engagement. For example, if a supplier has effective controls for all matching controls, your
engagement request has a higher likelihood of being approved, and after that it moves to final approval or denial
of the engagement. If a supplier has matching controls that are pending review, the assessment and control review
processes are already underway. On the other hand, if you want to work with a particular supplier but they do not
have any matching controls, or most of their matching controls require a review for your engagement, you can
set your expectations appropriately about the amount of time it might take to complete the entire engagement
risk assessment process. If a supplier has one or more ineffective controls, that might be an indicator that your
engagement request, or the engagement itself, is less likely to get approved.
If your site's configuration allows you to submit a request without selecting a supplier, doing so might be useful
if:
• The supplier selection step does not show any recommended or fast-tracked suppliers, or if there is no clearly
preferable choice among recommended suppliers.
• You are just not certain which supplier to choose at this point.
• Your organization has a separate process for identifying the most suitable supplier after the request is
submitted or even approved.
• Your organization's control-based engagement risk assessment process is entirely internal and does not
require the engagement to specify a supplier at all.
Note
When creating an engagement request from a non-catalog purchase requisition, the behavior of the
engagement request editing wizard is somewhat different. In this case:
• Some of the questions in the business details questionnaire are automatically answered based on the
values in the requisition.
• By definition, the supplier for the engagement request matches the one on the requisition.
For more information, see Setting Up Your Site to Create Engagement Requests for Non-Catalog Purchases.
Procedure
Note
If the engagement details include a question about the name or title of the engagement, note that
the title must have a maximum length of 255 characters and cannot contain these special characters:
\ / : ? “ < > | # + % &.
If you have saved but not submitted the engagement request, it has the status Draft.
If you have submitted the engagement request, it has the status Submitted. The approval process for it depends
on how your company has set up its control-based engagement risk assessment process.
Next Steps
You can view the new engagement request by clicking the Engagement Requests link on the Supplier Risk
dashboard.
If you saved the request in Draft status, click the New Requests tile, then click the name of the request to open it.
If your request is still a draft, you can complete and submit it from here, or you can cancel it if you decide it is no
longer necessary.
If you submitted the request, click the In Progress tile, then click the name of the request to open it and view its
progress. If you submitted the request but the person responsible for sending out assessment questionnaires has
not yet done so, you can still edit it or cancel it. At any time when it is in progress, you can raise or help resolve
issues for the engagement.
After you have submitted the request, approvers review your answers and either approve or deny it.
If you did not select a supplier before submitting the request, you or another stakeholder can edit the request to
add a supplier at any point between your original submission and when the request is approved and the responsible
user sends assessment questionnaires.
After the responsible user sends assessment questionnaires, one of the following things happens:
• If all of the required controls are already effective, final approval for the engagement starts.
• If at least one of the required controls needs to be assessed, the assessment questionnaire recipients receive
email notifications inviting them to fill out and submit the assessment questionnaires.
• If all of the required controls have been assessed, but at least one of them requires a new review for this
engagement, control decision makers start those new reviews.
Related Information
Prerequisites
You must be a member of the Supplier Risk Engagement Requestor group to create an engagement request.
Context
When the characteristics of a non-catalog purchase requisition require that it be linked to an engagement request,
this triggers a unique workflow. Upon checkout, your purchase requisition is compared to your site's Risk
Engagement Policy. If the requisition requires a corresponding engagement request, you can choose to Create
engagement request or Link existing engagement request.
These steps describe interaction with the engagement when you choose to create a new engagement request.
In control-based risk assessment projects, the engagement request involves several steps. In the first step, you fill
out a business details questionnaire with basic information about the engagement such as its title, description, and
the commodities, regions, and departments involved. In the second step, you answer questions about its inherent
risk. In the third step, you select the supplier for the engagement, and in the final step, you review the request and
submit it for approval.
Procedure
1. From the checkout page for the requisition, choose Create engagement request. This takes you to the
business details page at the start of a new engagement request.
2. On the business details page, initial values for the engagement request name, commodity, region, and
department come from the requisition. These values are not editable until after the engagement has been
saved as a draft. Respond to other questions as needed, then choose Next to move to the next page of the
editing wizard.
Tip
The engagement request is saved as a draft when you choose Next or Save on the initial business details
page. After that point, each engagement editing page shows a message indicating this engagement is
Tip
At any point before choosing Submit request, you can exit the engagement request without submitting.
• Choose Save to save the engagement request without submitting it for approval.
• Choose Cancel to exit the engagement request without saving any changes made to the draft
engagement on the current page.
• Choose Delete to delete the draft request entirely.
Any of these choices takes you back to your requisition.
Results
If you have submitted the engagement request, you land on the engagement page, which summarizes information
about the engagement request.
• The Linked Events section shows information about the requisition linked to this engagement. From here you
can choose View to open the requisition.
• The approval process for the engagement request depends on how your company has set up its control-based
engagement risk assessment process.
If you have not submitted the engagement request, you land on the requisition page. It shows a link to the
engagement request and indicates that the engagement request has not been submitted.
Next Steps
Once there's an engagement request linked to your requisition, you can navigate back and forth between the
requisition and the engagement request.
• To return from the engagement request to the linked requisition, click the link in the message at the top of the
engagement page.
• If the owner of the requisition chooses the Show the requisition link, they land on the appropriate page
for the requisition, depending on its status.
• If a user who is not the requisition owner chooses that link, the landing location depends on their
permissions within guided buying.
• To navigate from the requisition to the engagement request, click the link on the requisition page.
You can continue the progress of a submitted engagement request by addressing any tasks assigned to you in the
Tasks area of the engagement page.
Check back on your requisition later. There may be related tasks that others need to perform, associated with
the due diligence required to approve engaging with this supplier for your requested purchase. Any activity for the
engagement request is reflected on the requisition page.
• Not yet submitted: You (or another authorized user) need to submit the engagement request to trigger any
necessary due diligence tasks.
• In progress (Submitted): Due diligence is still in progress, so there is no decision yet for the requisition.
• Completed (Fulfilled): Due diligence is complete and engaging with this supplier is approved, so your
non-catalog purchase can proceed.
Context
When the characteristics of a non-catalog purchase requisition require that it be linked to an engagement request,
this triggers a unique workflow. Upon checkout, your purchase requisition is compared to your site's Risk
Engagement Policy. If the requisition requires a corresponding engagement request, you can choose to Create
engagement request or Link existing engagement request.
Note
Procedure
1. From the checkout page for the requisition, choose Link existing engagement request.
2. A popup lists available engagement requests that match your requisition's supplier, commodity, and region,
whose statuses would allow them to be linked.
• Completed status: due diligence activities are complete. This supplier has already been vetted for the
commodity and region matching your purchase request.
• If the engagement request is not completed yet, due diligence activities are in progress. These need to be
completed before your purchase can proceed.
Engagements that are neither in progress nor complete can't be selected so aren't listed here. This includes
engagements with statuses such as Draft, In Edit, or Denied.
3. Use the radio buttons to select the engagement request you want to link, and choose Link.
Results
The engagement page opens, showing a summary of information about the engagement request. Actions you can
take here depend on your permissions within this engagement request. Generally, if you are not its creator and you
do not belong to its project owner group, you can view the information but not make changes.
• At the top of the page is a message indicating that this engagement request is linked to a requisition, with a link
you can use to navigate back to it.
• The Linked Events section shows information about the requisition linked to this engagement. From here you
can choose View to open the requisition.
• If you've linked to an engagement request that is not yet completed: The approval process for an engagement
request depends on how your company has set up its control-based engagement risk assessment process.
Next Steps
Once there's an engagement request linked to your requisition, you can navigate back and forth between the
requisition and the engagement request.
• To return from the engagement request to the linked requisition, click the link in the message at the top of the
engagement page.
• If the owner of the requisition chooses the Show the requisition link, they land on the appropriate page
for the requisition, depending on its status.
• If a user who is not the requisition owner chooses that link, the landing location depends on their
permissions within guided buying.
• To navigate from the requisition to the engagement request, click the link on the requisition page.
You can continue the progress of a submitted engagement request by addressing any tasks assigned to you in the
Tasks area of the engagement page.
If the linked engagement is not in a Completed status, check back on your requisition later. There may be related
tasks that others need to perform, associated with the due diligence required to approve engaging with this
supplier for your requested purchase. Any activity for the engagement request is reflected on the requisition page.
• In progress (Submitted): Due diligence is still in progress, so there is no decision yet for the requisition.
• Completed (Fulfilled): Due diligence is complete and engaging with this supplier is approved, so your
non-catalog purchase can proceed.
Prerequisites
When an engagement project is selected for upgrade, the template upgrade activity can be initiated from the
Action menu on the engagement page. On the successful completion of the template upgrade, the engagement
project is moved into an edit (if it was in progress before the upgrade), or into a change request (if it was completed
before the upgrade). Review the business details and inherent risk screening documents, and then submit the
request details, before proceeding. Completing the edit or the change request is required to apply the changes
from the new template to the engagement project.
Procedure
1. Go to the Supplier Risk dashboard, click the Engagement Requests tile, and then click the In Progress or
Completed link.
Tip
If the action queue is enabled, you can click it to go to the engagement project, or you can access the
engagement project through the email notifications, if your customer administrator configured them.
2. Locate the engagement project and click its name to open it.
Note
If Upgrade isn’t in the Action menu, the engagement project isn’t available for a template upgrade.
The upgrade could take some time. By default, the template upgrade is processed asynchronously: while it's in
progress, you can take other actions.
Once the upgrade has started, you can't stop it. If the engagement project was in status In Progress before
the upgrade, you can't revert the edit but you can make changes after you complete (submit) the edit. If the
engagement project was in status Completed before the upgrade, you can edit the change request, or you
can complete the change request and then cancel it.
An email notification is sent to the Project Owner project group that the template upgrade was either a
success or failure. If the upgrade failed, repeat step 3 one more time. If the upgrade fails again, the Upgrade
option is no longer in the Action menu and you should contact your administrator to resolve the failure.
When the template is finished upgrading, you’re taken to either the engagement project in edit mode, if it was
in progress before the upgrade, or into a change request if the engagement project was completed before the
upgrade.
4. Review the business details and inherent risk screening documents, and then submit the request details so the
engagement project is updated to the latest template. You need to complete (submit) the edit or complete the
change request (initial and final approval phases) for the template upgrade to be completed.
Note
When the upgrade is complete, you can find the template upgrade activity on the Engagement History
page. Click the Activity date for the template upgrade on the Engagement History page and view the
Results
An email notification is sent to the Project Owner project group, and the Change Request Owners project group
(if applicable) when the edit or change request created by the template upgrade is completed.
Related Information
Prerequisites
The self-service site configuration parameter Enable change project owner action on the engagement page
(Application.SR.Engagement.ChangeOwnerAction) is enabled by default.
To change the project owner of a control-based engagement risk assessment project from the project page, you
must have permission to view its engagement page.
You can only change project owners to a member of the Supplier Risk Engagement Requestor or Supplier Risk
Engagement Governance Analyst group.
Context
By default, the person who creates the project (the requester) is the project owner. The project owner
automatically has special permissions in the project: they can view a control-based engagement risk assessment
If a user other than the person who creates the project (the requester) is intended to be the project owner, this
change doesn’t take effect until the engagement project is submitted at least once.
Only one person at a time can be the owner of a project. You can also add people to the Project Owner project
group [page 152]. Members of the Project Owner project group can view the project and complete any tasks
assigned to that group but aren’t the actual project owner.
You can change the owner of a control-based engagement risk assessment project from the engagement page
when the project is in any phase, including after the project is finally approved.
Procedure
Note
If a user profile is deactivated, the user is no longer visible in the Manage team popup.
Results
On the engagement page, the Requester field continues to show the name of the original requester, but the Owner
field now shows the new project owner. The new owner receives an email notification letting them know that
they’ve been added to the project as an owner. The new owner is also automatically added to the Project Owner
project group. If it didn’t before, the engagement risk assessment project now shows in the Engagement Requests
area of their Supplier Risk dashboard.
If your site uses a dedicated assignee project group for issue management projects, when someone creates
an issue for a control-based engagement risk assessment project, the current membership of its Project
Owner project group is automatically copied to the issue assignee project group in addition to any template-
defined membership. This copy is a one-time operation at issue creation. There’s no ongoing synchronization in
membership between the engagement risk assessment Project Owner group and assignee groups in its associated
issues management projects.
Related Information
How to Manage Team Membership of the Project Owner Group in a Control-Based Engagement Risk Assessment
Project [page 152]
About requesters, project owners, and members of the Project Owner and Change Request Owners project teams
[page 133]
Prerequisites
The self-service site configuration parameter Enable manage project team action on the engagement page
(Application.SR.Engagement.ManageProjectTeamAction) is enabled by default.
To add or remove a team member or global user group in the Project Owner project group of a control-based
engagement risk assessment project from the engagement page, you must have permission to view it.
You can add or remove any global user group or any member of the following groups from the Project Owner
project group:
Context
Members of the Project Owner project group can view a project regardless of their other permissions. Depending
on how your control-based engagement risk assessment process is set up, they might also be approvers, task
owners, or have other roles in the project. Depending on how issue management projects are set up in your site,
members of the Project Owner group of a control-based engagement risk assessment project might also become
assignees for any issues created for it.
Note
Users can’t remove themselves (the currently logged in user), or the explicit project owner.
Adding or removing global user groups adds or removes the group. Example: USER_A is a team member of the
Project Owner group individually, and is also a member of GROUP_B global user group. If GROUP_B is removed
from the Project Owner group, the individual team member, USER_A, isn’t removed. Only the GROUP_B global
user group is removed.
If a user profile is deactivated, the user is no longer visible in the Manage team popup.
Procedure
2. On the Manage team popup, click the pencil icon next to Project team, search for the people or global
user groups that you want to add to the Project Owner group, and select them. Uncheck those that you want
to remove.
3. When you’re done, click Save and then Confirm.
Results
The team members you added to the Project Owner group of the engagement risk assessment project can
perform any tasks assigned to that group. They receive an email notification letting them know that they’ve been
added to the Project Owner group in the project. If it didn’t before, the engagement risk assessment project now
shows in the Engagement Requests area of their Supplier Risk dashboards.
The team members you removed from the Project Owner group of the engagement risk assessment project no
longer have any of the permissions associated with the Project Owner group. They receive an email notification
letting them know that they’ve been removed from the Project Owner group in the project.
If your site uses a dedicated assignee project group for issue management projects, when someone creates an
issue for a control-based engagement risk assessment project, the current membership of its Project Owner
project group is automatically copied to the issue assignee project group in addition to any template-defined
membership. This copy is a one-time operation at issue creation.
You can add or remove team members or global user groups in the Project Owner group at any time. Note that
there currently is no ongoing synchronization in membership between the engagement risk assessment Project
Owner group and assignee groups in its associated issues management projects after an issue is created.
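The two membership rules above (a global user group and an individual entry are removed independently, and Project Owner membership is copied to issue assignee groups only once) mean that issue assignees can outlive their owner access. The following Python model is an added example, not SAP Ariba code: the class and function names, the sample users, and the assumption that the one-time copy keeps global groups as group entries are all hypothetical.

```python
from dataclasses import dataclass, field

# Constructed directory of global user groups (sample data, not from a real site).
DIRECTORY = {"GROUP_B": {"USER_A", "USER_C"}}


@dataclass
class ProjectGroup:
    """A project group holding individual users and global user groups as separate entries."""
    users: set = field(default_factory=set)
    global_groups: set = field(default_factory=set)

    def effective_users(self, directory):
        """Everyone who holds the group's permissions, directly or through a global group."""
        resolved = set(self.users)
        for name in self.global_groups:
            resolved |= directory.get(name, set())
        return resolved

    def remove_global_group(self, name):
        # Removes only the group entry; individual entries are untouched.
        self.global_groups.discard(name)

    def remove_user(self, target, actor, explicit_owner):
        # Users cannot remove themselves or the explicit project owner.
        if target == actor or target == explicit_owner:
            raise PermissionError(f"{target} cannot be removed by {actor}")
        self.users.discard(target)


def create_issue_assignees(owner_group, template_members):
    """One-time copy at issue creation: owner membership plus template-defined members.

    Assumption: global groups are copied as group entries, not expanded to users.
    """
    return ProjectGroup(
        users=set(owner_group.users) | set(template_members),
        global_groups=set(owner_group.global_groups),
    )


def stale_assignees(owner_group, assignee_group, template_members, directory):
    """Assignees that came from the copy but no longer have Project Owner access."""
    current = owner_group.effective_users(directory)
    copied = assignee_group.effective_users(directory) - set(template_members)
    return copied - current


def demo():
    owners = ProjectGroup(users={"USER_A", "USER_D"}, global_groups={"GROUP_B"})
    template = {"USER_T"}
    assignees = create_issue_assignees(owners, template)  # snapshot taken here

    owners.remove_global_group("GROUP_B")
    # USER_A was also added individually, so USER_A keeps owner access.
    user_a_still_owner = "USER_A" in owners.effective_users(DIRECTORY)

    owners.remove_user("USER_D", actor="USER_A", explicit_owner="USER_A")
    # The issue's assignee group was never updated, so it still grants access
    # to USER_C (through GROUP_B) and USER_D.
    return user_a_still_owner, stale_assignees(owners, assignees, template, DIRECTORY)


if __name__ == "__main__":
    print(demo())
```

Running the same comparison periodically over real group exports is one way to find issue assignees that should be reviewed after Project Owner membership changes.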
About requesters, project owners, and members of the Project Owner and Change Request Owners project teams
[page 133]
How to Change the Project Owner on the Engagement Page of a Control-Based Engagement Risk Assessment
Project [page 150]
How to Manage Team Membership of the Change Request Owners Project Group [page 156]
If the enhancements to engagement task management feature (ARI-6919) is enabled in your site, there is an
engagement task list for every engagement risk assessment project in which you own uncompleted tasks either
through assignment to you as an individual or because you are a member of a project group that owns the task.
To open the task list for an engagement project, click the number of your tasks or group tasks in the My tasks/
Group tasks column of the dashboard engagement list. That column shows the number of uncompleted tasks that
are assigned to you individually and the number of uncompleted tasks that are assigned to project groups to which
you belong, separated by a forward slash (/).
Note
If you are a member of the Supplier Risk Engagement Governance Analyst group and you are not assigned to
a task individually or as a member of another group, the 0 for Group tasks is a link. This allows you to see a list
of all tasks for the engagement.
Due within 7 days: Uncompleted tasks that are overdue or are due within the next 7 days. Tasks can only appear
on this list if they are configured with due dates in the project template.
Note that the same task can show on both the Due within 7 days tab and either the My tasks tab or the Group
tasks tab.
Once a task is active, you can perform the following actions on it from the engagement task list:
Note
Since the To Do task for sending assessments is a standalone To Do task rather than a To Do task on an
engagement project questionnaire, you cannot assign it.
Tip
If you are a member of the Supplier Risk Engagement Governance Analyst group, you have permission to see
all engagements and to assign or reassign all eligible tasks, even if you are not a task owner or control decision
maker for them. The task counts in the My tasks/Group tasks column reflect your ownership of tasks, but you
can always access the full list of tasks available for you to assign.
Example
If you do not own any tasks, you see a task count of 0/0 in the My tasks/Group tasks column. In this
case, the 0 for Group tasks is a link. When you click on it, the engagement task list shows all tasks for the
engagement.
If your user owns one task but no tasks are assigned to you as a group member, the task count would be
1/0. In this case, both 1 and 0 would be links.
Clicking the navigation icon returns you to the dashboard engagement list.
How to Assign or Reassign a Control Review or Questionnaire To Do Task for an Engagement [page 188]
Using the Action Queue [page 124]
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
Prerequisites
To enable adding or removing team members or global user groups in the Change Request Owners project
group from the engagement page, a member of the Customer Administrator group in your organization must
enable the change request feature using the self-service site configuration parameter Allow change requests
(Application.SR.Engagement.AllowChangeRequest). For information about how to manage parameters,
see Intelligent Configuration Manager Administration.
To add or remove team members in the Change Request Owners group of a control-based engagement risk
assessment project from the project page, you must be both of the following:
• A member of the Project Owner or Change Request Owners project group for the engagement project
• A member of the Supplier Risk Engagement Requestor user group
The following global user groups, or individual users belonging to any of them, are eligible to be added to the
Change Request Owners project group:
Context
Members of the Change Request Owners project group can view an in-progress change request regardless of
their other permissions. Depending on how your control-based engagement risk assessment process is set up,
they might also be approvers, task owners, or have other roles in the project. Depending on how issue management
You can add or remove team members and global user groups in the Change Request Owners group of a
control-based engagement risk assessment project in any phase.
Note
Users can’t remove themselves (the currently logged in user), the user who created the change request, or the
"on behalf of" user if one was specified.
Adding or removing global user groups adds or removes the group. Example: USER_A is a team member of
the Change Request Owners group individually, and is also a member of GROUP_B global user group. If
GROUP_B is removed from the Change Request Owners group, the individual team member, USER_A, isn’t
removed. Only the GROUP_B global user group is removed.
If a user profile is deactivated, the user is no longer visible in the Manage team popup.
Procedure
Results
The team members you added to the Change Request Owners group of the engagement risk assessment
project can perform any tasks to which that group is assigned. They receive an email notification letting them know
that they've been added to the Change Request Owners group in the project. If it didn’t before, the engagement
risk assessment project now shows in the Engagement Requests area of their Supplier Risk dashboards.
The team members you removed from the Change Request Owners group of the engagement risk assessment
project no longer have any of the permissions associated with the Change Request Owners group. They receive
an email notification letting them know that they’ve been removed from the Change Request Owners group in
the project.
Prerequisites
You can only add approvers to a control-based engagement request or engagement risk assessment project if there
are no approvers defined for the relevant task in the template.
Context
When an approval task for an engagement request has no approver assigned via the engagement template, certain
users can add "ad hoc" approvers.
You can add either individual users or system user groups such as Supplier Risk Engagement Expert as approvers.
If you choose a user group, the first member of the group to respond completes the approval task. If you select
multiple users or groups, they are all added as parallel approval nodes in the approval flow.
You can also use this procedure to add reviewers to review tasks for which there is no review flow defined in the
template. However, note that this information applies only to review tasks that a template creator has added to
the control-based engagement request process. It does not apply to risk control effectiveness reviews, which are
always automatically assigned to the decision maker for the control.
Procedure
1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, locate the engagement, and click its name.
2. Locate the engagement and click its name.
3. In the Pending Tasks list, locate the approval task and click Add Approvers.
4. To locate the approvers you want to add, enter group or user names in the Search field.
5. Check the users and groups you want to add.
6. Click Update.
The users or user groups are added to the approval flow for the current task. When the task starts, those users,
or the individual members of those user groups, receive notifications that they need to approve the engagement
request or the entire control-based risk assessment project.
Related Information
Context
Once a requester submits an engagement request and its approval flow starts, it has In Progress status for the
request approval phase.
As the approver, if you believe that an engagement request requires further investigation or mitigation, in addition
to denying it, you also have the option of approving it but raising an issue for it.
Procedure
• Click the link in the approval task email notification to open the engagement request.
• Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, locate the engagement, and click its name.
2. In the Request Details area, review the answers to the engagement request filters questionnaire and the
inherent risk screening questionnaire in the engagement request.
3. In the Pending Tasks list, for the approval task, click Approve/Deny.
Results
If you are the final approver and you approve the request, the control-based risk assessment project moves
to In Progress status for the evidence and control phase and the assigned person in your organization sends
questionnaires related to the engagement's required controls to suppliers. If you deny the request, it moves to
Request Denied status and no further action can be taken.
Note
If you are using the basic approval workflow, after completing the Request Approval phase, the engagement
request moves immediately to Completed status.
Next Steps
If the request is denied, and you are either an approver or a member of the Supplier Risk Engagement
Governance Analyst group, you can resubmit the approval. Resubmitting the approval restarts the approval flow
from the beginning so that approvers can make a different decision. To resubmit the approval, on the engagement
page, click View to open the approval task details page, then click Resubmit.
You can only resubmit the approval for a denied engagement request. If the request is approved and you no longer
believe it is needed, someone in your organization who has the appropriate permissions can cancel it [page 174]
instead.
Related Information
Prerequisites
The advanced send assessments workflow self-service parameter, Enable advanced send assessment workflow
for engagement projects (Application.SR.Engagement.EnableAdvancedSendAssessment), must not be
enabled in your site.
To change the recipient of assessment questionnaires for a control-based engagement risk assessment, you must
be the owner of the To Do task for triggering the evidence and control process in the project.
Context
You can change the recipient of external assessment questionnaires on the engagement page if you're using the
simple workflow for sending assessments.
After the assessments are sent out, the recipient can only be changed by updating the request in a modular
questionnaire.
Procedure
Tip
The button is grayed out if the assessments have already been sent, or if there's no contact to change.
4. In the Change recipient popup, select the supplier contact that you want to receive the assessments.
Tip
If there isn't a primary contact for the supplier, an external assessment isn't sent.
5. Click OK.
The selected supplier recipient appears as the Recipient name in the Supplier section on the engagement page.
When the external assessment is sent, the selected supplier recipient appears as the Assignee in the Risk
Assessments section on the engagement page.
Prerequisites
To edit a submitted or approved engagement request, you must be the project owner, a member of the Project
Owner project group, or a member of the Supplier Risk Engagement Governance Analyst group.
Context
This simple editing procedure applies to sites not configured for advanced editing and canceling. In this case, you
can edit an engagement request when it is in Submitted or Pending Assessment status. Once the responsible user
has sent at least one assessment for the required controls and the control-based engagement risk assessment
project has moved to In Assessment status, you can no longer edit the engagement request.
If your site configuration allows the requester to submit the request with no supplier selected, and your
organization's processes require that the supplier eventually be added to the engagement, you can do so by
editing the request up until the first assessment is sent.
Procedure
1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, locate the engagement, and click its name.
2. In the upper right corner of the engagement page, choose Action > Edit Request.
3. Use the Next and Back buttons to navigate to different steps of the request and edit information as needed.
Results
Depending on the changes you made and your organization's control-based engagement risk assessment process,
the request might now be fast-tracked for final approval, require assessment for more or fewer required risk
controls, or see no changes.
Prerequisites
• You must be the project owner, a member of the Project Owner project group, or a member of the Supplier
Risk Engagement Governance Analyst group.
Context
This advanced editing procedure applies to sites configured for advanced editing and canceling. In this case, you
can edit an engagement request at any point before final approval, including requests that were denied.
Previously submitted requests change to status In Edit until they are re-submitted. While a request is in In Edit
status:
Procedure
1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, locate the engagement, and click its name.
2. In the upper right corner of the engagement page, choose Action > Edit request. A confirmation message
lists the general rules of the editing process and requires you to enter Reason text to continue.
3. Use the Next and Back buttons to navigate to different steps of the request and edit information as needed.
When editing a previously submitted request:
• Changes to business details may cause screening questions to be added or removed. When you click Next
after making such changes, business detail changes are saved and the number of questions added and
removed is noted on the Inherent Risk Screening Questions page.
• Changed answers to the Inherent Risk Screening Questions may cause risk controls to be added or
removed. When you click Next after making such changes, changes are saved and the number of controls
added and removed is noted on the supplier selection page.
• On the supplier selection page:
• If this request already has a supplier but external assessments have not been sent, you can change the
supplier.
• If this request has a supplier and external assessments have already been sent, you cannot change the
supplier.
• If your configuration allows this, the request being edited may not already have a supplier: in this case,
you can select a supplier during edit.
• Each section of the Review Request page highlights additions and changes. Completed tasks that are no
longer relevant are shown on a Withdrawn tasks tab in that section of the review page.
4. If you need to exit an In Edit request without submitting it, you can:
• Choose Save at any point to save your changes without submitting. The request is included in the list of In
Process engagement requests, with status In Edit.
• To continue editing, the same user can return to Step 1 and re-open the request, with a choice to
continue editing or to open the summary page for the engagement request.
• Other authorized users can view a request whose status is In Edit, and complete tasks other than
Send Assessments in the due diligence workflow, but they cannot take over the editing.
Results
Depending on the changes, any tasks that have progressed during the edit, and your organization's control-based
engagement risk assessment process, appropriate tasks are activated and corresponding notifications are sent.
For a more detailed discussion of how tasks, assessments, and controls are treated during edit and after the edited
engagement request is re-submitted, see Treatment of tasks, controls, and assessments during and after edit in
About Editing a Previously Submitted Engagement Request (Advanced Editing Only) [page 165].
This topic applies only to sites configured for advanced editing and canceling of engagement requests.
The following table summarizes actions users can take for an engagement request whose status is In Edit.
Generally, all existing tasks associated with the request can continue, with the exception that assessments cannot
be sent.
Reopen a saved In Edit request for further editing | (upon opening, can choose to edit or to view summary page) | X (upon opening, sees the summary page only)
Send assessments | No user can send assessments while an engagement request is being edited
Significance of Changes
When you submit an edit to an engagement request, the proposed changes are evaluated for significance.
• An engagement request has significant changes when they result in the addition of one or more controls.
• If you change the response for an attribute or question defined in the project template with the supplier field
mapping project.reapprove, this change is considered insignificant requiring approval.
• Removal of a control can be considered significant or insignificant requiring approval,
depending on the setting for the parameter Treat control removal as a significant change
(Application.SR.Engagement.TreatControlRemovalAsSignificant) [page 404].
• Changes to the request are considered insignificant when they do not result in addition or removal of controls.
• A change of supplier is always treated as a significant change, even if no controls are added or removed.
• If a new commodity was added, triggering re-review of a service-type control specifically for this new service,
this is not the addition of a control and thus is not considered a significant change. The new service alone does
not re-trigger the approval task.
The result of this evaluation affects the downstream due diligence tasks for the engagement request. When the
edited request is submitted:
• If the changes are significant, all approval tasks for the engagement request are reactivated.
• If the changes are insignificant requiring approval, the Request Approval phase is reactivated. Which tasks
within that phase are reactivated depends on the setting for the parameter Reopen all initial approval phase
tasks for insignificant changes requiring approval
(Application.SR.Engagement.ReopenAllInitialApprovalPhaseTasksForInsignificantChangesRequiringApproval) [page 394].
• If the changes are insignificant:
Changes made to the engagement request are captured for auditing purposes.
• Editing user and the Reason comment entered at the start of the edit
• Timestamp when request was opened for edit
• Business detail changes
• Inherent risk screening questions added and removed
• Changed responses to Inherent risk screening questions
• Risk controls and assessments added and removed
• Changes to supplier selection
• If the edit is canceled (reverted), this action is captured with a timestamp.
When you edit a previously submitted engagement request, the associated tasks, controls, and assessments may
be affected by the changes. The following table summarizes the treatment of existing, new, and removed tasks,
assessments, and controls through the editing process.
Existing tasks
Start of editing: Current task statuses are captured. Send assessments task deactivated.
During edit:
• Approval tasks: All open tasks can proceed.
• Send Assessments task: Send assessments is deactivated and so cannot proceed.
• Assessments: All open tasks can proceed, so if assessments were already sent, suppliers can submit evidence.
• Controls: All open tasks can proceed.
Upon re-submit:
• Approval tasks: Approval tasks may be reactivated, and notifications sent to approvers, depending on the
significance of the changes to the engagement request.
• Send Assessments task: If there are (new or previously existing) assessments to be sent, the Send Assessments
task is reactivated, and notification is sent to the user assigned to the Send Assessments task.
• Assessments: Evidence collection tasks have the same status as before the edit, or the status corresponding to
any activity that has taken place during the edit. Evidence already collected is retained.
• Controls:
  • Engagement-type controls: re-trigger control review tasks.
  • Service-type controls: If a new commodity was added and control did not already have an effectiveness status
  for it: trigger control review for this commodity.
  • Vendor-type controls: If review pending: remains active during edit. If previously reviewed and not pending:
  not reactivated, even if changes to the engagement request were significant.
Added controls, assessments, and tasks
• Approval tasks and Send Assessments task: Not applicable: Approval tasks and the Send Assessments task were
created when the engagement request was originally submitted.
• Assessments and controls: Added assessments, controls, and their related tasks are processed as appropriate,
similar to a new engagement request.
Controls, assessments, and tasks no longer relevant to the changed engagement request
• Approval tasks: Not applicable: Approval task may be reactivated in response to changes, but not removed.
• Send Assessments task: Not applicable: Send Assessment task may be reactivated in response to changes, but
not removed.
• Assessments: Removed assessments are no longer visible in the Assessments area of the engagement page.
  • If the assessment is not required for any other engagement request, the related task is Withdrawn and
  appears on that tab. Notification is sent to the supplier.
  • If the assessment is still required for another engagement request, it is retained and visible on summary
  pages for those engagement requests.
• Controls: Removed controls are no longer visible in the Controls area of the engagement page.
  • If the control is not required for any other engagement request, the related control review task is
  Withdrawn and appears on that tab.
  • If the control is still required for another engagement request, this task is retained and visible on
  summary pages for those engagement requests.
  • Corresponding notifications sent to stakeholders.
Related Information
How to Edit an Engagement Request for a Control-Based Engagement Risk Assessment (Advanced Workflow)
[page 163]
Certain actions on an engagement require processing to handle results of the action. For example, after you
Submit request for an engagement edit that involves a significant change, the system might need to reactivate a
number of phases and tasks. During this time, interaction with the engagement is limited so that users can't make
additional changes that conflict with the ones being processed.
Note
The behavior described below relies on two parameters, both enabled by default. If a Customer Administrator
has disabled one or both, the corresponding visual feedback described in this topic does not apply.
Manage user interactions during send assessments processing
(Application.SR.Engagement.SendAssessmentsProcessingBehavior): Enables the changes to the user interface and
behavior related to the Send Assessments task.
Manage user interactions during update processing
(Application.SR.Engagement.UpdateProcessingBehavior): Enables the changes to the user interface and behavior
related to other actions such as submitting a new or edited engagement request.
If the update processing is not virtually immediate, visual cues and informational messages on the engagement
page describe the state of the engagement or one of its tasks after you:
• Submit an engagement request, change request, or review, or an edit to one of these projects
• Start the Send Assessments task
• Select Action > Cancel request, Cancel change request, or Cancel review
• Process a task on the engagement, such as To Do, approval, or control review
You also might see them when you first open an engagement, if someone else has recently taken one of these
actions.
• While updates are in process: to clarify why, for example, some Action menu choices are disabled.
Send assessments task | Badge next to engagement name: Processing Send Assessments task. The word Processing replaces the Start button for the task. | Editing an engagement request. Canceling an engagement, change request, or review.
Submit request or Submit review for a new or edited engagement request, change request, or review. An Action menu item such as Cancel review. | Engagement status and badge next to engagement name both say: Processing Changes | Completing tasks. Using the Action menu.
A task listed in the Tasks area of the engagement page | The word Processing replaces the Start button for the task | Interacting with that task
• The task disappears from the Pending tasks tab and is listed on the Completed tasks tab.
• The Processing notation for the task is replaced with a View button, allowing you to see the history of that task.
• You can use the Refresh Status link at the top of the Tasks list to refresh this area with current information.
Note
The behavior described below relies on two parameters, both enabled by default. If a Customer Administrator
has disabled one or both, the corresponding visual feedback described in this topic does not apply.
Parameter: Description
Manage user interactions during send assessments processing
(Application.SR.Engagement.SendAssessmentsProcessingBehavior): Enables the changes to the user interface and
behavior related to the Send Assessments task.
Manage user interactions during update processing
(Application.SR.Engagement.UpdateProcessingBehavior): Enables the changes to the user interface and behavior
related to other actions such as submitting a new or edited engagement request.
• if you remain on the engagement page after clicking Submit request, for example, and the updates encounter
a problem
• when you open an engagement for which an action (yours or someone else's) has failed.
• The Status of the engagement returns to the last state before the processing encountered a problem.
• A banner message at the top of the page gives some information about the problem.
• For a Send Assessments error, you can click Refresh Status and then try again to send assessments.
• For other errors, the banner message includes a Retry link if your user is authorized to take action, based
on the engagement's current status.
Your options for responding depend on which type of action had an update processing error.
If updates fail for a new engagement request, it is saved in Draft status. Only the requestor can open the draft.
The requestor can make changes in the wizard or just re-submit from the Review request page.
Submit new change request or review
Landing page: Engagement editing wizard
If updates fail for a new change request or review, it is saved in Draft status.
• For a change request, only the original creator or the "on behalf of" user can open the draft.
• For a periodic or ad hoc review, only the original creator can open the draft.
The creator or the "on behalf of" user can choose to:
• Make any needed changes in the wizard, then re-submit from the Review request page
• Delete the draft from the business details page (the first page of the wizard)
Submit an edit for an engagement request, change request, or review
Landing page: Engagement editing wizard
Visual cue: Banner message concerning failure.
Note
If updates fail for an edit, the engagement is saved and its status is In Edit. Only the original editor can open and
re-submit the edit.
The original editor can:
• Make any needed changes in the wizard, then re-submit from the Review request page
• Choose Revert edit if the change is no longer needed
Cancel an engagement request, change request, or review
Landing page: Engagement page
If the message has a Retry link, you can use it to retry the cancelation. Otherwise, you can't take action on this
project until an authorized user resolves the error.
Prerequisites
To cancel an engagement request, you must be the project owner, a member of the Project Owner project group,
or a member of the Supplier Risk Engagement Governance Analyst group.
Context
This simple canceling procedure applies to sites not configured for advanced editing and canceling. In this case,
you can cancel an engagement request when it is in Submitted or Pending Assessment status. Once the
responsible user has sent at least one assessment for the required controls and the control-based engagement
risk assessment project has moved to In Assessment status, you can no longer cancel the engagement request.
Procedure
1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, locate the engagement, and click its name.
2. In the upper right corner of the engagement page, choose Action > Cancel Request.
3. Click OK to confirm that you want to cancel the request.
Results
The control-based engagement risk assessment project is now in Request Cancelled status. You can view it on the
Completed tile of the Engagement Requests area.
Control statuses are unchanged. In the case of vendor- or service-level controls, any existing control review
decisions are also unchanged.
Prerequisites
• You must be the project owner, a member of the Project Owner project group, or a member of the Supplier
Risk Engagement Governance Analyst group.
• The request must not be in In Edit status with a different user.
Context
This advanced canceling procedure applies to sites configured for advanced editing and canceling. In this case, you
can cancel an engagement request at any point before final approval, including requests that were denied.
Procedure
1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, locate the engagement, and click its name.
Results
The control-based engagement risk assessment project is now in Request Canceled status. You can view it on the
Completed tile of the Engagement Requests area.
Pending Tasks are deactivated and displayed in the Withdrawn tasks tab on the engagement page.
Control statuses and any existing control review decisions are unchanged.
Any assessment evidence already received from the supplier is retained.
• If the canceled engagement request was the only one for which the assessment was needed, it is deactivated
and the supplier can no longer submit a response.
• If the assessment is still required for an engagement request other than the one being canceled, the supplier
can still submit evidence for that assessment.
Appropriate notifications are sent to stakeholders, reflecting the withdrawn tasks and canceled engagement
request project.
Prerequisites
To send assessment questionnaires for a control-based engagement risk assessment, you must be the owner of
the To Do task for triggering the evidence and control process in the project.
Context
The required assessment questionnaires for a control-based engagement risk assessment project are determined
by its applicable controls, which are in turn determined by the requester's answers to questions in the engagement
request. In the simple workflow for sending assessments, you cannot choose which assessments to send, but you
must complete the To Do task to send them. Completing the task automatically sends the assessments.
Even if recipients have completed all required assessments, you must still complete the send assessments To Do
task so that the control-based engagement risk assessment process can move to the next phase. In this case,
completing the task does not send any assessments.
An assessment might be set up to import responses. When you "send" such an assessment, you are requesting to
import the supplier's response.
Assessments are modular supplier management questionnaires, and each might have its own approval flow. After
a recipient has submitted answers to a modular supplier management questionnaire (either as a standalone
questionnaire or as part of another control-based supplier engagement risk assessment), and those answers have
been approved, the assessment questionnaire is approved until it expires (if ever). The To Do task for sending
assessments only invites recipients to fill out or update an assessment questionnaire if it is new, if it has expired, or
if it is expiring (a notification of pending expiration has been sent). If the questionnaire is already approved, it is not
included in this round of invitations.
In the simple workflow for sending assessments, you cannot choose recipients for individual questionnaires. The To
Do task for sending assessments automatically sends the questionnaires to:
• (External questionnaires) the primary supplier contact or all of the supplier's contacts (for new questionnaires)
or the supplier contact who previously submitted the questionnaire (for questionnaire updates).
• (Internal questionnaires) the members of the questionnaire project Internal Recipient group or, if that
project group is empty or is not present in the project, all members of the Project Owner project group
of the engagement risk assessment project where the internal assessment was sent. For information about
how to define membership in the Internal Recipients group, see About Modular Supplier Management
Questionnaires in Control-Based Engagement Risk Assessment Projects in Setting Up SAP Ariba Supplier Risk.
If all of the following conditions apply to the engagement, you or someone else in your organization must edit
the engagement request to set the supplier before you complete the send assessments To Do task:
• Your site's configuration allows the requester to submit an engagement request with no supplier selected.
• The engagement does not have a supplier set when it is time to send assessments.
• The required controls include at least one unapproved external (supplier-facing) assessment questionnaire.
• Your site is configured without advanced editing and canceling.
Once the send assessments To Do task is complete, there is no way to edit the request to add a supplier
to the engagement. In the simple workflow, completing the send assessments To Do task with no supplier
selected sends internal assessment questionnaires for the engagement's required controls, but does not send
any external assessments (since no supplier is selected, there is no recipient for external questionnaires).
In this case, sending assessments is a one-time operation and there is no way to resend them. If the
engagement's controls only use internal questionnaires, the engagement risk assessment project can proceed
through control review and final approval with no supplier selected. However, if the engagement involves even
one external questionnaire that the supplier must complete and there is no supplier selected, the external
assessment questionnaires are not sent, the associated control reviews cannot start, and the control-based
engagement risk assessment project becomes stuck.
If the first three conditions above are true, but your site is configured for advanced editing and canceling, the
engagement request is editable at any point before the final approval task is completed. In this case, you can
add the supplier after sending assessments.
Procedure
• Click the link in the To Do task email notification to open the engagement request.
• From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, locate the engagement, and click its name.
2. In the Pending Tasks list, for the To Do task to send assessments, click Start.
3. A popup confirms that the assessments for the engagement's required controls have been sent. Click OK to
dismiss it.
Results
SAP Ariba Supplier Risk automatically sends recipients invitations to fill out the unapproved assessment
questionnaires for all required controls in the current engagement risk assessment project.
• If an internal assessment questionnaire has multiple recipients (for example, because the project Internal
Recipients group includes multiple people or a global user group with multiple members), all recipients
receive the invitation, and the first person to respond fills out and submits the questionnaire.
• If an external assessment is set up to import responses, SAP Ariba Supplier Risk does not send notifications
to the supplier asking them to respond, because in this case we are importing a response that the supplier
The Risk Assessments area of the engagement page lists all of the assessments sent as part of this engagement risk
assessment project. You can click View to the right of an assessment questionnaire to view it.
If the engagement has any controls that are open but are associated with questionnaires that have already
been completed, control decision makers now see a Review button for them in the Risk Controls area of the
engagement page.
Next Steps
Recipients now fill out or update and submit the assessment questionnaires you sent. Once they have done so,
depending on how those assessment questionnaires are set up, approvers might need to approve their answers
before control decision makers can review any open controls and mark their effectiveness.
The external assessment questionnaires for all of the required controls in the current engagement risk assessment
project, including those that were already approved and those sent in this step, are available on the Questionnaires
tile of the supplier's 360° profile. Task owners and approvers can complete assigned tasks for external assessment
questionnaires there or by choosing Manage My Tasks.
Internal assessment questionnaires for the required controls do not show on the Questionnaires tile. Users with
the appropriate roles can view them on the Home dashboard. Approvers can approve or deny internal assessment
questionnaires by choosing Manage My Tasks.
Prerequisites
To send assessment questionnaires for a control-based engagement risk assessment project, you must be the
owner of the To Do task for triggering the evidence and control process in the project.
To select which assessments to send, send assessments in more than one round, and choose assessment
recipients, the advanced send assessments workflow must be enabled in your site.
Context
The required assessment questionnaires for a control-based engagement risk assessment project are determined
by its applicable controls, which are in turn determined by the answers the requester provided to questions in the
engagement request. When you start the send assessments To Do task, the send assessments page shows a list of
all of the assessments that are required for the current control-based engagement risk assessment project.
Assessments are modular supplier management questionnaires, each of which might have its own approval flow.
After a recipient has submitted answers to a modular supplier management questionnaire (either as a standalone
questionnaire or as part of another control-based engagement risk assessment), and those answers have been
approved, the assessment questionnaire is approved until it expires (if ever). You can only send assessments that
are new, have expired, or are expiring (a notification of pending expiration has been sent). If the assessment
questionnaire was already sent to the recipient and either the recipient has not yet responded, the response is in
approval, or the response has been approved and the questionnaire is still in Approved status, you do not send it
again.
You can send all available assessments at once, or select specific assessments to send in different rounds. For
example, if your site allows requesters to submit engagement requests with no supplier selected and the required
controls for an engagement use both internal and external assessments, you can send internal assessments in one
or more initial rounds, then select a supplier and send external assessments.
The supplier selection on the engagement request remains editable until you send at least one external
assessment.
• If your site is configured for advanced edit, you can edit the engagement request to add or change the supplier,
until you have sent at least one external assessment.
• If your site does not use advanced edit, the engagement request is no longer editable after you send at least
one assessment (whether internal or external). You can still add a supplier to the engagement from the send
assessments page if needed.
• There is no supplier selected for the engagement yet. You cannot send external assessments for engagement-
level controls until you select a supplier for the engagement, since there is no recipient. You also cannot send
either external or internal assessments for vendor- or service-level controls until you select a supplier for the
engagement, since those controls can apply to a supplier across multiple engagements and there is no way to
tell whether the associated assessments were sent in another engagement risk assessment project until you
select the supplier. To send these assessments, select a supplier for the engagement.
• The supplier selected for the engagement does not have any contacts. You cannot send any external
assessments to a supplier with no contact. To send the assessments, add a contact to the supplier in their
360° profile or contact your administrator so that they can add a contact to the supplier using data import.
• There is a supplier selected for the engagement, but the assessment was already sent in another engagement
risk assessment project and it is not now expiring or expired.
The send assessments To Do task remains open until you have sent all of the available assessments, after which it
automatically completes.
The list of required assessments includes the name of the default recipient for each assessment. Before you send
an assessment, you can change its recipient as follows:
External | The primary supplier contact (for new questionnaires) or the supplier contact who previously submitted the questionnaire (for completed questionnaires). | Any other contact associated with the supplier.
If all required assessments for the current engagement were already sent in previous engagement risk assessment
projects, you must mark the send assessments To Do task complete so that the control-based engagement risk
assessment process can move to the next step.
Procedure
The send assessments page opens. It includes a list of the required assessments for the engagement,
with their visibility type, assignee (recipient), and the date that any previously sent assessments were sent.
Assessments that are not currently available for sending are grayed out.
3. If all of the required assessments have already been sent, click Mark complete to complete the send
assessments To Do task so that the next task in the engagement risk assessment project can start. Otherwise,
proceed to the next step.
4. To send assessments for this engagement, perform the following actions:
a. Check the assessments you want to send at this time. You can only check those assessments that are
currently available for sending. The assessments that you cannot send at this time are grayed out.
b. (Optional) To change the recipient for an assessment, click Change recipient, then check one or more of
the available recipients and click OK.
If an assessment has been set up to import responses rather than to be sent to the supplier via SAP Ariba
Supplier Risk, then when you "send" such an assessment, you are triggering the system to import the supplier's
response. You can't change the recipient in this case, so Change recipient is grayed out.
c. Click Send assessments.
5. (Optional) While you are sending assessments, if no supplier is selected for the engagement yet and
you want to select one now, perform one of the following actions:
• If your site is configured for advanced edit, edit the engagement request (advanced) [page 163] to add an
active supplier.
• If your site is not configured for advanced edit and you have not yet sent any assessments, edit the
engagement request (simple) [page 162] to add an active supplier. If you have already sent at least one
internal assessment, the engagement request is no longer editable.
• In the Add/Update Supplier area of the send assessments page, search for the active supplier you want to
add, then click Set Supplier.
6. Continue sending assessments using the steps above until you have sent all of the required assessments that
must be sent for the current engagement.
Results
If all of the required assessments were already sent in one or more previous engagements, marking the send
assessments To Do task complete completes the task. Otherwise, once you send all of the assessments that must
be sent for the current engagement, the send assessments To Do task completes automatically. In both cases, the
engagement risk assessment process moves to the next step.
SAP Ariba Supplier Risk automatically sends invitations to fill out the assessment questionnaires you sent to the
recipients you specified.
• If a questionnaire has multiple recipients, all recipients receive the invitation, and the first recipient to respond
fills out and submits the questionnaire.
• If an external assessment is set up to import responses, SAP Ariba Supplier Risk does not send notifications
to the supplier asking them to respond, because in this case we are importing a response that the supplier
The Risk Assessments area of the engagement page lists all of the assessments that you have sent up to this point
for the current engagement as well as all of the required assessments for the current engagement that were sent
for other engagements. You can click View to the right of an assessment questionnaire to view it.
If the engagement has any controls that are open but are associated with questionnaires that have already
been completed, control decision makers now see a Review button for them in the Risk Controls area of the
engagement page.
Next Steps
Recipients now fill out and submit the assessment questionnaires you sent. Once they have done so, depending on
how those assessment questionnaires are set up, approvers might need to approve their answers before control
decision makers can review any open controls and mark their effectiveness.
The external assessment questionnaires for all of the required controls in the current engagement risk assessment
project, including those that were already approved and those you sent in this step, are available on the
Questionnaires tile of the supplier 360° profile. Task owners and approvers can complete assigned tasks for
external assessment questionnaires there or by choosing Manage My Tasks.
Internal assessment questionnaires for the required controls do not show on the Questionnaires tile. Users who
have access to the engagement page can view them there. Users with the appropriate roles can view them on the
Home dashboard. Approvers can approve or deny them by choosing Manage My Tasks.
Related Information
About Modular Supplier Management Questionnaires in Control-Based Engagement Risk Assessment Projects
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]
Prerequisites
To fill out a new internal assessment questionnaire for a control-based engagement risk assessment project, you
must be one of the following:
• A member of the internal modular supplier management questionnaire Internal Recipient project group.
• The engagement risk assessment project owner, if the Internal Recipient project group in the internal
modular supplier management questionnaire project does not have any members, or if the project does not
include an Internal Recipient group.
• A member of the Supplier Risk Engagement Governance Analyst global user group.
Context
In control-based engagement risk assessment projects for supplier or third-party engagement, every engagement
has at least one risk control. Risk controls are designed to mitigate or control particular types of risk, and each
includes one or more assessment questionnaires that a decision maker for the control uses to decide whether or
not the control is effective for a particular engagement. These assessment questionnaires can be external, meaning
that the supplier fills them out, or internal, meaning that people in your organization fill them out. If you have
been invited to fill out an internal assessment for a control-based engagement risk assessment project, you have
been identified as someone who can provide information that is necessary for making a decision about risk control
effectiveness for an engagement.
If you do not feel like you are the best person to fill out the assessment questionnaire, a user with appropriate
permissions can change the recipient [page 185].
Procedure
1. Open the internal assessment questionnaire by performing one of the following actions:
• Click the link in the email notification inviting you to fill out the questionnaire.
• In the To Do content item on the Home dashboard, click the name of the questionnaire to open the
engagement page. In the Risk Assessments area, click View to the right of the assessment.
• On the Home dashboard, click the context menu to the left of the search bar and choose SM Modular
Questionnaire, optionally enter a search term such as the name of the questionnaire, and click the search
Results
If there is an approval flow for the questionnaire, submitting it generates notifications letting approvers know
they must review your answers and approve or deny them. If there is no approval flow for the questionnaire, it is
approved automatically.
Next Steps
After all of the questionnaires associated with a risk control are approved, a risk control decision maker in your
organization reviews your answers again, along with the answers to other assessment questionnaires submitted by
the supplier or other people in your organization, and decides whether or not the associated risk control is effective
for the engagement.
Related Information
Requesting an Update or Changing the Recipient for a Modular Questionnaire [page 185]
Prerequisites
To request an update or change a recipient for a modular questionnaire, you must be a member of the SM Modular
Questionnaire Manager, Supplier Risk Engagement Expert, or Supplier Risk Engagement Governance Analyst
group.
You can't request an update while the questionnaire is in Pending Submission or Pending Approval status.
Context
Modular questionnaires can allow continuous updates or permanently close after the submitted answers are first
approved or denied. However, even if a modular questionnaire doesn't normally allow updates, requesting an
update reopens the questionnaire so that the recipient can update it once.
For external modular questionnaires, once a supplier contact has opened the questionnaire and viewed it, the
questionnaire is assigned to them and they're the only user in the supplier's SAP Business Network account who
can view or respond to it. Requesting an update and changing the recipient allows you to reassign the questionnaire
to a different supplier contact.
Internal modular questionnaires used as risk assessments in engagement risk assessment projects can include
an Internal Recipients project group. When you change recipients, members of that group show at the top
of the list of available recipients. Internal modular questionnaires in process projects don't use an Internal
Recipients project group, and available internal recipients show in alphabetical order.
In sites where the process project feature (SM-16798) is enabled, a process initiator who is also a member of the
SM Modular Questionnaire Manager group can also request a questionnaire update or change recipients when
creating or renewing a process.
In SAP Ariba Supplier Risk, a modular questionnaire used as a risk assessment can be set up to import supplier
responses. In this case, requesting an update triggers import of the supplier's current response, either from
SAP Business Network or your external system. You can't use Request Update to change the recipient of an
assessment for which responses are imported.
Procedure
• For an internal questionnaire, choose the current recipient or search for and select a different recipient.
• For an external questionnaire, leave the current recipient selected, search for and select a different supplier
contact, or (if you have permission to add supplier contacts) add a new contact and choose them as the
recipient.
4. Optional: Enter a comment about the update request or questionnaire reassignment.
Results
The current or updated recipient receives an email notification inviting them to submit the questionnaire.
If the questionnaire is set up to generate reminders, requesting an update restarts the reminder schedule.
Related Information
Procedure
Tip
The name of the internal questionnaire project associated with the task does not tell you which supplier is
involved in the control-based engagement risk assessment, but you can see the supplier name when you
view task details.
3. Click the name of the task and choose Action > View Task Details.
4. Review the answers.
5. In the top right corner of the page, perform one of the following actions:
Caution
Do not click Request additional info. If you request additional information, the approval cannot restart
until the recipient resubmits the questionnaire. However, there is currently no way for the recipient to
update the questionnaire after the initial submission. Requesting additional information therefore causes
the questionnaire to become stuck in Pending Approval status, the associated control review cannot start,
and the control-based engagement risk assessment becomes stuck. Always either approve or deny the
questionnaire.
Results
If you are the final approver, the questionnaire status is now Approved or Denied. If not, the questionnaire remains
in Pending Approval status until the final approval or denial.
Prerequisites
The enhancements to engagement task management feature (ARI-6919) must be enabled in your site.
You can only assign control review tasks, and To Do tasks on supplemental engagement questionnaires, in control-
based engagement risk assessment projects. You cannot assign standalone To Do tasks, including the To Do task
for sending assessments.
To assign or reassign a control review task or a To Do task on a supplemental engagement questionnaire, you must
be a decision maker for the control (for control review tasks) or a task owner (for To Do tasks) or a member of the
Supplier Risk Engagement Governance Analyst group.
You can only assign a control review task if the control decision maker is a project group.
To be eligible to be assigned a control review task, you must be a member of the project group defined as its
decision maker. To be eligible to be assigned a supplemental engagement questionnaire as part of a To Do task, you
must be a member of the project group that owns the task.
If you are a control decision maker for a control review task or the owner of a supplemental engagement
questionnaire To Do task in an engagement project, or a member of the Supplier Risk Engagement Governance
Analyst group, you can assign or reassign the task. Task assignments allow task owners to ensure that the
individual who is in the best position to act on the task sees it in their Action queue (if that feature is enabled) and
is assigned the task on the engagement page.
You have the following options for assigning or reassigning these tasks:
Assign the task to yourself: You are the best person to act on the task.
Assign or reassign the task to another person: A task is not currently assigned to an individual person or is
assigned to you. You can assign or reassign it to another member of the project group that owns the task to
give them exclusive access to it. This option is useful when:
Reassign the task to the project group: A task is assigned to you. You can reassign it back to the entire
project group that owns the task so that any member of the group can act on it. This option is useful when:
• You have been assigned a task and don't know exactly who is in a better position to act on it.
• You are collaborating on a supplemental engagement questionnaire, have saved your own edits to it, and want to
let anyone in the group work on it next.
You can assign or reassign tasks from several pages, depending on the task type and your role.
Action queue *
* If this feature is enabled as described in Optional Features for Control-based Engagement Risk Assessments in Setting Up SAP
Ariba Supplier Risk.
Note
Control reviews are sometimes shared between engagements, and the decision maker group (and thus the list
of possible assignees) might differ between engagements. Therefore, while you can access a control directly
from the Action queue or the control list page, if those features are enabled, assigning or reassigning can only
be done when accessing the control review task directly from the engagement. This makes clear which users
are candidates to be assigned.
Procedure
For control review tasks, you can also click View or Review in the Risk controls area.
d. To assign the task to yourself, click Assign to me, enter an optional comment to explain the assignment,
and click OK.
e. To assign the task to another person or back to the project group, click Assign, choose the user or group,
enter an optional comment to explain the assignment, and click OK.
• To assign or reassign tasks from the engagement task list:
a. Click the Engagement Requests link on the Supplier Risk dashboard and locate the engagement.
b. Under My tasks/Group tasks, click the number of tasks assigned to you or to the project group to open
the engagement task list.
c. Locate the task you want to assign.
d. To assign a task to yourself:
1. Select the checkbox to the left of the task.
2. Choose Assign to me.
3. Enter an optional comment to explain the assignment, and click OK.
e. To assign the task to another person or back to the project group:
1. Select the checkbox to the left of the task.
2. Choose Assign.
3. Choose the user or group.
4. Enter an optional comment to explain the assignment, and click OK.
• To assign or reassign a To Do task from the Action Queue:
a. Click the Actions tile on the Supplier Risk dashboard and locate the action for this To Do task.
b. Click the To Do task name link.
c. To assign the task to yourself, choose Assign to me, enter an optional comment to explain the assignment,
and click OK.
Results
To Do task: If you assigned the task to yourself, you are now the only person who can act on it. If you assigned or
reassigned an individual person to a To Do task, they are now the only person who can act on it and they receive an
email notification letting them know about the assignment. If you reassigned the task back to the project group, all
members of the project group can now act on the task and they all receive an email notification telling them about
the reassignment.
Control review task: If you assigned the task to yourself, the task is assigned to you in the task list on the
engagement page. If you assigned or reassigned the task to another individual person, they now see the task as
assigned to them on the task list for the engagement, and they receive an email notification letting them know
about the assignment. If you reassigned the task back to the project group, they all receive an email notification
telling them about the reassignment.
• If your site has control review workflow enabled: Control review assignment to an individual is not exclusive.
Any member of the decision maker group for the control can act on it, whether assigned to an individual or to
the group.
• If your site does not have control review workflow enabled: Control review assignment to an individual is
exclusive. Only the assigned individual can act on the control review.
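The rules above, written as a small decision function that an access review can use to see where an individual assignment does not actually restrict who can act. This is an added illustration, not SAP Ariba code: the Task fields, function names, and sample users are hypothetical, and it assumes that a control review assigned to the whole group can be acted on by any group member.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

KINDS = {"todo", "control_review"}


@dataclass(frozen=True)
class Task:
    name: str
    kind: str                       # "todo" or "control_review"
    group: FrozenSet[str]           # project group that owns the task
                                    # (decision maker group for a control review)
    assignee: Optional[str] = None  # None = assigned to the whole project group


def who_can_act(task: Task, control_review_workflow: bool) -> Set[str]:
    """Return the users who can act on a task under the documented rules."""
    if task.kind not in KINDS:
        raise ValueError(f"unknown task kind: {task.kind}")
    # Only members of the owning project group are eligible assignees.
    if task.assignee is not None and task.assignee not in task.group:
        raise ValueError(f"{task.assignee} is not in the owning project group")
    # Assigned to the group: any member can act (assumption for control reviews).
    if task.assignee is None:
        return set(task.group)
    # Control review workflow enabled: individual assignment is not exclusive.
    if task.kind == "control_review" and control_review_workflow:
        return set(task.group)
    # To Do tasks, and control reviews without the workflow: exclusive.
    return {task.assignee}


def non_exclusive_assignments(tasks: List[Task],
                              control_review_workflow: bool) -> List[str]:
    """Names of tasks assigned to one person that other users can still act on."""
    return [
        t.name
        for t in tasks
        if t.assignee is not None
        and who_can_act(t, control_review_workflow) != {t.assignee}
    ]


# Constructed sample data, not taken from any real site.
GROUP = frozenset({"alice", "bob", "carol"})
SAMPLE = [
    Task("Supplemental questionnaire To Do", "todo", GROUP, "alice"),
    Task("Control review CTRL-A", "control_review", GROUP, "bob"),
    Task("Control review CTRL-B", "control_review", GROUP, None),
]

if __name__ == "__main__":
    for enabled in (True, False):
        print("control review workflow enabled:", enabled)
        for t in SAMPLE:
            print("  ", t.name, "->", sorted(who_can_act(t, enabled)))
        print("   non-exclusive:", non_exclusive_assignments(SAMPLE, enabled))
```
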
Related Information
Viewing and Managing Your Tasks for an Engagement Risk Assessment Project [page 154]
Optional Features for Control-based Engagement Risk Assessments
Prerequisites
To fill out and submit a supplemental engagement questionnaire, you must be an owner of its To Do task.
Your control-based engagement risk assessment process might use supplemental engagement questionnaires
in the engagement request phase, the phase where evidence collection starts, or the final approval phase. Your
organization might use these questionnaires for compliance, reporting, monitoring, confirmations that you have
performed tasks outside of SAP Ariba Supplier Risk, or for other purposes.
Depending on how the To Do task for filling out the questionnaire is set up, you might be the sole person assigned
to fill out the questionnaire, or you might be a member of a group that has been assigned to the task. In either
case, you can fill out the questionnaire and save or submit it. If you save the questionnaire, the To Do task remains
open and you or another task owner can complete it and submit it at another time. Submitting the questionnaire
completes the To Do task and starts any approvals for the questionnaire.
Procedure
1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, then click the
In Progress tile.
2. Locate the engagement and click its name.
3. In the Pending Tasks list, locate the To Do task for the supplemental questionnaire and click Start.
4. Fill out the questionnaire.
5. Perform one of the following actions:
Results
If you saved the questionnaire, the To Do task remains active. You or another task owner can click Start for the
questionnaire To Do task to continue filling out the questionnaire at any time. The task remains open to all task
owners, and the questionnaire remains editable, until a task owner submits it.
If you submitted the questionnaire, the To Do task is complete and the questionnaire is no longer editable. If there is
an approval task for the questionnaire, it starts now.
Next Steps
If an approver requests more information, you can edit the questionnaire again by clicking Start for its To Do task.
Context
Approving or denying a supplemental engagement questionnaire does not directly affect the status of the control-
based engagement risk assessment project, but it does reflect whether or not you find the answers acceptable. The
approval status of a supplemental questionnaire can factor into the approval or denial of an engagement request
or the overall engagement risk assessment project. With approvals for supplemental questionnaires, you can also
request more information from the respondents instead of approving or denying the questionnaire.
Procedure
1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, then click the
In Progress tile.
2. Locate the engagement and click its name.
3. In the Pending Tasks list, locate the approval task for the supplemental questionnaire and click Approve/
Deny.
4. On the approval task details page, review the questionnaire answers and perform one of the following actions:
• To approve the questionnaire, click Approve, enter an optional comment about your approval, and click
Confirm.
• To deny the questionnaire, click Deny, enter a comment about your denial, and click Confirm.
• To ask the respondent to provide more or different information, click Request more info, enter a comment
specifying your request, and click Confirm.
Results
If you denied the questionnaire, the approval flow stops. If you approved the questionnaire and you are not the
final approver, the approval flow continues. If you approved the questionnaire and you are the final approver, the
approval task completes. Any comments you added during approval show in the Approval history area of the
approval task details page.
Next Steps
Approvers and members of the Supplier Risk Engagement Governance Analyst group can change the approval
decision by resubmitting the approval under the following circumstances:
• For supplemental engagement questionnaires in the engagement request, trigger evidence collection and
controls, or final project approval phase, if the questionnaire is denied and the engagement risk assessment
project is not completed or canceled.
• For supplemental engagement questionnaires in the post-project approval phase, if your site uses one, if the
questionnaire is either approved or denied and the post-project approval phase is still in progress.
To resubmit a completed approval, on the Completed Tasks tab of the engagement page, click View to view the
approval task details, then click Resubmit. Resubmitting the approval task starts the approval flow over again from
the beginning. Once it is restarted, approvers can make a different approval decision or request more information
so that questionnaire To Do task owners can edit the questionnaire again.
Related Information
How to Fill Out and Submit a Supplemental Engagement Questionnaire [page 191]
Prerequisites
Any user who can view an engagement or a risk control can create an issue for it.
You can assign new issues to any member of the Supplier Risk User, Supplier Risk Manager, Supplier Risk
Engagement Requestor, Supplier Risk Engagement Analyst, or Supplier Risk Engagement Governance Analyst
groups.
The issue only includes a Residual Risk field if residual risk is set up in your site.
You can create an issue for a control-based engagement risk assessment project at any point from the time the
request is initially approved, except when it is in status Complete, Archive pending, or Archived.
You can create an issue for an individual risk control if it is required in at least one engagement request for the
supplier and if the control review task's status is active.
• If the control has not previously been reviewed for the supplier, the review task becomes active once
assessments are sent. It's at this point that the row for this control in the Risk controls section of the
engagement page shows a View or Review button.
• The control remains active from that point forward. You can raise an issue regardless of the control's status.
• The control would cease to be active if all engagements for this supplier that required this control were
Canceled or Archived.
Issue forms include a standard set of questions about the issue name, description, assignee, severity, and due date.
They might also include a question about the issue probability. However, the specific wording of these questions
and the other questions in the issue form are defined by your organization's issue management process.
Procedure
1. To start an issue for an engagement: open the engagement and in the upper right corner of the page, choose
Action > Create issue.
2. To start an issue for an individual risk control:
a. Open the control page.
• Open an engagement for which this control is required. In the Risk controls area, click View or Review
for the control.
• If your site has control review workflow enabled, you can open the control from the controls list page.
b. On the control page, click Create issue.
Note
For service-type controls: If your site has control review workflow enabled, the control details page
shows a list of services for the control. Locate the relevant service and in that row, click Action >
Create issue.
3. Enter information on the Create issue page as defined by the issue management project template.
4. Click Submit.
Results
Submitting the issue creates an issue management project in Draft status and starts its workflow. If your site has
set up residual risk ratings, the Residual Risk field [page 136] on the issue page shows the residual risk of the issue
based on the severity and probability you selected. Depending on your site's residual risk configuration, this issue
might also influence the Residual Risk shown on the engagement page.
You can view the issue, its process flow, and its tasks by clicking the Issues tile on the Supplier Risk dashboard or
by finding it in the Issues section on the engagement page. These actions show both engagement-level issues and
issues raised for specific controls.
Related Information
How to Review a Pending Control for Effectiveness Using the Control Review Page [page 228]
How to Define, Analyze, or Resolve an Issue for a Control-Based Engagement Risk Assessment [page 196]
The Control-Based Engagement Risk Assessment Process [page 114]
How to Add Approvers or Reviewers to a Legacy Engagement Risk Issue [page 325]
Viewing and Managing Control-Based Engagement Risk Assessment Projects [page 120]
The Issue Management Process for Risk Controls and Control-Based Engagement Risk Assessment Projects [page
117]
About Residual Risk for Control-Based Engagement Risk Assessments [page 136]
Prerequisites
If you are a task owner, reviewer, or approver for an issue task, but you don't otherwise have permission to work
with control-based engagement risk assessments, you can view and add comments to the issue, but you cannot
view the associated control-based engagement risk assessment project. Anyone who has permission to view the
issue can also view details for any of its completed tasks. To edit the issue, you must be either a member of its
Project Owner project group, an assignee, or a member of the Supplier Risk Engagement Governance Analyst
group.
If your organization's issue form uses access control to restrict who can edit specific sections of the issue form, you
must not only have permission to edit the issue but also have access to the section or sections you want to edit.
To complete an issue-related task, you must be a task owner (for To Do tasks) or be one of the users assigned to its
review or approval flow (for review and approval tasks).
The issue only includes a Residual Risk field if residual risk is set up in your site.
Your organization's issue management process [page 117] includes steps for raising the issue, defining and
analyzing it, proposing a resolution, and approving the resolution. Its tasks assign these steps to various relevant
stakeholders, who receive email notifications when their assigned tasks start. If you are assigned to a task for an
issue, and that task is currently active, you can click a button next to it in the Tasks table to complete it.
Your company's issue management process defines the owner of all issue management tasks before the issue is
assigned. After assignees are specified for the issue, they automatically become the owners of all of the issue's
incomplete tasks. The owner of a To Do task completes the task. The owner of an approval or review task is not
necessarily the approver or reviewer, unless they are also added explicitly to the approval or review flow; however,
the owner of an approval task can resubmit a denied approval task so that the approval flow restarts.
Depending on your role in the issue management process and your permissions, you might edit the issue to add
more information, correct existing information, add comments, attach a document such as a remediation plan or a
waiver, adjust the severity and probability (and therefore the residual risk), or assign the issue to another person at
your company before completing your task. Each task in the workflow must be completed before the next task can
start. The issue cannot close until all of its tasks are completed.
The issue page includes a process flow diagram that shows all of the tasks in the workflow, with color coding to
indicate tasks that have been completed. You can hover a mouse over any incomplete To Do task in the flow to see
its owner, and any incomplete approval or review task in the flow to see its currently active approver or reviewer.
If the site configuration parameter Require issue completion for final engagement project approval
(Application.SR.Engagement.RequireIssueCompletionForProjectApproval) is enabled in your site,
approvers cannot approve or deny an engagement risk assessment project until all associated issues have a status
of Resolved.
Procedure
The Comments area shows your new comment at the top of the comment list.
3. If you need to edit the issue and have permission to do so, perform the following actions:
a. At the top of the issue page, click Edit.
b. Add or modify information in any of the editable fields as needed.
• For a To Do task, click Mark Complete, then click Yes to confirm that you want to complete the task.
• For a review task, click Complete Review. On the Issue Task Detail page, enter any review comments you
might have, click Confirm Review Complete, and click Done to return to the issue page.
• For an approval task, click Approve/Deny. On the Issue Task Detail page, click Approve or Deny, enter
explanatory comments, click Confirm, and click Done to return to the issue page.
Results
The issue management process flow at the top of the issue page updates to show the completed task, and the
next task in the issue management workflow starts automatically. Users with permission to view the issue can click
View next to any completed task to view its details, which include any comments that reviewers or approvers added
when completing review or approval tasks.
If your task is the last for its phase of the issue management workflow, the next phase automatically starts, and the
status of the issue moves forward.
• Complete the final task in the Issue definition phase. Ends: Issue definition phase. Starts: Issue analysis
phase. Status: Open.
• Complete the final task in the Issue analysis phase. Ends: Issue analysis phase. Starts: Issue resolution
phase. Status: In Progress.
• Complete the final task in the Issue resolution phase. Ends: Issue resolution phase. Starts: Issue resolution
acceptance phase. Status: Resolved.
If your site has set up residual risk ratings and you specified or edited the issue severity or probability, the Residual
Risk field [page 136] on the issue page shows the residual risk of the issue based on the severity and probability
you selected or updated. Depending on your site's residual risk configuration, this issue might also influence the
Residual Risk shown on the engagement page.
If an approval task is denied and you are its owner, you can restart it by choosing Actions > Resubmit in
the Tasks area, clicking Resubmit on the Issue Task Detail page, entering any optional comments and clicking
Confirm Resubmit, and clicking Done. The approval flow then restarts, and approvers can reevaluate the issue and
either approve it this time or deny it again.
Related Information
The Issue Management Process for Risk Controls and Control-Based Engagement Risk Assessment Projects [page
117]
How to Raise an Issue for a Control-Based Engagement Risk Assessment or One of Its Risk Controls [page 194]
How to Add Approvers or Reviewers for an Issue in a Control-Based Engagement Risk Assessment Project [page
201]
The Control-Based Engagement Risk Assessment Process [page 114]
How to Manage Team Membership of the Assignee Project Group in an Issue Management Project [page 199]
Require issue completion for final engagement project approval [page 395]
Require issues for ineffective risk control decisions [page 396]
About Residual Risk for Control-Based Engagement Risk Assessments [page 136]
Prerequisites
The issue management project template in your site must include an Assignees project group.
If the site configuration parameter Enable assignee team management on issue projects
(Application.SR.IssueManagement.ManageIssueAssigneeTeam) is disabled, the button for managing the
assignee team isn’t available in the upper right corner of the issue page.
To add or remove team members in the issue assignee project group, you must already be a member of the
assignee or Project Owner project group in the issue management project.
You can add or remove any global user group or any member of the following groups from the issue assignee
project group:
Context
Issue assignees are typically responsible for analyzing and resolving the issues associated with control-based
engagement risk assessment projects or with their risk controls. They automatically have permission to view the
issue and to edit any parts of the issue form that aren't restricted by access control. They can also add or remove
other team members and system groups from the issue assignee group.
You can add or remove team members and global user groups from the assignee project group on the issue form.
Note
Members can't remove themselves (the currently logged in user), or the explicit issue assignee.
Adding or removing a global user group adds or removes only the group. Example: USER_A is individually a team
member of the assignee project group and is also a member of the GROUP_B global user group. If GROUP_B
is removed from the assignee project group, the individual team member, USER_A, isn't removed. Only the
GROUP_B global user group is removed.
Procedure
1. On the Supplier Risk dashboard, click the Issues link, then click the issue name.
2. In the upper right corner of the issue page, click Manage team.
Note
You won’t see the Manage team button if the issue management project template doesn’t have an
Assignees project group.
3. On the Manage team popup, click the pencil icon next to Assignee team, search for the people or global
user groups that you want to add to the assignee project group for the issue, and select them. Uncheck those
that you want to remove.
4. When you’re done, click Save and then Confirm.
Results
The team members and global user groups you added or removed in the issue assignee group receive email
notifications letting them know that they were added to or removed from the group. If they were added, they can
now view the issue, perform any tasks assigned to the group, edit any section of the issue form to which the group
is granted access, and add other team members to the issue assignee group.
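The removal rules from the note in this topic matter for access reviews: removing a global user group does not revoke access for anyone who is also listed individually or who belongs to another group on the team. The following added example (a hypothetical Python model, not SAP Ariba code or an SAP Ariba API) reports who still has access after a group is removed. The class and function names, the sample directory, and the treatment of the explicit assignee as a standing member are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample directory: global user group -> members (not real data).
DIRECTORY = {
    "GROUP_B": {"USER_A", "USER_C"},
    "GROUP_D": {"USER_C", "USER_E"},
}


class RemovalRefused(Exception):
    """Raised when a removal breaks one of the documented rules."""


@dataclass
class AssigneeTeam:
    """Hypothetical model of one issue's assignee project group."""
    explicit_assignee: str
    project_owners: set = field(default_factory=set)
    users: set = field(default_factory=set)    # members added individually
    groups: set = field(default_factory=set)   # global user groups added as a unit

    def access_paths(self, directory):
        """Map each user to every path that places them in the assignee group."""
        # Assumption: the explicit assignee always counts as a member.
        paths = {self.explicit_assignee: ["explicit assignee"]}
        for user in sorted(self.users):
            paths.setdefault(user, []).append("individual")
        for group in sorted(self.groups):
            for user in sorted(directory.get(group, ())):
                paths.setdefault(user, []).append("group:" + group)
        return paths

    def _check_actor(self, actor, directory):
        # Prerequisite: the actor is already in the assignee or Project Owner group.
        if actor not in self.project_owners and actor not in self.access_paths(directory):
            raise RemovalRefused(f"{actor} is not in the assignee or Project Owner group")

    def remove_user(self, actor, user, directory):
        """Remove an individually added member, enforcing the two documented limits."""
        self._check_actor(actor, directory)
        if user == actor:
            raise RemovalRefused("members can't remove themselves")
        if user == self.explicit_assignee:
            raise RemovalRefused("the explicit issue assignee can't be removed")
        self.users.discard(user)

    def remove_group(self, actor, group, directory):
        """Remove the group entry only; individual entries are left untouched.

        Returns the former group members who still have access, with the
        remaining path(s) that grant it, so a reviewer can see what the
        removal did not revoke.
        """
        self._check_actor(actor, directory)
        self.groups.discard(group)
        remaining = self.access_paths(directory)
        return {u: remaining[u] for u in sorted(directory.get(group, ())) if u in remaining}


def demo():
    """USER_A is listed individually and is also in GROUP_B, as in the note."""
    team = AssigneeTeam(
        explicit_assignee="USER_Z",
        project_owners={"USER_P"},
        users={"USER_A", "USER_Y"},
        groups={"GROUP_B", "GROUP_D"},
    )
    still_has_access = team.remove_group("USER_Y", "GROUP_B", DIRECTORY)
    return team, still_has_access


if __name__ == "__main__":
    _, leftover = demo()
    for user, paths in leftover.items():
        print(f"{user} keeps access via {', '.join(paths)}")
```

To revoke access completely for a person, remove their individual entry and every group entry that contains them.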
Prerequisites
To add approvers to an approval task or reviewers to a review task in an issue, you must be a member of the issue's
Project Owner group as defined in your site's issue management project template.
You can only add approvers or reviewers to an issue management task if there are no approvers or reviewers
defined for it in the project template.
Context
You can add either individual users or system user groups such as Supplier Risk Engagement Analyst as
approvers or reviewers. If you choose a user group, the first member of the group to respond reviews, approves, or
denies the issue. If you select multiple users or groups, they are all added as parallel nodes in the approval or review
flow and they must all approve or review the issue.
Procedure
• On the Supplier Risk dashboard, navigate to the Engagement Requests In Progress tile, click the name of
the engagement with which the issue is associated to open the engagement page, then click the flag icon
next to the engagement’s name and choose the issue name from the dropdown menu.
• If you are the person who created the issue, the assignee, or a member of the Supplier Risk Engagement
Governance Analyst group, on the Supplier Risk dashboard, click the Issues link, then click the issue
name.
2. In the Pending Tasks list, locate the approval or review task and click Add Approver or Add Reviewer.
3. Check the users and groups you want to add.
4. Click Update.
The users or user groups are added to the approval or review flow. The users and individual members of the groups
receive notifications letting them know that they must complete the task.
Related Information
Prerequisites
Your site must be set up to use the default method of calculating engagement residual risk. In sites configured
instead to calculate engagement-level residual risk by risk domain, there is no ability to change the engagement-
level residual risk manually. Residual risk values in these sites are automatically updated based on the issues,
findings, or effectiveness levels for controls associated with the engagement.
Residual risk in control-based engagement risk assessment projects must be set up in your site, and your site must
be configured to allow changes to the original residual risk rating.
To view the residual risk of an engagement, you must have permission to view that engagement.
To change the residual risk rating of an engagement project, you must be a member of its Project Owner project
group or of the Supplier Risk Engagement Governance Analyst global user group.
By default, you can edit the residual risk if the engagement has at least two associated issues or findings with
different residual risk ratings. Sites can also be configured to remove this restriction.
The residual risk for an engagement shows in the Residual Risk field in the Engagement Summary area of the
engagement page. This field only shows a value if the engagement has at least one associated issue with a risk
rating or a finding with a business impact value. An engagement can have an issue or finding because someone
has raised an issue or finding directly for the engagement or one of its controls, or because someone has raised an
issue or finding for one of its service- or vendor-level controls in another engagement. If the engagement does not
have any issues or findings, the Residual Risk field is blank.
If a residual risk value has been calculated for an engagement, and your site allows it, you can change the
engagement project's residual risk rating. The number of levels you can change the rating either up or down is
determined by your site's configuration. If the engagement does not yet have a residual risk rating, there is no way
to edit the Residual Risk field to set it manually.
Procedure
1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, then click the
In Progress tile.
2. Locate the engagement and click its name to open it.
3. Perform the following actions:
Results
On the engagement page, the Residual Risk field shows the rating you chose as the current residual risk rating for
the engagement project.
The residual risk change history records your change. You can click History to see the entire change history for the
residual risk rating of the current engagement project, including any related comments.
Related Information
About Residual Risk for Control-Based Engagement Risk Assessments [page 136]
Define the amount of change allowed for engagement residual risk ratings [page 359]
Restrict editing of residual risk ratings based on engagement issues [page 399]
About Engagement-Level Residual Risk
Prerequisites
If the site configuration parameter Require issue completion for final engagement project approval
(Application.SR.Engagement.RequireIssueCompletionForProjectApproval) is enabled in your site,
you cannot approve or deny an engagement risk assessment project until all associated issues have a status
of Resolved.
Context
Once control decision makers have reviewed all of the open controls associated with an engagement, it is in In
Progress status for the project approval phase.
The Approval Flow area of the engagement page includes decision nodes for all of its control reviews. If a control
is marked ineffective, the control decision maker might have raised an issue for it. You can review all of the issues
raised for the engagement and their resolutions in the Risk Issues area.
Depending on your organization's standards and processes, you might approve an engagement risk assessment
project with one or more ineffective controls if it merits an exception or has a related issue that is resolved to your
satisfaction.
Procedure
Results
If all of the approvers approve the engagement and there are no more tasks in the project approval phase, the
engagement moves to Completed status. If an approver denies the engagement, it moves to Request Denied
status.
Next Steps
If the engagement is denied but the engagement is not yet in Completed status because the project approval
phase includes tasks that have not yet been completed, and you are either an approver or a member of the
Supplier Risk Engagement Governance Analyst group, you can resubmit the approval. Resubmitting the approval
restarts the approval flow from the beginning so that approvers can make a different decision. To resubmit the
approval, on the engagement page, click View to open the approval task details page, then click Resubmit.
Related Information
Viewing and Managing Risk Controls Using the Control Details Page [page 208]
How to Change the Expiration Date of a Control Review Decision [page 214]
How to Review a Pending Control for Effectiveness Using the Control Details Page (Two Levels) [page 215]
How to Review and Set the Effectiveness Level for a Risk Control or Service (Five Levels) [page 219]
How to Review a Pending Control for Effectiveness Using the Control Review Page [page 228]
The Controls list page is a central place for viewing and interacting with risk controls. Tabs list all controls for which
the current user is a decision maker and the subsets of controls requiring action from the current user or a decision
maker group to which they belong.
The Controls tile and list page apply to sites in which the Action queue and periodic review of risk controls are
enabled. In sites where those features are not enabled, decision makers access controls via the engagements in
which they are required. For more information on the required setup, see Setting Up Control Review Workflow in
Setting Up SAP Ariba Supplier Risk or Setting Up Control Review Workflow.
The Controls tile on the Supplier Risk dashboard shows the number of controls for which you belong to the
decision maker group. Clicking on the Controls tile takes you to the Controls list page.
Here you can see the expiration date, status, and other information about each control.
• All: shows all controls for which you belong to the decision maker group
• My actions: shows all control actions assigned specifically to you
• Group actions: shows all controls needing action, for which a user group to which you belong has
decision-making responsibility
Use the Refresh link to update the list. For example, a control's status may have changed while you have been
reviewing the page.
You can show or hide columns on this page using the table-column icon at upper right, next to the Refresh link.
Column | Description
Click the name link to display the control detail page [page 208] for this control.
Expiration date | Expiration date for the control review decision. If it does not have an expiration date, the phrase No date set appears here.
Review decision | For Vendor- or Engagement-type controls, this shows the decision or, if there is no decision, the status:
Risk type | From the risk control definition. In sites set up to calculate residual risk by risk domain, the Risk type associated with a control is its risk domain.
Regulator mandate | Yes or No: whether this risk control addresses a regulatory requirement.
Related Information
Viewing and Managing Risk Controls Using the Control Details Page [page 208]
How to Review a Pending Control for Effectiveness Using the Control Details Page (Two Levels) [page 215]
The control details page collects in one location both summary and usage information for a control. From this page
you can take needed action on the control, such as providing a review decision, extending its expiration date, or
resending assessments to the supplier.
Prerequisites
As a member of its decision maker group, you can access the detail page for a control in several ways:
• From the Controls list page [page 206], click on the name of the control.
• From the Action Queue, click on the name of a control that requires action.
• From the engagement page:
• In the Tasks area: click Start to work on a control review task.
• In the Controls area: click View or Review to work with the control for that row.
• From the engagement task list:
1. On the engagement list page, click on the My tasks or Group tasks link.
2. Find the relevant control review task and use the Action icon at right to choose View this task or Start this
task.
The top of the page shows summary information about the control. The lower portion shows additional information
depending on the type of control.
Activities
The actions you can take from this page depend on the control type and its state: whether the control review
decision is expired or about to expire, for example, and whether it already has or needs a decision.
Reopen the control review | Use when the control review is expired or soon to expire, to make it available for re-review. Can also be done as needed outside of the periodic review cycle, for any Completed control review. | Choose Action > Reopen control review or click the reopen link in the reminder message above the control's header information. As part of this action, you can optionally resend all assessments.
Change the expiration date for the control review | When the control review is not Waiting for response or Pending | Choose Action > Change expiration date. If the control review is expired or soon to expire: you can also click the set a new expiration date link in the reminder message above the control's header information.
Mark the control Effective or Ineffective | When the control review is available for a decision, and the site is configured for two levels of control effectiveness. If waiting for a supplier's assessment response, for example, this would not be possible. An expired control review must first be reopened to make it available for a decision. | From the Action dropdown, choose Mark as effective or Mark as ineffective. For a vendor- or engagement-level control, you can specify an expiration date as part of this action. To change the expiration date of a service-level control, use Action
Set the effectiveness level for a control or service | When the control review is available for a decision, and the site is configured for expanded levels of risk control effectiveness. | From the Action dropdown, choose Set effectiveness level. For a vendor- or engagement-level control, you can specify an expiration date as part of this action.
Skip the control review | When the control review is available for a decision, and the site is configured to allow skipping a control review. | From the Action dropdown, choose Skip control review. This displays a dialog where you can choose a reason for skipping and optionally attach a supporting document.
Create an issue for a control or service within a control | When the risk control is required in at least one engagement request for the supplier and the control has a review task, and the site is configured to use issue management projects | For a vendor- or engagement-level control, choose Action > Create issue to open the Issue definition page. For a service-level control, use the Action dropdown in the Services detail section of the page.
Create a finding for a control or service within a control | When the risk control is required in at least one engagement request for the supplier and the control has a review task, and the site is configured to use findings instead of issues | For a vendor- or engagement-level control, choose Action > Create finding. For a service-level control, use the Action dropdown in the Services detail section of the page.
Review the control's Residual Risk rating in the summary area of the page | Residual Risk is shown here if: • Your site is configured to calculate residual risk by risk domain • You access this page from the en- | Display of the Residual risk field depends on the residual risk calculation method. • If using the Control Effectiveness
Multiple tabs allow you to see additional information about a vendor- or engagement-level control.
Issues or Findings | Issues and findings associated with this control, including the due date, status, and assignee for each. The tab's label depends on whether the findings feature is enabled in your site. If both issues and findings exist, both are shown. | Click the issue or finding Title link to navigate to the corresponding detail page.
History | Lists the history of decision maker actions related to this control, for example: • Mark as effective • Change expiration date | View a history of actions taken for this risk control.
Engagements (Vendor-level controls only) | Engagements for this supplier that require this risk control. Shows detail such as the Owner, requestor, and current status of the engagement. | Click an ID link to navigate to the engagement page for one of the engagements.
Service-level controls
For these controls, you see a list of included services followed by information about the control's underlying
assessments.
Services | A list of services for this control. Shows the current review decision, if there is one, and other service-specific details for each service. | View issues or findings related to a specific service, by clicking the link in the Issues or Findings column. View engagements to which this service applies, by clicking the link in the Engagement column.
Related Information
A decision maker can change the expiration date for a control review.
Prerequisites
The control details page, where you change the expiration date, applies only to sites in which periodic review of risk
controls is enabled.
To change the expiration date of a control review, you must be specified as a decision maker for the control in the
control definition master data for your site.
Context
You can change the expiration date for a control review in status Completed, Expiring soon, or Expired.
Procedure
The Control details page opens. The top of this page shows the name of the control with a status badge to
the right. The upper portion of the page shows summary information about the risk control. The lower portion
• If the control is Expired or Expiring soon, a message near the top of the page offers links allowing you to
reopen it or to set a new expiration date. Click the link for set a new expiration date.
• Choose Action > Change expiration date.
Related Information
Prerequisites
To review a pending control and mark it as effective or ineffective, you must be specified as a decision maker for the
control in the control definition master data in your site.
The control details page applies to sites in which periodic review of risk controls is enabled: the parameter Enable
control review workflow (Application.SR.Engagement.EnableControlReviewWorkflow) is set to Yes. In
sites where that feature is not enabled, decision makers use the Control review page [page 228] instead.
Context
• If the supplier has submitted an initial response to one of its associated questionnaires, or the control includes
internal assessments. This could be true for a new engagement request or when a control is added to an
engagement via change request or a periodic or ad hoc review.
• If the supplier has updated one of the control's underlying assessments. The assessment might have expired,
the buyer might request an update for some other reason, or the supplier might have updated an "always
open" assessment.
• When a decision maker reopens a control review that is Completed, Expiring soon, or Expired.
• For an engagement-level control:
• In each new engagement request
• When a significant change is made via advanced edit, change request, or review.
• For a service-level control: if at least one of its services was not included in a prior review
Reviewing a pending control for effectiveness involves reviewing the answers to the approved questionnaires
and marking the control or services as effective or ineffective based on those answers. Depending on how your
organization sets up and manages risk controls, you might be the decision maker for one or more controls; one
control might use one or more questionnaires; and one or more controls might include the same questionnaires.
A review for a vendor- or service-level control might be pending in multiple engagement risk assessment projects
at the same time. If it is, you can review it from any project where it is pending. Since different engagement risk
assessment projects can have different combinations of services for the same service-level control, however, you
might have to complete a service-level control review in a specific engagement risk assessment project to review all
of its services.
A decision maker for a control needing review can also access it from the Action queue or from the controls list
page [page 206], if the control review workflow feature is enabled.
Your organization might use issues or findings to document the process of arriving at an ineffective decision for a
control. Depending on your site's configuration, if you try to mark a control as ineffective and it does not already
have at least one issue or finding associated with it, you might see a warning, or you might be required to create
one before you can mark the control as ineffective.
Procedure
The Control details page opens. The top of this page shows the name of the control with a badge to the right
indicating its status. The upper portion of the page shows summary information about the risk control. The
lower portion displays further detail (assessments, issues, engagements, history of the control) depending
on the type of control and how you accessed the page. For service-level controls, it lists each of the relevant
control services.
Note
For a service-type control, the list of services may differ depending on how you accessed the control details
page.
• From an engagement: all services for that control that are relevant to that engagement.
• From the controls list page or Action queue: all services for that control.
2. To review the underlying assessments for the control: On the Assessments tab, click the expand icon to the
left of an assessment name, to see questions and responses.
Tip
An assessment with a new response shows a blue dot to the left of the questionnaire name.
If your site is configured to allow this and the assessment does not yet have a response, you can choose to Skip
the response. This allows the engagement workflow to move forward without a response to this assessment.
3. (Optional) To create an issue or finding:
• Vendor- or engagement-level controls: Click Create issue or Create finding in the top right corner of the
page.
• Service-level controls: In the row for the specific service to which the issue applies, open the Action
dropdown and choose the Create issue or Create finding option.
Note
Your site may be configured to require an issue or finding when marking a control or service as Ineffective.
In this case, if no issue or finding currently exists, you must create one before you can proceed.
Note
If control decision makers are reviewing a control that includes the same service in two different
engagement risk assessment projects, when the decision maker marks the service as effective or
Results
For engagement- and vendor-level controls, the Review decision field now shows the new decision for this control.
For service-level controls, it shows the status of Completed if all services have effectiveness decisions.
On the engagement page, the Approval Flow area shows effective controls in green and ineffective controls in
yellow.
After control owners have reviewed all of the pending controls in an engagement risk assessment project and
marked them as effective or ineffective, tasks related to final approval for the engagement start.
If the control is pending in multiple engagement risk assessment projects, those projects update to show the
control effectiveness status and the completed date for the review. In cases where the control review you just
completed was also the final pending control review for another engagement risk assessment project, tasks related
to final approval for that engagement also start.
Next Steps
To re-review a completed control to change your effectiveness decision, first reopen the control review [page 226].
Related Information
In a site configured for five levels of control effectiveness, use the control details page to review a pending risk
control assigned to you and set its effectiveness level. These effectiveness decisions help approvers determine the
level of risk this engagement poses to the organization, and whether to approve it.
Prerequisites
To set the effectiveness level for a risk control, you must be specified as a decision maker for the control in the
control definition master data in your site.
Your site must have the control review workflow feature enabled.
Your site must have the expanded levels of risk control effectiveness feature enabled.
Context
In a control-based engagement risk assessment project, each control has one or more assessment questionnaires.
Each assessment questionnaire is a separate modular supplier management questionnaire that might have its own
approval process. You only review a control for effectiveness once all of its associated questionnaires are approved.
• If the supplier has submitted an initial response to one of its associated questionnaires, or the control includes
internal assessments. This could be true for a new engagement request or when a control is added to an
engagement via change request or a periodic or ad hoc review.
• If the supplier has updated one of the control's underlying assessments. The assessment might have expired,
the buyer might request an update for some other reason, or the supplier might have updated an "always
open" assessment.
• When a decision maker reopens a control review that is Completed, Expiring soon, or Expired.
• For an engagement-level control:
• In each new engagement request
• When a significant change is made via advanced edit, change request, or review.
• For a service-level control: if at least one of its services was not included in a prior review
Reviewing a pending control for effectiveness involves reviewing the answers to the approved questionnaires and
setting an effectiveness level based on those answers. Depending on how your organization sets up and manages
risk controls, you might be the decision maker for one or more controls; one control might use one or more
questionnaires; and one or more controls might include the same questionnaires.
A review for a vendor- or service-level control might be pending in multiple engagement risk assessment projects
at the same time. If it is, you can review it from any project where it is pending. Since different engagement risk
assessment projects can have different combinations of services for the same service-level control, however, you
A decision maker for a control needing review can also access it from the Action queue or from the controls list
page [page 206].
Your organization might use issues or findings to document the process of arriving at an ineffective decision for a
control. Depending on your site's configuration, if you try to mark a control as Completely ineffective and it does
not already have at least one issue or finding associated with it, you might see a warning, or you might be required
to create one before you can mark the risk control as Completely ineffective.
Procedure
The Control details page opens. The top of this page shows the name of the control with a badge to the right
indicating its status. The upper portion of the page shows summary information about the risk control. The
lower portion displays further detail (assessments, issues, engagements, history of the control) depending
on the type of control and how you accessed the page. For service-level controls, it lists each of the relevant
control services.
Note
For a service-type control, the list of services may differ depending on how you accessed the control details
page.
• From an engagement: all services for that control that are relevant to that engagement.
• From the controls list page or Action queue: all services for that control.
2. To review the underlying assessments for the control: On the Assessments tab, click the expand icon to the
left of an assessment name, to see questions and responses.
Tip
An assessment with a new response shows a blue dot to the left of the questionnaire name.
Note
Your site may be configured to require an issue or finding when marking a control or service as Completely
ineffective. In this case, if no issue or finding currently exists, you must create one before you can proceed.
4. To set the effectiveness level for a control review decision for a vendor- or engagement-level control:
a. In the top right corner of the page, click Action and choose Set effectiveness level.
b. Choose one of the options for the effectiveness level.
Note
If your organization requires at least one issue for controls that are marked as Completely ineffective:
if you select that option and the control doesn't already have an issue, you must create one now, before
you can proceed. Choose Create issue; submitting the issue will bring you back here to finish.
Note
If control decision makers are reviewing a control that includes the same service in two different
engagement risk assessment projects, when the decision maker chooses an effectiveness level, both
engagement pages show that decision. This is true regardless of how you accessed the control. Keep in
mind, however, the possible differences in the list of controls noted in Step 1.
Note
If your organization requires at least one issue for controls that are marked as Completely ineffective:
if you select that option and the service doesn't already have an issue, you must create one now, before
you can proceed. Choose Create issue; submitting the issue will bring you back here to finish.
For engagement- and vendor-level controls, the Review decision field now shows the new decision for this control.
For service-level controls, it shows the status of Completed if all services have effectiveness decisions.
After control owners have reviewed all of the pending controls in an engagement risk assessment project and either
set an effectiveness level for or (if this feature is enabled) skipped them, tasks related to final approval for the
engagement start.
If the control is pending in multiple engagement risk assessment projects, those projects update to show the
control effectiveness status and the completed date for the review. In cases where the control review you just
completed was also the final pending control review for another engagement risk assessment project, tasks related
to final approval for that engagement also start.
Next Steps
To re-review a completed control to change your effectiveness decision, first reopen the control review [page 226].
Related Information
Prerequisites
To skip an assessment response, you must be specified as a decision maker for the control in the control definition
master data for your site.
The ability to skip an assessment response applies to sites in which this feature is enabled. An
administrator must set the parameters Allow decision maker to skip an assessment response
Context
You can skip an assessment response from the control details page.
Procedure
1. Access the control from the engagement, engagement task list, controls list page, or Action queue.
2. On the control details page, navigate to the Assessments tab (for a vendor- or engagement-level control) or
scroll down to the Assessments area (for a service-level control). A Skip button displays for any assessment
waiting for a response.
Note
If the assessment is set up for imported responses, you cannot skip it. In this case, the Skip button does
not display.
3. To the right of the assessment name, click Skip. This displays the Skip assessment response dialog.
4. Enter a Comment with additional information.
5. (Optional) Click Browse to find and attach a document supporting your decision to skip this assessment
response.
6. (Optional) You may want to use Action > Change expiration date to set an expiration date for the
corresponding risk control. A skipped assessment has no expiration date to use as a default for the control's
expiration date.
Results
Skipping an assessment response is treated the same as receiving a response, in terms of completing the
prerequisites to starting the control review task. For example, if all other underlying assessments for this risk
control have responses, and then this last one is skipped, the next phase of the engagement request workflow can
start.
The assessment's Skipped response history link shows a record of the activity and a link to any attached
document.
Members of the Project owner project group receive the Project state update notification. A skipped assessment
is treated as canceled so the notification indicates the questionnaire has been canceled.
If the modular questionnaire is defined to be Always open, skipping the assessment overrides this definition. The
assessment is Canceled.
Engagement page: The skipped assessment displays in the Risk assessments area with a Status of Skipped.
Next Steps
You can re-request a skipped assessment response by reopening the corresponding risk control, and choosing to
resend all assessments as part of that process. The recipient can then respond to the assessment, or the decision
maker can once again skip the assessment response.
Note
When reopening a control with a skipped assessment, the parameter Reuse respondent answers when
resending assessments (Application.SR.Engagement.ReuseAnswersWhenResendingAssessments)
does not influence the behavior for the skipped assessment. There are no prior answers to reuse because
the assessment was skipped.
You cannot use Request Update to request an updated response because a canceled assessment has no
questionnaire details page.
Note
After a control review or an assessment response has been skipped, a new engagement activity, such as a
change request or a new engagement request, might require the same control and assessment for this supplier.
The reuse behavior for the new engagement activity depends on their previous statuses. The table below shows
several examples of control and assessment statuses before and the results after sending assessments for the
new activity.
Control (Before) Assessment (Before) Reuse Behavior Control (After) Assessment (After)
When it's not possible to judge the effectiveness of a control based on the available evidence, a decision maker
can skip the control review. This allows the control review task to complete without the decision maker setting an
effectiveness level.
Prerequisites
To skip a control review, you must be specified as a decision maker for the control in the control definition master
data for your site.
The ability to skip a control review applies to sites in which this feature is enabled.
An administrator must set the parameters Allow no-effectiveness option for control review
(Application.SR.Engagement.AllowNoEffectivenessOptionForControlReview) and Enable control
review workflow (Application.SR.Engagement.EnableControlReviewWorkflow) to Yes.
Context
You can skip a control review in any situation when entering a decision is an option.
Procedure
1. Access the control from the engagement, engagement task list, controls list page, or Action queue.
2. To skip a control review decision for a vendor- or engagement-level control:
a. In the top right corner of the page, click Action and choose Skip control review.
b. Use the dropdown to select a Reason for your decision.
c. Enter a comment with additional information.
d. For Review again? choose Yes or No, indicating whether a decision maker should re-review the skipped
control review in the future.
• If Yes, enter a date for Expires on. This expiration date triggers a Control review expiration action on
the Action queue when the skipped control review expires or is approaching expiration.
• If No, the skipped control review does not expire, so the Expires on date field is not shown.
e. (Optional) Click Browse to find and attach a document supporting your decision to skip this control review.
3. To skip a control review decision for a service-level control:
a. For the service whose control review you want to skip, choose Action > Skip control review.
Note
If control decision makers are reviewing a control that includes the same service in two different
engagement risk assessment projects, when the decision maker skips the control review for the
Tip
There is no option to mark the skipped control review for a service as not requiring re-review. To change
the expiration date for a service-level control, choose Action > Change expiration date at the control
level.
Results
The control's History tab shows a record of the activity and a link to any attached document.
The skipped control review displays in the Risk controls areas of the supplier 360° profile and the engagement
page with a Status of Skipped.
Skipping a control review is treated as completing the control review task, in the same way as setting an
effectiveness level. For example, if the control review just skipped represents the last required control review for an
engagement request, the next phase of the engagement request workflow can start.
If the skipped control review has an expiration date, the Action queue calls attention to its expiration in the same
way that other control review decisions expire. A Control review expiration action appears on the Action queue
when the skipped control review decision is Expiring soon or Expired. The decision maker can then reopen the
control review and either set an effectiveness level or once again skip the control review.
When the effectiveness status of a control or service is no longer applicable, reopen the control review to make it
available for a new decision. This process can optionally include resending all assessments.
Prerequisites
To reopen a control review, you must be specified as a decision maker for the control in the control definition
master data for your site.
The control details page and the reopening process apply to sites in which periodic review of risk controls is
enabled. In sites where that feature is not enabled, decision makers instead use the control review page [page 232]
to change review decisions.
• Expired: the control review is beyond its expiration date. A control's expiration date defaults to the earliest
expiration date amongst its underlying assessments.
• Expiring soon: it is within a configured number of days of its expiration date. Find this configuration setting on
the Control review tab of the Configure periodic reviews page.
• Complete: for another reason, you need to revisit the effectiveness decision, based on the existing evidence or
by collecting new evidence.
When reopening a control, you can optionally resend all assessments. You might want to do this if at least one of
the assessments has expired, but you can also resend even if none of them has.
Remember
For a service-type control, the list of services may differ depending on how you accessed the control details
page:
• From an engagement: all services for that control that are relevant to that engagement.
• From the controls list page or Action queue: all services for that control.
• The Action queue, if the control is Expired or Expiring soon and the Control review expiration action is
assigned to you or to a decision maker group to which you belong
Procedure
• An engagement:
1. Click Engagement Requests on the Supplier Risk dashboard or in a supplier 360° view.
2. Locate the engagement and click its name.
3. In the Risk Controls area, for the control you want to reopen, click View.
• The controls list page: On the Supplier Risk dashboard, click the Controls tile, locate the control, and
click its name.
• The Action queue:
1. On the Supplier Risk dashboard, click the Actions tile.
2. Locate the relevant Control review expiration action and click the link for the name of the control.
The Control details page opens. The top of this page shows the name of the control with a badge to the right
indicating its status. The upper portion of the page shows summary information about the risk control. The
lower portion displays further detail (assessments, issues, engagements, history of the control) depending
on the type of control and how you accessed the page. For service-level controls, it lists each of the relevant
control services.
• If the control is Expired or Expiring soon, a message near the top of the page offers links allowing you to
reopen it or to set a new expiration date. Click the reopen link.
• Choose Action > Reopen control review.
Related Information
Prerequisites
To review a pending control and mark it as effective or ineffective, you must be specified as a decision maker for the
control in the control definition master data in your site.
The control review page applies specifically to sites in which periodic review of risk controls is not enabled. In sites
where that feature is enabled, decision makers use the control details page [page 215] instead.
In a control-based engagement risk assessment project, each control has one or more assessment questionnaires.
Each assessment questionnaire is a separate modular supplier management questionnaire that might have its own
approval process. You only review a control for effectiveness once all of its associated questionnaires are approved.
• The supplier has submitted initial responses to its associated questionnaires, or the control includes internal
assessments. This could be true for a new engagement request or when a control is added to an engagement
via change request or a periodic or ad hoc review.
• The supplier has updated one of the control's underlying assessments. The assessment might have expired,
the buyer might request an update for some other reason, or the supplier might have updated an "always
open" assessment.
• For an engagement-level control:
• In each new engagement request
• When a significant change is made via advanced edit, change request, or review.
• For a service-level control: if at least one of its services was not included in a prior review
Reviewing a pending control for effectiveness involves reviewing the answers to the approved questionnaires
and marking the control or services as effective or ineffective based on those answers. Depending on how your
organization sets up and manages risk controls, you might be the decision maker for one or more controls; one
control might use one or more questionnaires; and one or more controls might include the same questionnaires.
A review for a vendor- or service-level control might be pending in multiple engagement risk assessment projects
at the same time. If it is, you can review it from any project where it is pending. Since different engagement risk
assessment projects can have different combinations of services for the same service-level control, however, you
might have to complete a service-level control review in a specific engagement risk assessment project to review all
of its services.
Your organization might use issues to document the process of arriving at an ineffective decision for a control.
Depending on your site's configuration, if you try to mark a control as ineffective and it does not already have at
least one issue associated with it, you might see a warning, or you might be required to create an issue for the
control before you can mark it as ineffective.
Procedure
The Control review page opens. This page, labeled Control review at the top, shows information about the
risk control and the associated approved assessment questionnaires submitted for the engagement's supplier.
For service-level controls, it lists each of the control services that are included in the current engagement risk
assessment project.
2. Click Review to the right of any assessment questionnaire to view its answers.
Note
An assessment for which the status was imported does not show a Review button because the underlying
assessment is not stored in SAP Ariba Supplier Risk.
Note
If your organization requires at least one issue for controls that are marked as Ineffective: if you select
that option and the control doesn't already have an issue, you must create one now, before you can
proceed. Choose Create issue; submitting the issue will bring you back here to finish.
Note
A service-level control review is not complete until you click Complete Review. You can change any
decisions from the current control review until you complete the review, at which point the decisions
are final. If control decision makers are reviewing a control that includes the same service in two
different engagement risk assessment projects, when the decision maker marks the service as effective or
Results
The control you reviewed now has a status of Completed. The decision history shows your effectiveness decision
and comment.
On the engagement page, the Approval Flow area shows effective controls in green and ineffective controls in
yellow. For service-level controls, if you marked at least one of the services as ineffective, the overall control shows
as ineffective.
After control owners have reviewed all of the pending controls in an engagement risk assessment project and
marked them as effective or ineffective, tasks related to final approval for the engagement start.
If the control is also pending in any other engagement risk assessment projects, those projects update to show the
control effective status and the completed date for the review. In cases where the control review you just completed
was also the final pending control review for another engagement risk assessment project, tasks related to final
approval for that engagement also start.
Next Steps
You can edit the comment for the most recent effectiveness decision on a control. On the engagement page, click
View to view the control review, then click Edit Comment next to the comment.
You can also re-review a completed control to change your effectiveness decision [page 232].
Related Information
Prerequisites
To re-review a control and change its effectiveness status, you must be specified as a decision maker for the control
in the control definition master data for your site.
You can re-review a completed control in any engagement risk assessment project that uses the control.
The control review page applies specifically to sites in which periodic review of risk controls is not enabled. In
sites where that feature is enabled, the decision maker instead reopens the control review [page 226] to allow for
changing the decision.
Context
Re-reviewing a control for effectiveness involves reviewing the answers to the approved questionnaires and the
current effectiveness status and, if necessary, changing the status.
A completed vendor- or service-level control might be required in more than one engagement risk assessment
project. If it is, you can re-review it from any project where it is required. Since different engagement risk
assessment projects can have different combinations of services for the same service-level control, however, you
might have to re-review a service-level control in a specific engagement risk assessment project to re-review a
particular service.
Procedure
1. Click the Engagement requests tile on the Supplier Risk dashboard, locate an engagement that uses the
completed control, and click its name.
Tip
You can run the Risk Control Summary report to see which engagement risk assessment projects use
specific controls.
2. Click View for a specific control in the Risk controls area of the engagement page.
The Control review page opens. This page, labeled Control review at the top, shows information about the
risk control and the associated approved assessment questionnaires submitted for the engagement's supplier.
For service-level controls, it lists each of the control services that are included in the current engagement risk
assessment project.
Note
An assessment for which the status was imported does not show a Review button because the underlying
assessment is not stored in SAP Ariba Supplier Risk.
Note
If changing from Effective to Ineffective, remember to create an issue if the control doesn't already
have one and your organization requires this. Choose Create issue; submitting the issue will bring you
back here to finish.
Note
If changing from Effective to Ineffective, remember to create an issue if the service doesn't already
have one and your organization requires this. Choose Create issue; submitting the issue will bring you
back here to finish.
Results
The control shows the updated Effective or Ineffective status in each engagement risk assessment project where
it is required. The decision history includes the latest effectiveness decision.
Related Information
About Opening an Engagement for Which a Change Request Is in Progress [page 234]
How to Change a Live Engagement Request by Processing a Change Request [page 235]
How to Approve or Deny a Change Request with Significant Changes (Final) [page 245]
If an engagement is undergoing a change request, your choice to open the engagement may trigger a navigation
choice depending on your role and permissions in the engagement.
An engagement with a change request in process is listed in the Completed area of the engagements dashboard
and has a status of Change request: [status]. When, as a user with some authorization to view or work with the
engagement, you click on the name link, the result depends on the state of the change request (in draft or already
submitted) and your global and engagement-specific permissions.
If the change request is in Draft status, the engagement's status shows as Change Request: Draft.
• The creator or the on behalf of user for the change request can re-open it. These users see a dialog where they
can choose to continue editing the draft change request, or open the summary page for the live engagement, in
view-only mode.
• Other users land on a view-only engagement summary page. An indicator at the top of the page notes that a
change request is in process.
If the change request has already been submitted, its status shows as Change Request: [phase name] - In
Progress. In this case, all users see a choice dialog. You can navigate to the ongoing Change Request or the
current Live Version of the engagement.
• Choosing Change Request brings up the engagement page with the indicator Change Request in Progress
displayed at the top. Actions you can take on this page depend on your permissions and role in the
engagement.
If a submitted change request is currently being edited, the engagement's status shows as Change Request: In
Edit.
• The original editor of the change request can re-open it. These users see a dialog where they can choose to
continue editing the change request, or open the engagement page for the currently active change request.
Possible actions depend on the user's permissions and role in the engagement.
Tip
The editor can also access the live version of the engagement:
1. Choose the option to view the current active change request.
2. From the engagement page, click the View history link. The version history includes a link to the live
version of the engagement.
• Other users see a choice between navigating to the Change Request or the Live Version.
• Choosing Change Request brings up the engagement page with the indicator Change Request in
Progress displayed at the top. While the change request is In Edit, due diligence activities associated with
the change request workflow can continue. Actions you can take on this page depend on your permissions
and role in the engagement.
• Choosing Live Version displays the current live version of the engagement. Because there is a change
request in progress, this page is view-only for all users.
Prerequisites
You have configured a change request workflow in the Supplier Risk Engagement Template as described in Optional
Features for Control-based Engagement Risk Assessments and Phases and Tasks for Control-Based Engagement
Risk Assessment Projects in Setting Up SAP Ariba Supplier Risk.
• You are a member of the Project Owner project group, and you belong to the Supplier Risk Engagement
Requester user group.
• The engagement project you want to change is in Completed status, meaning all required due diligence and
approvals were completed successfully.
• If an earlier change request was canceled, the engagement is shown on the Completed list. Such an
engagement is eligible for a new change request.
• If the engagement has a change request that was Denied, the engagement is shown on the Completed list
with a status like Change Request: [phase name] - Denied. In this case you can
Context
Change request workflow mirrors similar phases of the engagement request process.
• To change an engagement request before final approval, use the editing process (Action > Edit request).
• To change a live engagement project (a project from the Completed list on the engagements dashboard), use
the change request process (Action > Change request).
The following steps assume that a change request is not already in progress.
Procedure
1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the
Completed tile, locate the engagement, and click its name.
2. In the upper right corner of the engagement page, choose Action > Change request.
3. A confirmation message requires entry of Reason text. Optionally you can also specify another user on whose
behalf you are creating the change request. Then choose OK to continue. Both the creator and any on behalf
of user are added to the Change Request Owners project group.
4. The change request editing pages allow you to request changes to attributes, business details, or screening
question responses for the engagement project. Use the Next and Back buttons to navigate to different steps
of the change request and edit information as needed.
• Changes to business details may cause screening questions to be added or removed. When you click Next
after making such changes, business detail changes are saved and the number of questions added and
removed is noted on the Inherent Risk Screening Questions page.
• Changed answers to the Inherent Risk Screening Questions may cause risk controls to be added or
removed. When you click Next after making such changes, changes are saved and the number of controls
added and removed is noted on the supplier selection page.
• The supplier selection page is displayed, but you cannot use a change request to change the supplier for a
live engagement.
• Each section of the Review Request page highlights additions and changes.
5. If you need to exit a change request before submitting it, you can:
• Choose Save at any point to save your changes without submitting. The request is included in the
engagement request Completed tile, with status Change Request: Draft. The creator or the on behalf
of user for the change request can re-open it, with a choice to continue editing the change request or to
open the engagement summary page for the live version of the engagement.
• Choose Revert Change to delete the change request and undo all changes associated with it. If you click
OK to the confirmation message, the engagement request reverts to the current live version, its state
before the change request was started.
Results
• If there are significant changes, the change request initial approval and change request final approval phases
are activated.
• If there are no significant changes, but some changes are insignificant requiring approval, only the change
request initial approval phase is activated.
• If the only changes are insignificant:
• If the change request was previously denied, the change request initial approval task is reactivated.
• If this is not a resubmit of a denied change request, the change request is automatically approved. This
triggers creation of a new version of the live engagement project, incorporating the changes.
Depending on the changes and your organization's control-based engagement risk assessment process,
appropriate downstream tasks are activated and corresponding notifications are sent. For details of results when
an approval task is approved or denied, see How to Approve or Deny a Change Request (Initial) [page 243] or How
to Approve or Deny a Change Request with Significant Changes (Final) [page 245].
Issues created during the change request lifecycle are associated with the engagement or the control for which
they are created.
Note
While a change request is in progress, analytical reports will continue to show data from the current live version
of the engagement. When the change request completes, new data is then available for reporting. For more
information, see Analytical Reporting for Control-Based Engagement Risk Assessment Projects [page 275].
Related Information
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]
A member of the Change Request Owners project group can edit an ongoing (submitted) change request to add
or change details.
Prerequisites
• You must be a member of the Change Request Owners project group and of the Supplier Risk Engagement
Requestor user group.
• There must be a change request in progress for the engagement request.
• The change request must not be in Draft status; in this case the engagement status would be Change
Request: Draft. A draft change request can be changed, but only by its original creator or by the on behalf
of user, if one was specified.
• When a change request is in progress, the status of the engagement is like Change Request: [phase name]
- In Progress.
• The engagement must not be in Change Request: In Edit status with a different user. If a change request edit
was saved during the edit process, editing of that change request can only be continued by the original editor.
Context
You can edit an engagement change request at any point before completion, including change requests that were
denied.
The engagement request changes to status Change Request: In Edit until the edit is submitted. While a request is
in Change Request: In Edit status:
Procedure
1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view. In the
Completed list, locate the engagement, and click its name.
2. The Ongoing Change Request dialog offers a choice between navigating to the Change Request or to the
summary page for the current Live Version of the engagement. Choose Change Request.
3. In the upper right corner of the engagement page, choose Action > Edit change request. A confirmation
message lists general rules of the editing process, and requires entry of Reason text to continue.
If a change request edit is already in progress, the Edit change request option is disabled.
4. Use the Next and Back buttons to navigate to different steps of the request and edit information as needed.
When editing a previously submitted change request:
• Changes to business details may cause screening questions to be added or removed. When you click Next
after making such changes, business detail changes are saved and the number of questions added and
removed is noted on the Inherent Risk Screening Questions page.
• Changed answers to the Inherent Risk Screening Questions may cause risk controls to be added or
removed. When you click Next, changes are saved and the number of controls added and removed is noted
on the supplier selection page.
• You cannot change the supplier as part of a change request or an edit to a change request. Click Review
request to move on to the Review Request page.
• Each section of the Review Request page highlights additions and changes.
5. If you need to exit an In Edit change request without submitting it, you can:
• Choose Save at any point to save your changes without submitting. The request is included in the list of
Completed engagement requests, with status Change Request: In Edit.
• The original editor of the change request can return to Step 1 and re-open the engagement, choosing
the option to continue editing.
• Other authorized users can view an engagement whose status is Change Request: In Edit, and
complete tasks other than Send Assessments in the change request due diligence workflow, but they
cannot take over the editing.
• Choose Revert edit to undo all edits made while this request has been in Change Request: In Edit status.
If you click OK to the confirmation message, the change request reverts to its pre-edit state.
6. Navigate to the final review step and click Submit request.
Caution
After submitting a change request edit, there is no option to roll back to an earlier version of the change
request.
Results
Submitting the edited change request may trigger adjustments to the approval phases, tasks, assessments, and
controls. This depends on a comparison of the changes between the live version of the engagement, the pre-edit
change request, and the edited change request.
The final version of the change request, the version that is ultimately completed, is tracked in the version history
[page 130]. Individual instances of editing a change request are not tracked in the history.
Related Information
An ongoing change request can be edited by one user at a time. The significance of the changes, evaluated when
you submit the edit, determines whether further downstream activities such as sending assessments or reviewing
additional risk controls are required.
This topic applies only to sites configured for editing of in-progress change requests.
The following table summarizes actions users can take for a change request while its status is Change Request:
In Edit. Generally, all existing tasks associated with the change request can continue, with the exception that
assessments cannot be sent.
Reopen a saved In Edit request for further editing:
• Only the original editor can continue the edit. Upon opening, the editor can choose to
• Upon clicking the engagement name, these users can navigate to
Send assessments: No user can send assessments while a change request is being edited
When you submit an edit to a change request, the proposed changes are evaluated for significance. The result of
this evaluation affects the downstream due diligence tasks for the change request.
• A change request has significant changes when they result in the addition of one or more controls.
• If you change the response for an attribute or question defined in the project template with the supplier field
mapping project.reapprove, this change is considered insignificant requiring approval.
• Removal of a control can be considered significant or insignificant requiring approval,
depending on the setting for the parameter Treat control removal as a significant change
(Application.SR.Engagement.TreatControlRemovalAsSignificant) [page 404].
• Changes to the request are considered insignificant when they do not result in addition or removal of controls.
• If a new commodity was added, triggering re-review for a service-type control specifically for this new service:
this is not the addition of a control and thus is not considered a significant change. The new service alone does
not re-trigger the approval task.
Submitting the edited change request may trigger adjustments to the approval phases, tasks, assessments, and
controls. This depends on a comparison of the changes between the live version of the engagement, the pre-edit
change request, and the edited change request.
• If the net changes are significant, all approval tasks for the change request are reactivated.
• If the net changes are insignificant requiring approval, the Change Request Initial Approval phase is
reactivated. Which tasks within that phase are reactivated depends on the setting for the parameter Reopen all
initial approval phase tasks for insignificant changes requiring approval
(Application.SR.Engagement.ReopenAllInitialApprovalPhaseTasksForInsignificantChangesRequiringApproval) [page 394].
• If the net changes are insignificant:
• If the change request was previously denied, all approval tasks are reactivated.
• Otherwise, approval tasks are not reactivated.
Original Change Request: Adds two controls (significant). User submits the change request: change request initial and final approval phases open. New assessments sent, responded to, some control reviews completed.
Edit to the Change Request: Removes the two added controls, and the parameter Treat control removal as a significant change is False; makes a change to an attribute defined with the supplier field mapping project.reapprove
Net Change from Live Version to Edited Change Request: Insignificant requiring approval
Overall Significance of the Edit: Insignificant requiring approval
Result: Change request initial approval phase: reopened
Tip
Which tasks open within this phase depends on the setting for the parameter Reopen all initial approval phase tasks for insignificant changes requiring approval (Application.SR.Engagement.ReopenAllInitialApprovalPhaseTasksForInsignificantChangesRequiringApproval).

Original Change Request: Adds two controls (significant). User submits the change request: change request initial and final approval phases open. Initial approval completed, new assessments sent and responded to, some control reviews completed.
Edit to the Change Request: Changes an attribute defined with the supplier field mapping project.reapprove (Insignificant requiring approval)
Net Change from Live Version to Edited Change Request: Significant
Overall Significance of the Edit: Insignificant requiring approval
Result: Change request was already approved with the added controls, so the net edit here is insignificant requiring approval: initial approval phase reopens. Send assessments task is not reopened: the original change request had already passed that step, and the edit to the change request is not adding controls, so there are no new assessments to send.
Initial approval of a change request for a control-based engagement risk assessment project triggers any needed
due diligence tasks. If there are no changes requiring approval, the net result is simply a new live version of the
engagement project.
Context
• it has significant changes: for example, the changes cause controls to be added.
• there are no significant changes but there are changes defined as insignificant requiring approval: for
example, a change to at least one question or attribute defined on the Supplier Risk Engagement Template
with the supplier field mapping project.reapprove.
Once a requester submits a change request requiring approval, an approver can evaluate it and provide a decision.
If you believe that a change request requires further investigation or mitigation, then instead of denying it, there is
also the option of approving it but raising an issue for it.
If a change request is canceled, existing issues for the engagement or a control remain in place; they are not
reverted when the change request is canceled.
Procedure
• Click the link in the approval task email notification to open the engagement request.
• Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the
Completed tile, locate the engagement, and click its name.
2. Depending on the status of the engagement request and your user permissions, a confirmation message may
offer a choice between navigating to the Change Request or to the engagement summary page for the current
Live Version of the engagement. In this case, choose Change Request.
3. In the Request Details area, review the answers to the business details questionnaire and the inherent risk
screening questionnaire for the change request.
4. In the Pending Tasks list, for the change request initial approval task, click Approve/Deny.
5. In the top right corner of the page, perform one of the following actions:
If you are the final approver and you approve the change request:
• If the change request will result in added controls, appropriate due diligence tasks are enabled: for example,
to send newly required assessments for which this supplier has no unexpired responses, according to the
workflow defined in the Supplier Risk Engagement Template.
Example
A new control may require an assessment to which this supplier has not already replied. In that case,
the send assessments task would be reactivated, followed by the evidence collection and then the control
review phases. Completion of the control review phase then triggers the change request final approval task.
• If there are no significant changes, but there are changes defined as insignificant requiring approval, then the
change request initial approval phase is the only required approval. Completion of this approval is the end of
the change request workflow, resulting in a new version of the engagement project, incorporating the changes.
Next Steps
If the change request is denied, and you are either an approver or a member of the Supplier Risk Engagement
Governance Analyst group, you can resubmit the approval. Resubmitting the approval restarts the approval flow
from the beginning so that approvers can make a different decision. To resubmit the approval, on the engagement
page, click View to open the approval task details page, then click Resubmit.
To view the history of activity on this engagement project, you can open the engagement page and click the View
history link below the Live Engagement Request Version field.
Related Information
How to Change a Live Engagement Request by Processing a Change Request [page 235]
Viewing Engagement History [page 130]
How to Approve or Deny a Change Request with Significant Changes (Final) [page 245]
Context
Initial approval of the change request triggers any required due diligence tasks. Once control decision makers have
reviewed any open controls associated with it, the change request is in In Progress status for the change request
final approval phase.
The Approval Flow area of the engagement page includes decision nodes for all of its control reviews.
If a control is marked ineffective, the control decision maker might have raised an issue for it. You can review any
issues raised for the change request and their resolutions in the Risk Issues area. Depending on your organization's
standards and processes, you might approve a change request with one or more ineffective controls if it merits an
exception or has a related issue that is resolved to your satisfaction.
Procedure
• Click the link in the approval task email notification to open the engagement request.
• Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the
Completed tile, locate the engagement, and click its name.
2. Depending on the status of the engagement request and your user permissions, a confirmation message may
offer a choice between navigating to the Change Request or to the engagement summary page for the current
Live Version of the engagement request. In this case, choose Change Request.
3. In the Request Details area, review the answers to the business details questionnaire and the inherent risk
screening questionnaire in the request.
4. In the Pending Tasks list, for the change request final approval task, click Approve/Deny.
5. In the top right corner of the page, perform one of the following actions:
If all of the approvers approve the change request and there are no more tasks in the change request final approval
phase, the change request is now complete. Approval triggers creation of a new live version of the engagement,
incorporating the changes proposed in the change request. The new engagement version is in status Completed.
If an approver denies the change request, the engagement moves to Denied status.
Next Steps
If the change request is denied but the change request approval phase includes tasks that have not yet been
completed, and you are either an approver or a member of the Supplier Risk Engagement Governance Analyst
group, you can resubmit the approval. Resubmitting the approval restarts the approval flow from the beginning so
that approvers can make a different decision. To resubmit the approval, on the engagement page, click View to
open the change request approval task details page, then click Resubmit.
To view the history of activity on this engagement project, you can open the engagement page and click the View
history link below the Live Engagement Request Version field.
Related Information
How to Change a Live Engagement Request by Processing a Change Request [page 235]
Viewing Engagement History [page 130]
How to Approve or Deny a Change Request (Initial) [page 243]
If a change request in progress is no longer needed, an authorized user can cancel it. This also withdraws any due
diligence tasks associated with the canceled change request that are not needed for other projects.
Prerequisites
• A member of the Change Request Owners project group and of the Supplier Risk Engagement Requestor
user group
• A member of the Supplier Risk Engagement Governance Analyst user group.
To remove a draft change request, you must be the user who created the change request, or the on behalf of
user. See How to Revert a Draft Change Request [page 248].
The change request must not be in In Edit status. A change request cannot be canceled while editing is in progress.
Context
You can cancel a change request at any point after it is submitted and before final approval.
Procedure
1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the
Completed tile, locate the engagement that has a change request in progress, and click its name.
2. Depending on your project group memberships and user permissions, a confirmation message may offer a
choice between navigating to the Change Request or to the engagement summary page for the current Live
Version of the engagement. In this case, choose Change Request.
3. In the upper right corner of the engagement page, choose Action > Cancel change request. A
confirmation message reminds you that cancelation will undo all changes. You must select a Reason for
canceling the change request. Optionally, you can also enter a comment.
4. Click OK to confirm that you want to cancel the change request.
Results
The control-based engagement risk assessment project is now once again in Completed status. You can view it on
the Completed tile of the Engagement Requests area.
Pending Tasks are deactivated and displayed in the Withdrawn tasks tab on the engagement summary page.
Any assessment evidences already received, or which have been submitted and are pending approval, and any
related control review decisions, are retained.
• If the engagement project with the just-canceled change request was the only project for which the assessment
was needed, it is deactivated and the supplier can no longer submit a response.
• If the assessment is still required for an engagement request other than the one with the canceled change
request, the supplier can still submit evidence for that assessment.
Appropriate notifications are sent to stakeholders, reflecting the withdrawn tasks and canceled change request.
Issues created during the change request lifecycle are associated with the engagement or the control for which
they are created. Issues are not deleted or removed when a change request is canceled.
Prerequisites
• You must be the user who created the change request, or the on behalf of user.
• The engagement must be in Change Request: Draft status.
Context
You can revert a draft change request at any point before it is submitted. This deletes the change request. There is
no record of it in the version history.
In contrast, you can cancel a change request that is in process. This returns the engagement to its most recent
live version but retains history information about the canceled change request. For more information, see How to
Cancel a Submitted Change Request [page 246].
Procedure
1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the
Completed tile, locate the engagement, and click its name.
2. A confirmation dialog offers a choice between navigating to the Change Request or to the engagement
summary page for the current Live Version of the engagement. In this case, choose Change Request.
3. The upper right corner of each change request page includes a Revert change button. Click Revert change and
a confirmation message reminds you that reverting will undo all changes, returning the engagement request to
its most recent completed state.
4. Click OK to confirm that you want to revert the change request.
The control-based engagement risk assessment project returns to Completed status. You can view it on the
Completed tile of the Engagement Requests dashboard.
There is no record of the reverted draft change request in the version history list for the engagement.
No notifications are sent because the change request was never submitted.
Prerequisites
To cancel the post-approval phase of an engagement risk assessment project, you must be a member of its Project
Owner group or the Supplier Risk Engagement Governance Analyst global user group.
To cancel the post-project approval phase, the phase must be in progress. You cannot cancel the phase before it
starts or after it is completed.
Context
You can cancel the post-approval phase at any time while the phase is in progress, including while tasks are active.
Procedure
Canceling the post-project approval phase removes the phase and all of its tasks from the engagement risk
assessment project workflow, completes the phase, and withdraws its tasks. The Withdrawn Tasks tab in the Tasks
area of the engagement page shows the withdrawn tasks. If the phase included active tasks when you canceled it,
task owners can no longer complete them. They receive email notifications letting them know that their tasks have
been withdrawn.
Prerequisites
You have configured periodic and ad hoc review as described in Adding Periodic and Ad Hoc Review to the
Engagement Workflow.
• You are a member of the Project Owner project group for the engagement, or of the Supplier Risk
Engagement Governance Analyst user group
Note
Only members of the Project Owner project group see an action for periodic review in their Action Queue,
if that feature is enabled.
Context
An engagement is eligible for periodic reviews on a configurable schedule. As each engagement request is
completed, first periodic review expected start and expected completion dates are generated for it. When one
periodic review is processed and completed, the next set of periodic review dates is calculated, and so on.
The type of review you can start depends on whether the engagement is available for periodic review.
• The engagement is available for periodic review if today's date is on or after its expected start date for periodic
review. In that case, choosing Action > Start review starts a periodic review.
• If the engagement is not available for periodic review, choosing Action > Start review starts an ad hoc
review.
Review workflow mirrors the change request process for engagements, with some important differences.
Periodic and ad hoc reviews:
• Make changes to business details and inherent risk screening questionnaire
• Save as draft, revert a draft
• When submitted, significance of changes determines required approvals
• Uses change request initial and final approval phases as required
• Edit at any time before final approval, if the Enable editing of in-progress change requests
(Application.SR.Engagement.AllowChangeRequestEdit) parameter is set to Yes
• Changes made during edit are evaluated for significance to determine required approvals
Periodic review:
• Configuration determines length of review period and rules for generating review dates
• Engagement becomes available for periodic review on the expected start date
• Can be used in conjunction with the Action Queue feature; when the engagement is available for periodic
review, an Action to conduct a periodic review appears on the Action Queue
• Configurable notifications remind project team members to conduct the periodic review
• Can require the Additional Periodic Review Activities phase in response to a configured number of
consecutive no-change periodic reviews
Ad hoc review:
• An ad hoc review is a review started when the engagement is not available for periodic review
• Does not appear in Action Queue because it is not triggered on a schedule
• Reminder notifications do not apply
Upon submitting an ad hoc or periodic review, a confirmation dialog requires the reviewer to confirm their
changes (or lack thereof) to the business details and inherent risk screening questionnaire.
2. In the upper right corner of the engagement page, choose Action > Start review.
• If the engagement is available for periodic review, a confirmation message indicates that the review is
starting.
• If the engagement is not available for periodic review, a different message notes the date when this
engagement will next become available for periodic review, and asks whether you would like to start an ad
hoc review. Click Yes to start an ad hoc review, or No to return to the engagement page.
3. The editing pages for processing the review allow you to request changes to business details or inherent risk
screening questionnaire responses for the engagement. Use the Next and Back buttons to navigate to different
steps of the review and edit information as needed.
• Changes to business details may cause screening questions to be added or removed. When you click Next
after making such changes, business detail changes are saved and the number of questions added and
removed is noted on the Inherent Risk Screening Questions page.
• Changed answers to the Inherent Risk Screening Questions may cause risk controls to be added or
removed. When you click Next after making such changes, changes are saved and the number of controls
added and removed is noted on the supplier selection page.
• The supplier selection page is displayed, but you cannot change the supplier for a live engagement.
• Each section of the Review Request page highlights additions and changes.
• For a new review (not yet submitted), the two columns compare the values for the original, previously
completed engagement to those entered for this review.
When editing an in-progress review, the two columns compare the live version of the engagement to
the edited version of the review.
4. If you need to exit a review before submitting it, you can:
• Choose Save at any point to save your changes without submitting. The engagement is shown in the
engagement Completed tile, with status Review: Draft. The creator of the review can re-open it, with a
choice to continue editing the review or to open the engagement page for the live version.
• Choose Revert Review to delete the review and undo all changes associated with it. If you click OK to the
confirmation message, the engagement reverts to the current live version, its state before the review was
started.
5. Navigate to the final review step and click Submit review. The Submit review dialog provides three choices of
action:
a. If you are comfortable with the review in its current state, select the checkboxes confirming that you have
reviewed the business details and inherent risk screening questionnaire, and click Submit.
b. To return to the draft review, click Cancel to return to the editing pages. This preserves the changes you
had already made and allows you to adjust them.
c. To start over, click Start from the beginning to undo all changes for the review. This returns you to the
editing pages as if you had just clicked Start review.
• If there are significant changes, the change request initial approval and change request final approval phases
are activated.
• If there are no significant changes, but some changes are insignificant requiring approval, only the change
request initial approval phase is activated. Which tasks open within that phase is determined by the value for
the parameter Reopen all initial approval phase tasks for insignificant changes requiring approval
(Application.SR.Engagement.ReopenAllInitialApprovalPhaseTasksForInsignificantChangesRequiringApproval).
• If the only changes are insignificant:
• If the review was previously denied, the change request initial approval task is reactivated.
• If this is not a resubmit of a denied review, the review is automatically approved. This triggers creation of a
new version of the live engagement project, incorporating the changes.
• If there are no changes to the business details or inherent risk screening questionnaire in this review:
• If this is a periodic review, a no-change review may trigger the Additional Periodic Review Activities
phase, defining additional tasks required in order to complete the periodic review.
• In all other cases, a no-change review is automatically approved. Despite the lack of changes, this does
trigger a new version of the live engagement recognizing that the review was submitted.
Depending on the changes and your organization's control-based engagement risk assessment process,
appropriate downstream tasks are activated. A process similar to a change request manages the workflow of
relevant due diligence tasks, and corresponding notifications are sent.
For a periodic review only, the post project approval phase reopens, if your site
has the parameter Reopen post project approval phase with engagement review
(Application.SR.Engagement.ReopenPostProjectApprovalPhaseWithEngagementReview) set to Yes.
Issues created during the review lifecycle are associated with the engagement or the control for which they are
created.
Note
While a review is in progress, analytical reports will continue to show data from the current live version of the
engagement. When the review completes, new data is then available for reporting. For more information, see
Analytical Reporting for Control-Based Engagement Risk Assessment Projects [page 275].
Related Information
An engagement with a review in process is listed in the Completed area of the engagements dashboard and has a
status of Review: [status]. In the case of a periodic (not ad hoc) review, an action is listed on the Action Queue for
members of the Project Owner project group for the engagement.
When, as a user with some authorization to view or work with the engagement, you click on the engagement name
or action link, the result depends on the state of the review (in draft or already submitted) and your global and
engagement-specific permissions.
If the review is in Draft status, the engagement's status shows as Review: Draft.
• The creator of the review can re-open it. This user sees a dialog where they can choose to continue editing the
draft review, or open the summary page for the live engagement in view-only mode.
• Other users land on a view-only engagement page for the live version of the engagement. An indicator at the
top of the page notes that a review is in process.
If the review has already been submitted, its status shows as Review: [phase name] - In Progress. In this case, all
users see a choice dialog. You can navigate to the ongoing Review or the current Live Version of the engagement.
• Choosing Review brings up the engagement page with the indicator Review - In Progress displayed at the top.
Actions you can take on this page depend on your permissions and role in the engagement.
• Choosing Live Version displays the current live version of the engagement. Because there is a review in
progress, this page is view-only for all users.
If a submitted review is currently being edited, the engagement's status shows as Review: In Edit.
• The original editor of the review can re-open it. This user sees a dialog where they can choose to continue
editing the review, or open the engagement page for the currently active (pre-edit) review. Possible actions
depend on the user's permissions and role in the engagement.
Tip
The editor can also access the live version of the engagement:
1. Choose the option to view the current active review.
2. From the engagement page, click the Engagement history link. The engagement history includes a link
to the live version of the engagement.
• Other users see a choice between navigating to the Review or the Live Version.
• Choosing Review brings up the engagement page for the pre-edit version of the review, with the indicator
Review - In Progress displayed at the top. While the review is In Edit, due diligence activities associated
with the review can continue. Actions you can take on this page depend on your permissions and role in the
engagement.
• Choosing Live Version displays the current live version of the engagement. Because there is a review in
progress, this page is view-only for all users.
Prerequisites
• You must be a member of the Supplier Risk Engagement Governance Analyst user group
• The review must not already have been started
Context
The periodic review to be skipped is the one identified by the Scheduled periodic review field in the summary area
of the engagement page.
The review must not already be in progress. If it is, you must first cancel [page 257] the in-progress
review, then skip it.
Procedure
2. In the upper right corner of the engagement page, choose Action > Skip Review. A confirmation message
identifies the date of the review being skipped and requires you to enter a reason for skipping it.
3. Click Skip to confirm that you want to skip the review.
• If configured to generate the next periodic review date for engagements based on the Last periodic review
actual completion date: in this case there is no actual completion date. In its place the date calculation uses
the date the periodic review was skipped.
Related Information
When the creator of a draft review for a control-based engagement risk assessment project realizes it is not
needed, they can revert it. The engagement returns to its most recent live version.
Prerequisites
Context
You can revert a draft review at any point before it is submitted. This deletes the review. There is no record of it in
the version history.
In contrast, you can cancel [page 257] a review that is in progress. This reverts the changes but retains history
information.
Results
The control-based engagement risk assessment project returns to Completed status. You can view it on the
Completed tile of the Engagement Requests dashboard.
There is no record of the reverted draft review in the version history list for the engagement.
If you revert a periodic rather than an ad hoc review, the engagement is once again available for periodic review. The
engagement page still shows the same Scheduled periodic review dates as before.
Related Information
Prerequisites
Context
Procedure
2. In the upper right corner of the engagement page, choose Action > Cancel review.
3. A confirmation message requires that you enter a reason for canceling. Click Yes to confirm that you want to
cancel the review.
4. A second confirmation message reminds you that the engagement will return to its current live version. Click
Yes again to complete the cancelation.
Results
The engagement returns to Completed status. You can view it on the Completed tile of the Engagement Requests
area.
Pending Tasks are deactivated and displayed in the Withdrawn tasks tab on the engagement summary page. For a
periodic review, this includes any pending tasks for the Additional Periodic Review Activities phase.
Any assessment evidences already received from suppliers, and any related control review decisions, are
retained.
• If the canceled review of this engagement request was the only reason for sending the assessment to this
supplier, it is deactivated and the supplier can no longer submit a response.
• If the assessment is still required for an engagement request other than the one whose review has been
canceled, the supplier can still submit evidence for that assessment.
Appropriate notifications are sent to stakeholders, reflecting the withdrawn tasks and canceled review.
When you cancel a periodic review, the engagement is once again ready for and still requires a periodic review,
unless a governance analyst user skips [page 255] it.
The cancelation does not change the engagement's Scheduled periodic review dates.
Related Information
A member of the Change Request Owners project group for an engagement can edit an ongoing (submitted)
periodic or ad hoc review to add or change details.
Prerequisites
• You must be a member of the Change Request Owners project group and of the Supplier Risk Engagement
Requestor user group.
• There must be a review in progress for the engagement.
• The review must not be in Draft status; in this case the engagement status would be Review: Draft. A draft
review can be changed, but only by its original creator.
• When a review is in progress, the status of the engagement has the form Review: [phase name] - In Progress.
• The engagement must not be in Review: In Edit status with a different user. If a review was saved during the
edit process, editing of that review can only be continued by the original editor.
You can edit an engagement review at any point before completion, including reviews that were denied.
The engagement changes to status Review: In Edit until the edit is submitted. While an engagement is in Review: In
Edit status:
Procedure
3. In the upper right corner of the engagement page, choose Action > Edit review. A confirmation message
lists general rules of the editing process, and requires entry of Reason text to continue.
Note
If an edit of this review is already in progress, the Edit review option is disabled.
4. Use the Next and Back buttons to navigate to different steps of the review and edit information as needed.
When editing a previously submitted review:
• Changes to business details may cause screening questions to be added or removed. When you click Next
after making such changes, business detail changes are saved and the number of questions added and
removed is noted on the Inherent Risk Screening Questions page.
• Changed answers to the Inherent Risk Screening Questions may cause risk controls to be added or
removed. When you click Next, changes are saved and the number of controls added and removed is noted
on the supplier selection page.
• You cannot change the supplier as part of a change request or an edit to a change request. Click Review
request to move on to the Review Request page.
• Each section of the Review Request page highlights additions and changes. The two columns compare the
values for the original, previously completed engagement to the edited version of the review.
5. If you need to exit an In Edit review without submitting it, you can:
• Choose Save at any point to save your changes without submitting. The review is included in the list of
Completed engagements, with status Review: In Edit.
• The original editor of the review can return to Step 1 and re-open the engagement, choosing the option
to continue the Edit.
• Other authorized users can view an engagement whose status is Review: In Edit, and complete tasks
other than Send Assessments in the review due diligence workflow, but they cannot take over the
editing.
Remember
When editing a review, the Review Request page compares the edited review to the current live version
of the engagement. This comparison determines whether the confirmation step indicates changes to the
business details and inherent risk screening questionnaire.
7. Click Submit review. The Submit review dialog provides three choices of action:
a. If you are comfortable with the review in its current state, select the checkboxes confirming that you have
reviewed the business details and inherent risk screening questionnaire, and click Submit. The attestation
here is to the net change between the current live version of the engagement and the edited version of the
review.
Example
In the original review, you changed the answer to just one business details question. After submitting,
you edit the review to change it back to the original response. The net would be no change to the
business details.
Caution
After submitting an edited review, there is no option to roll back to an earlier version of the review.
b. To return to the draft review, click Cancel to return to the editing pages. This preserves the changes you
had already made and allows you to adjust them.
c. To start over, click Start from the beginning to undo all changes for the review. This returns you to the
editing pages as if you had just clicked Edit review.
Results
Submitting the edited review may trigger adjustments to the approval phases, tasks, assessments, and controls.
This depends on a comparison of the changes between the live version of the engagement, the pre-edit review,
and the edited review.
The final version of the review, the version that is ultimately completed, is tracked in the engagement history [page
130]. Individual instances of editing a review are not tracked in the history.
Related Information
Prerequisites
To archive a control-based engagement risk assessment project, you must be a member of its Project Owner
project group or the Supplier Risk Engagement Governance Analyst global user group.
Context
Archiving an engagement risk assessment project closes it permanently to all further activity, including change
requests. There is no way to un-archive an archived project, so only archive a project when you are sure that it no
longer requires any further action.
In the simple archiving workflow, archiving an engagement risk assessment project is a single operation. If your site
uses the advanced archiving workflow, see How to Archive a Control-Based Engagement Risk Assessment Project
(Advanced Workflow) [page 263].
Procedure
1. Click the Engagement requests link on the Supplier Risk dashboard, click the Completed tile, locate the
engagement, and click its name.
The engagement risk assessment project is now in Archived status. It continues to show on the Completed tile.
You can no longer create change requests for it or add it to new contracts in sites that include SAP Ariba Contracts.
If the project was previously added to contracts in sites that include SAP Ariba Contracts, it continues to show in
those contracts with the updated Archived status.
Related Information
How to Archive a Control-Based Engagement Risk Assessment Project (Advanced Workflow) [page 263]
The Control-Based Engagement Risk Assessment Process [page 114]
Viewing and Managing Control-Based Engagement Risk Assessment Projects [page 120]
Control-Based Engagement Risk Assessment Status Flow [page 267]
Prerequisites
To request or complete archiving of a risk assessment project, you must be a member of its Project Owner project
group or the Supplier Risk Engagement Governance Analyst global user group.
The engagement archiving feature and the advanced archiving workflow must be enabled in your site. If your site
does not use the advanced archiving workflow, see How to Archive a Control-Based Engagement Risk Assessment
Project (Simple Workflow) [page 262].
To request archiving, the project must be in Completed status. To complete archiving, the project must be in
Archive Pending status.
Context
Archiving an engagement risk assessment project closes it permanently to all further activity, including change
requests. Archived engagement risk assessment projects also cannot be added to contracts in SAP Ariba
Contracts. In the advanced archiving workflow, you can cancel archiving [page 265] while it is still in progress,
but there is no way to un-archive an archived project.
If this is the first archiving request for the project, requesting archiving shows the tasks in the archiving workflow
on the engagement page for the first time. If archiving was previously requested and then canceled for the project,
requesting archiving restarts the previously withdrawn tasks and moves them back to the Pending tasks tab.
Restarted approval tasks retain any previously added ad hoc approvers. Supplemental engagement questionnaires
associated with restarted To Do tasks show their previous answers, which task owners can update in this round.
Procedure
1. Click the Engagement requests link on the Supplier Risk dashboard, click the Completed tile, locate the
engagement, and click its name.
The project moves to In Progress status for the archiving phase and the archiving workflow starts. Once task
owners complete their tasks and the archiving workflow is completed, the project moves to Archive Pending
status.
Results
The engagement risk assessment project is now in Archived status. It continues to show on the Completed tile.
You can no longer create change requests for it or add it to new contracts in sites that include SAP Ariba Contracts.
If the project was previously added to contracts in sites that include SAP Ariba Contracts, it continues to show in
those contracts with the updated Archived status.
Related Information
How to Archive a Control-Based Engagement Risk Assessment Project (Simple Workflow) [page 262]
How to Cancel Archiving of a Control-Based Engagement Risk Assessment Project [page 265]
Control-Based Engagement Risk Assessment Status Flow [page 267]
The Control-Based Engagement Risk Assessment Process [page 114]
Prerequisites
To cancel archiving for a risk assessment project, you must be a member of its Project Owner project group or the
Supplier Risk Engagement Governance Analyst global user group.
The engagement archiving feature and the advanced archiving workflow must be enabled in your site.
To cancel archiving, the project must be in In Progress status for the archiving phase or in Archive Pending status.
Context
Archiving an engagement risk assessment project permanently closes it to further activity, including change
requests. There is no way to unarchive an archived project. If the archiving is still in progress or pending, however,
you can cancel it.
Procedure
1. Click the Engagement requests link on the Supplier Risk dashboard, click the Completed tile, locate the
engagement, and click its name.
Results
The engagement risk assessment project returns to Completed status and is now open to further activity through
change requests in sites that use them. In sites that include SAP Ariba Contracts, the project can continue to be
added to new contracts.
Next Steps
If the project is ready to archive at any point in the future, you can request archiving again.
Related Information
How to Archive a Control-Based Engagement Risk Assessment Project (Advanced Workflow) [page 263]
Control-Based Engagement Risk Assessment Status Flow [page 267]
The Control-Based Engagement Risk Assessment Process [page 114]
Prerequisites
• To copy an engagement risk assessment project to a new engagement request, you must be a member of the
Supplier Risk Engagement Requestor group.
• Only active suppliers are eligible for supplier engagement.
Context
The engagement request is the first step in a control-based risk assessment project to analyze and document
the risks involved with the engagement. Both the business details and inherent risk screening questionnaires in
an engagement request can contain a large amount of detailed information about an engagement. To request a
new engagement with similar characteristics, you can copy an existing project instead of creating a new request
and filling out the business details and inherent risk questionnaires again from scratch. If an engagement risk
When copying an existing engagement risk assessment project to a new request, the first two steps of the request,
the business details questionnaire and the inherent risk questionnaire, are copied from the existing project. You can
then edit those questionnaires as needed. The copied engagement request does not retain the supplier from the
original engagement risk assessment project, if any, and you must complete the supplier selection and review steps
of the copied request and submit it just as you would any other new engagement request.
Currently, the copied request is based on the version of the template used by the engagement project from which it
is copied, rather than from the most recent version of the template.
You cannot copy an engagement request that was created from a non-catalog purchase. When you open such an
engagement:
• A message at the top of the engagement page indicates it is linked to a purchase requisition.
• The option for Action Copy request is not available.
Procedure
The new, copied engagement request has the name Copy of <original engagement risk assessment project
name> and includes the date and time when you copied it.
4. Finish creating the new engagement request, editing the copied answers in the business details and inherent
risk screening questionnaires as needed.
| A requester has answered questions in the first step of creating a new engagement request (the business details questionnaire) and has saved the request without proceeding to the second step. | Draft > Filter Questions Saved | Draft |
| A requester has answered questions in the first step of creating a new engagement request (the business details questionnaire) and has proceeded to the second step. | Filter Questions Saved > Filter Questions Submitted | Draft |
| A requester has answered questions in the second step of creating a new engagement request (the inherent risk screening questionnaire) and has saved the request without proceeding to the third step. | Filter Questions Submitted > Screening Questions Saved | Draft |
| A requester has chosen a supplier for a new engagement request and proceeded to the review step, then exited the request without submitting it. | Screening Questions Submitted > Supplier Selected | Draft |
| A requester has completed a new engagement request and submitted it, but the template does not define an approval flow for it | Supplier Selected > Submitted | Draft > Submitted |
| A user has completed a new engagement request and submitted it, and it has a template-defined approval flow. | Supplier Selected > Submitted | Draft > [request approval]: In Progress. [request approval] here is the name of the Request Approval phase in your site's supplier risk engagement template. |
| An approver has denied the engagement request. | Submitted > Request Denied | [request approval]: In Progress > Request Denied. [request approval] here is the name of the Request Approval phase in your site's supplier risk engagement template. |
| Approvers have finally approved the engagement request. Note: If you're using the basic approval workflow, after completing the Request Approval phase, the engagement request moves immediately to Completed status. | Submitted > Pending Assessment | [request approval]: In Progress > [trigger evidence and control process]: In Progress. [request approval] here is the name of the Request Approval phase in your site's supplier risk engagement template. [trigger evidence and control process] here is the name of the Trigger Evidence and Control Process phase in your site's supplier risk engagement template. |
| The responsible user has completed the To Do task for sending any assessments for required open controls. | Pending Assessment > In Assessment | [trigger evidence and control process trigger]: In Progress > [evidence collection]: In Progress |
| All respondents have submitted assessments for the open controls and the assessments have been approved. | In Assessment > Pending Risk Control Decision | [evidence collection]: In Progress > [control effectiveness review]: In Progress. [evidence collection] here is the name of the Evidence Collection phase in your site's supplier risk engagement template. |
| Control owners have reviewed all open controls for the engagement and either marked their effectiveness or, if the site is configured to allow this, skipped the control review. | Pending Risk Control Decision > Pending Final Approval | [control effectiveness review]: In Progress > [engagement approval]: In Progress. [control effectiveness review] here is the name of the Risk Control Effectiveness Review phase in your site's supplier risk engagement template. |
| An approver has denied the engagement. | Pending Final Approval > Request Denied | [engagement approval]: In Progress > Request Denied |
| Task owners and approvers have completed any tasks related to final approval of the engagement and have finally approved it, and your organization's engagement risk assessment process does not include a post-project approval phase. | Pending Final Approval > Completed | [engagement approval]: In Progress > Completed. [engagement approval] here is the name of the Project Approval phase in your site's supplier risk engagement template. |
| Task owners and approvers have completed any tasks related to final approval of the engagement and have finally approved it, and your organization's engagement risk assessment process includes a post-project approval phase | Pending Final Approval > Completed | [engagement approval]: In Progress > [post-project approval]: In Progress. [engagement approval] here is the name of the Project Approval phase in your site's supplier risk engagement template. |
| A member of the engagement risk assessment Project Owner group or the Supplier Risk Engagement Governance Analyst global user group has canceled the post-project approval phase. | Completed | [post-project approval]: In Progress > [engagement approval] Completed. [post-project approval] here is the name of the Post Project Approval phase in your site's supplier risk engagement template. |
| Task owners and approvers have completed all tasks in the post-project approval phase. | Completed | [post-project approval]: In Progress > [engagement approval] Completed. [post-project approval] here is the name of the Post Project Approval phase in your site's supplier risk engagement template. |
| (Simple archiving workflow) A member of the engagement risk assessment Project Owner project group or the Supplier Risk Engagement Governance Analyst global user group has archived the project. | Completed > Archived | Completed > Archived |
| (Advanced archiving workflow) A member of the engagement risk assessment Project Owner project group or the Supplier Risk Engagement Governance Analyst global user group has requested archiving for the project. | Completed | Completed > [project archiving phase] - In Progress. [project archiving phase] here is the name of the Project Archiving phase in your site's supplier risk engagement template. |
| (Advanced archiving workflow) Task owners and approvers have completed all tasks in the project archiving phase. | Completed | [project archiving phase] - In Progress > Archive Pending. [project archiving phase] here is the name of the Project Archiving phase in your site's supplier risk engagement template. |
| (Advanced archiving workflow) A member of the engagement risk assessment Project Owner project group or the Supplier Risk Engagement Governance Analyst global user group has completed the archiving of the project. | Completed > Archived | Archive Pending > Archived |
Prerequisites
To run the Risk Control Summary report, you must be a member of the Supplier Risk Manager, Supplier Risk
Engagement Governance Analyst, or Supplier Risk Engagement Expert group.
Context
The Risk Control Summary report is a Microsoft Excel file with the following fields:
• Engagement ID
• Engagement request
• Supplier ID
• Supplier
• Project owner
• Requested by
• Requested on
• Engagement status
• Risk type
• Control ID
• Control name
• Control type
• Service id
• Service display name
• Control owner
• Decision maker
• Control status
• Control expiry
• Control Status imported, which is a flag indicating whether the control status was set manually by a review
(False) or using a control status data import (True)
For service controls, the report includes a separate row for each service in the control review.
Procedure
• Choose one of the preset filters (Last 7 Days, Last 30 Days, Last 3 Months, or Last 6 Months).
• Choose Custom range and use the calendars to choose from and to dates for the custom date range.
5. Click Apply.
6. Click Generate report.
7. Once your report has generated, click View reports to download the report.
Related Information
Exporting Data and Running Reports on Supplier Risk and Related Activities [page 307]
Analytical Reporting for Control-Based Engagement Risk Assessment Projects [page 275]
Prerequisites
To run the Engagement processing error report, you must be a member of the Supplier Risk Manager or
Supplier Risk Engagement Governance Analyst user groups.
• Manage user interactions during send assessments processing [page 388]: with this parameter enabled, the
report contains information about errors that occur during processing of the Send Assessments task.
• Manage user interactions during update processing [page 389]: with this parameter enabled, the report
contains information about errors that occur during processing of a new, edited, or canceled engagement
request, change request, or review.
These parameters are enabled by default. If a Customer Administrator has disabled one or both, the engagement
data corresponding to that parameter is not saved and therefore cannot be displayed in this report.
Context
The Engagement processing error report includes the following fields. By default it is in (descending) error ID
sequence, so that the most recent error is at the top.
Related Information
You can create reports based on the following reporting facts to see data on engagement risk assessment and issue
management projects, tasks, and questionnaires:
| SR Project Questionnaire Response | All survey documents in risk assessment and issue management projects, including: |
| SR Project Task Approval Flow | The details for approval and review flows in approval and review tasks in engagement risk assessment and issue management projects. It is particularly useful for identifying bottlenecks in approval processes. In reports based on this fact, you can analyze approval and review activity by task names, start dates, end dates, the names of associated projects, approvers by name or group, the dates on which task nodes become active and approvers have acted, any comments they provide during approval, engagement request status, and so on. |
Note
Analytical reporting on the modular supplier management questionnaire projects used as assessment
questionnaires in control-based engagement risk assessment projects is not supported.
You must have the appropriate permission to run or create analytical reports. The following table provides a quick
reference for where to find information about SAP Ariba analytical reporting:
| To Do This... | See... |
|---|---|
| Run a report that you or another person at your organization has created. Tip: To see the reports that other people in your organization have created and made publicly available, choose Manage Public Reports. | Running Analytical Reports |
| Understand the data that is available in different reporting facts and how multi-fact reports on any combination of SR Project, SR Project Task, and SR Project Task Approval Flow data work | Reporting Fact Reference |
| Learn which user groups grant reporting permissions | Strategic Sourcing and Supplier Management Group Descriptions |
Keep in mind the following tips when running or creating analytical reports for control-based engagement risk
assessment and issue management projects, tasks, and questionnaires:
• You can create reports that include combinations of SR Project, SR Project Task, and SR Project Task
Approval Flow data. You cannot create reports that combine SR Project Questionnaire Response or SR
Project Survey Response data with data from other reporting facts.
• Every analytical report must include at least one measure (data field), which you add in the first step of the
reporting wizard.
• If you want a report that simply lists all of the data in rows, add fields to the Detail Fields area of the pivot
layout and check Show detail fields in report. On the report pivot table, you can also switch between detail and
aggregate views by clicking the data menu.
Related Information
Modular questionnaires are projects that maintain discrete sets of related information, such as certificates,
risk assessments, or policy, compliance, audit, or other information about suppliers or engagement risk. They
can function independently or serve as components in a larger process such as a process qualification or an
engagement risk assessment.
Modular questionnaires are the recommended way to collect supplier certificates. They include some special
features for certificate management, including features for managing expiring and expired certificates.
About the Questionnaires Area in the Supplier 360° Profile [page 280]
Requesting an Update or Changing the Recipient for a Modular Questionnaire [page 287]
Viewing Modular Questionnaire Projects Based on Previous Template Versions After Template Upgrade [page
297]
• See all of the modular questionnaire projects associated with the supplier, their statuses, and their expiration
dates. If a questionnaire is scored and the recipient has submitted answers, the overall score shows on the
Questionnaires tab.
• View details about the modular questionnaire project, including workflow progress and any included internal
forms.
• Fill out and submit internal modular questionnaires included in process projects, if you're the questionnaire's
recipient.
• Fill out and submit [page 293] internal forms included in modular questionnaire projects, if you're the project
owner or the owner of an associated To Do task.
• Request an update or change the recipient [page 287] of a modular questionnaire.
• Complete any stand-alone To Do tasks for any questionnaires or internal forms in a modular questionnaire
project to which you've been assigned.
• Approve or deny [page 291] a questionnaire if you're in its approval flow.
• Approve or deny [page 296] an internal form if you're in its approval flow.
• View completed tasks by choosing the view icon.
If a modular questionnaire project only includes a questionnaire, viewing it directly opens the questionnaire details
page with questions, answers, and version history. If the process project feature (SM-16798) is enabled in your site,
questionnaire details for the project or key questionnaire also include a summary of the process projects in which
the questionnaire is included.
If a modular questionnaire project also includes internal forms, viewing it opens the questionnaire project details
page.
• A Questionnaires table with the project's key questionnaire and internal forms. View a questionnaire or
form to open its questionnaire details page, which shows questions, answers, and version history. In these
questionnaire details pages, comment history shows all comments for all tasks associated with both the key
questionnaire and all internal forms in the current phase of the project.
The Questionnaires table doesn't show scores or score band indicators for questionnaires or forms with
scoring. However, scores and score band indicators do show on individual questionnaire details pages.
• A Tasks table with the project's tasks. Viewing a task from this table shows the standard task details page
with questions, answers, and version history for the questionnaire or form associated with the task. In the task
details page, comment history shows only comments for the current task.
If a modular questionnaire project includes internal forms, the internal forms don't show on the Questionnaires
tab but the project's key questionnaire does. Tasks for internal forms show on the Tasks tab. To see an internal
form in a modular questionnaire project, view the key questionnaire for the project or a task associated with the
form.
Related Information
Any internal or external supplier management questionnaire can include certificate questions. The Certificates
area of a supplier 360° profile shows all of the certificates associated with a supplier that were collected in
approved questionnaires or questionnaire updates. Each certificate has a summary with the certificate name,
expiration date, and a status of Valid, Expiring, or Expired.
To show in this area, certificates must be collected using either of the following methods:
In either case, the questionnaire must be approved. The Certificates area doesn't show certificates that were
added in denied questionnaires or questionnaire updates.
• Search for a certificate by entering the certificate type in the search bar. You can enter all or part of the type to
start the search.
• Filter certificates by any combination of type, status, effective date, whether or not the certificate has expired,
and the commodities, regions, and departments to which it applies. After selecting one or more filter values in
the filter popup, choose Apply to apply them to the Certificates area. To clear filters, in the filter popup, choose
Clear all, then choose Apply.
• Sort certificates by last updated, recently expired, or oldest expired.
• Choose any certificate summary card to open complete certificate details, including links for downloading the
certificate attachment and opening the questionnaire where the certificate was collected. Certificate details
can include associated commodities, regions, and departments. However, that information is only valid for
certificates collected in modular questionnaires, which create a direct relationship between the commodity,
region, and department of the modular questionnaire project and its associated certificates.
Note
• SAP Ariba doesn't validate the details in certificate answers (effective date, expiration date, and so
on) against associated certificate attachments. Approvers are responsible for comparing the certificate
attachment to the details in the certificate answer to make sure that they match before approving the
associated questionnaire. Approvers can request additional information from the recipient to resolve any
discrepancies.
• If a questionnaire recipient submits a certificate with a past expiration date, the certificate's status can
show as Expiration in Progress for a short time before changing to Expired.
Certificates collected in modular questionnaires include some special features. A template creator in your site
sets up these certificate-related modular questionnaires, which can include both certificate and other types of
questions, usually for a specific subject. Some certificate-related modular questionnaires can ask for multiple
related certificates, while other questionnaires can ask for one critical certificate. A modular questionnaire
project can be applicable to all commodities, regions, and departments, or only to a specific combination, and
the certificates collected in it inherit that commodity, region, and department information from the modular
questionnaire. In addition to the expiration dates of individual certificates, the modular questionnaire project where
they're collected can also expire.
• Sending suppliers certificate questionnaires: you can ask suppliers to provide information about their
certificates by inviting them to fill out the relevant modular questionnaires. Depending on your site's solution
package, these certificate-related modular questionnaires can be stand-alone questionnaires, engagement risk
assessments, or included in a process project.
• Approving or denying certificate questionnaires: If you are an approver, you must review supplier answers
and approve or deny their certificate questionnaires [page 291] or questionnaire updates.
• Monitoring certificate status: In addition to viewing certificates in the Certificates area of the supplier 360°
profile, you can monitor certificates collected in modular questionnaires by:
Related Information
Prerequisites
To send stand-alone modular supplier management questionnaires, you must be a member of the SM Modular
Questionnaire Manager group.
To add, edit, or delete a supplier contact in the supplier 360° profile or when inviting a supplier to a questionnaire,
you must be a member of one of the following groups:
Context
You can invite multiple suppliers to fill out multiple stand-alone modular questionnaires in a single operation.
This invitation is for stand-alone questionnaires, meaning that the invitation isn't related to a specific supplier
management process. In sites that include SAP Ariba Supplier Risk, control-based engagement risk assessment
projects include modular questionnaires for specific risk controls. Invitations to risk assessment questionnaires
are part of the engagement project workflow. In sites where the process project feature (SM-16798) is enabled,
process projects include modular questionnaires that are applicable to the process's commodities, regions, and
departments, and questionnaire invitations are part of the process project creation or renewal workflow. Stand-
alone modular questionnaires are always external. Modular questionnaires in engagement risk assessment projects
or process projects can be either external or internal.
You can only send stand-alone modular questionnaire invitations to suppliers that have at least one supplier
contact with an associated email address. The primary supplier contact is the default recipient. However, the
modular questionnaire invitation process allows you to add missing contacts or choose different contacts while
sending the invitation. You can create two different supplier contacts with the same email addresses for a supplier
because the email addresses aren't case-sensitive. For example: you can create emailaddress@company.com
and Emailaddress@company.com.
If the feature for internal forms in modular questionnaires (SM-30222) is enabled in your site, modular
questionnaire projects can also include internal forms. The external questionnaire you send to the supplier is
the key or main questionnaire in the project, and you or another person in your organization fill out and submit
[page 293] the included internal forms as well.
Procedure
Tip
By default, the Questionnaire page shows 10 modular supplier management questionnaires at a time. You
can use the Show more control on this page to append 10 more questionnaires. Each time you click Show
more, 10 more rows are appended to the list.
3. Choose Apply.
The Questionnaire page displays all the questionnaires that meet your filter criteria.
Tip
• To search for suppliers to invite, enter a name in the search field or filter the supplier list by choosing
Filters, selecting filters in the navigation pane of the More Options popup, choosing filter values, and
choosing Apply.
• The Questionnaire Status filter helps you narrow down suppliers by the current status of the modular
questionnaire - for example, whether it has not yet been sent, has not been responded to, has been
approved, is pending submission, and so on. The available statuses to choose from are Not Sent, Not
Responded, Pending Submission, Submitted, Pending Resubmit, Pending Approval, Denied, Approved,
Expiring, and Expired. The filter results display only those suppliers that received the questionnaire
after the enhanced pagination and filtering functionality was enabled.
• Currently, choosing Select all selects the first 100 suppliers in the supplier list rather than all suppliers.
To invite additional suppliers beyond the first 100, you must select them individually.
• Each supplier you select is saved, even if the current search results don't show them. The filter list
above the search results shows the number of suppliers you've selected. If you want to remove a
previously selected supplier and it's not currently visible in search results, search for the supplier, then
deselect it.
6. Choose Next.
The confirmation page shows the Supplier good to go tile with a list of selected suppliers that have contacts and
are ready for the invitation. There’s also a Supplier missing contact tile. If any of the suppliers you selected
don't have contacts, you can choose this tile to see them.
7. Optional: On the Supplier good to go tile, verify that the primary contact for each listed supplier is the person
you want to invite to fill out the questionnaires. If not, perform the following actions:
a. Choose Change contact.
b. Optional: If the person you want to invite isn't listed as one of the supplier's current contacts and you have
the required permissions, choose Add new contact and add a contact.
c. Select the contact you want to invite and choose Save.
8. If you added any suppliers that don't currently have contacts to the invitation and you have the required
permissions to add contacts, choose the Supplier missing contact tile and add a contact:
9. Choose Send.
Results
Each modular questionnaire you sent generates an invitation email to the supplier contact you specified. The
supplier contact can use the links in the emails to log in and fill out and submit the questionnaires.
• If you're an owner of the modular questionnaire project, you can now fill out and submit any forms that don't
have To Do tasks.
• Owners of To Do tasks for submitting internal forms receive notifications when their tasks become active in the
workflow for the modular questionnaire project.
If the questionnaire project is approved and it has an expiration schedule, you receive a notification when the
questionnaire project moves to Expiring status and another notification when it moves to Expired status.
Related Information
Prerequisites
To request an update or change a recipient for a modular questionnaire, you must be a member of the SM Modular
Questionnaire Manager, Supplier Risk Engagement Expert, or Supplier Risk Engagement Governance Analyst
group.
You can't request an update while the questionnaire is in Pending Submission or Pending Approval status.
Internal modular questionnaires are only available in SAP Ariba Supplier Lifecycle and Performance process
projects and in SAP Ariba Supplier Risk engagement risk assessment projects, where they're used as risk
assessments. Internal modular questionnaires can't be stand-alone projects.
Context
Modular questionnaires can allow continuous updates or permanently close after the submitted answers are first
approved or denied. However, even if a modular questionnaire doesn't normally allow updates, requesting an
update reopens the questionnaire so that the recipient can update it once.
• If the questionnaire allows updates and is in approval or pending submission state, approvers can deny the
questionnaire and then the questionnaire owner can send it to a different recipient.
• If the questionnaire doesn't allow updates, denial is permanent and the questionnaire owner can't send it to any
other recipient.
If the modular questionnaire project also includes internal forms, you can request an update for or change the
recipient of the main or key questionnaire in the project. You can't request updates for or change recipients of
internal forms.
In sites where the process project feature is enabled, a process initiator who is also a member of the SM Modular
Questionnaire Manager group can also request a questionnaire update or change recipients when creating or
renewing a process.
Procedure
• For an internal questionnaire, choose the current recipient or search for and select a different recipient.
• For an external questionnaire, leave the current recipient selected, search for and select a different supplier
contact, or (if you have permission to add supplier contacts) add a new contact and choose them as the
recipient.
4. Optional: Enter a comment about the update request or questionnaire reassignment.
5. Perform one of the following actions:
Results
The current or updated recipient receives an email notification inviting them to submit the questionnaire.
If the questionnaire is set up to generate reminders, requesting an update restarts the reminder schedule.
Questionnaire scores are useful because they apply uniform judgments. No matter who is filling out the
questionnaire, the same answers result in the same score. Approvers and other stakeholders don't have to guess
how acceptable or unacceptable the answers are because the scoring provides clear guidelines.
The Questionnaires area of the supplier 360° profile shows overall scores for questionnaires. If your organization
uses process projects, process details pages also show overall questionnaire scores. If a modular questionnaire
project includes internal forms, both the key or main questionnaire in the project and the internal forms can
have scores. However, the key questionnaire score is the project score and shows in the Questionnaires area and
process details page. Scores for any internal forms don't contribute to the overall questionnaire project score.
When you view a questionnaire or form's details page, the questionnaire or form score shows at the top of the page.
The questions and answer details include the score for each question and each section:
Questions with quantifiable (multiple choice or Yes/No) or numeric (number, date, or percentage) answers can be
scored, though they're not always. Questions with free text answers can't be scored.
• A numerical score that expresses, as a percentage, how many points the question, section, or overall
questionnaire has earned out of the total number of possible points. Questions, sections, and the questionnaire
itself have numerical scores.
• An indicator of the scoring band into which the score falls. A scoring band is a grouping that applies a single
label to a range of scores. All scores within the range for a band receive the same judgment and the same label,
Note
For each scoring band, the scores equal to or greater than the lowest number in its score range up to but not
including the highest number in its score range fall within the band. For example, if a scoring band has a range
of 50-75, scores of 50 and 74 both fall within the band, but a score of 75 falls outside it.
In all cases, scores and band indicators are based on the most recently submitted answers.
Questionnaire scoring can involve complicated calculations about not only how desirable an individual answer is
relative to others, but how important the question is and how much significance or weight its section has. Some
questions, sections, or entire questionnaires involve critical requirements, while some are about more optional or
less critical information. Depending on the nature of the content, a numerical score of 30 can be unacceptable
in one case, marginal in another, and acceptable in a third. Moreover, the overall questionnaire score isn't a sum
of the score of its sections. Some sections contribute more to the overall score than others. Numerical scores by
themselves are difficult to interpret.
A score's band provides important context for the numerical score. Your organization can use different sets of
scoring bands for different types of information. For example, one set can include only two bands: "Failed" and
"Passed." Another set can include a larger number of graduated bands: "Bad," "Poor," "Average," "Good," and
"Excellent." The template creator in your organization who sets up scoring for a modular questionnaire applies a
specific set of scoring bands to the questionnaire and defines a score range for each band in the set so that you
have the appropriate guidance for interpreting the scores of that particular set of content. The template creator
can also apply different sets of scoring bands with different score ranges to different sections within the same
questionnaire to provide different guidance for those specific sections.
Example
For example, questionnaire or section A can include questions about regulatory compliance that are critical to
your organization. In this case, your organization can apply a strict yes-or-no judgment to the scores in this
questionnaire or section by using the set of scoring bands that include only a "Failed" band (score range of 0-70)
and a "Passed" band (score range of 70-100). Questionnaire or section B can include questions about less critical
regulatory compliance and your organization can apply a looser standard of judgment by using the set of scoring
bands that include "Bad" (0-20), "Poor" (20-40), "Average" (40-60), "Good" (60-80), and "Excellent" (80-100)
bands. In this example, both A and B can have a numerical score of 65. However, because of the different content
involved, a score of 65 means "Failed" in one section and "Good" in the other.
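The half-open band rule from the Note and the A/B comparison above, worked through as an added Python example (not SAP Ariba code). The tuple layout, the function names, and the choice to place a score equal to the top of the highest band inside that band are assumptions; the text doesn't say how that top boundary is handled.

```python
from typing import List, Optional, Tuple

# (label, low, high): low is inclusive, high is exclusive, per the Note above.
Band = Tuple[str, float, float]

# Band sets copied from the example in the text.
PASS_FAIL: List[Band] = [("Failed", 0, 70), ("Passed", 70, 100)]
GRADUATED: List[Band] = [
    ("Bad", 0, 20), ("Poor", 20, 40), ("Average", 40, 60),
    ("Good", 60, 80), ("Excellent", 80, 100),
]


def validate_bands(bands: List[Band], floor: float = 0,
                   ceiling: float = 100) -> List[str]:
    """Return a list of problems that would leave some scores unlabelled
    or doubly labelled: empty ranges, gaps, overlaps, uncovered ends."""
    if not bands:
        return ["no bands defined"]
    problems = []
    ordered = sorted(bands, key=lambda b: b[1])
    for label, low, high in ordered:
        if low >= high:
            problems.append(f"{label}: empty range {low}-{high}")
    if ordered[0][1] > floor:
        problems.append(f"scores {floor}-{ordered[0][1]} have no band")
    for (prev, _, prev_high), (nxt, nxt_low, _) in zip(ordered, ordered[1:]):
        if nxt_low > prev_high:
            problems.append(
                f"gap between {prev} and {nxt}: {prev_high}-{nxt_low}")
        elif nxt_low < prev_high:
            problems.append(
                f"{prev} and {nxt} overlap: {nxt_low}-{prev_high}")
    if ordered[-1][2] < ceiling:
        problems.append(f"scores {ordered[-1][2]}-{ceiling} have no band")
    return problems


def classify(score: float, bands: List[Band],
             top_inclusive: bool = True) -> Optional[str]:
    """Return the label of the band that contains score, or None."""
    ordered = sorted(bands, key=lambda b: b[1])
    for label, low, high in ordered:
        if low <= score < high:  # half-open: 50-75 holds 50 and 74, not 75
            return label
    # Assumption: a score equal to the top of the highest band (for
    # example 100) belongs to that band. Pass top_inclusive=False to
    # apply the half-open rule to the top band as well.
    if top_inclusive and ordered and score == ordered[-1][2]:
        return ordered[-1][0]
    return None


if __name__ == "__main__":
    # The same numerical score lands in different bands.
    print(classify(65, PASS_FAIL), classify(65, GRADUATED))
    # Ranges written as inclusive pairs leave a gap under the half-open rule.
    inclusive_style = [("Failed", 0, 69), ("Passed", 70, 100)]
    print(validate_bands(inclusive_style), classify(69.5, inclusive_style))
```
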
Context
New modular questionnaire projects have an approval flow defined by your organization. Depending on how a
modular questionnaire is set up, updates to the questionnaire can have the same approval flow, a different approval
flow, or can be approved automatically.
If modular questionnaire updates have approval flows, or if you've requested more information from the supplier,
the questionnaire details page shows the answers in both the latest version and previous versions so that you can
compare them.
If the feature for internal forms in modular questionnaire projects (SM-30222) is enabled in your site, modular
questionnaire projects can include one or more internal forms in addition to the main or key questionnaire
submitted by the supplier. Approval or denial of the key questionnaire is typically the last step in the workflow
for the modular questionnaire project. For information on approving internal forms, refer to Approving or Denying
an Internal Form in a Modular Questionnaire Project [page 296].
Note
Once an approver denies the key questionnaire in either a new external modular questionnaire project or
an update, the questionnaire project closes permanently. It remains permanently closed unless a user with
permission to work in the advanced view manually monitors the key external questionnaire and reopens it. This
action does reopen the project but doesn't automatically notify the supplier or form editors that they can now
update the external questionnaire and internal forms again. You can use the Request additional info option to
ask the supplier to provide more acceptable answers using automatic email notifications instead of explicitly
denying the modular questionnaire project and requiring a manual intervention to reopen it.
In sites that include SAP Ariba Supplier Risk, external modular questionnaires are associated with risk controls
in control-based engagement risk assessment projects, and a control decision-maker can't review a control for
effectiveness until all of its associated questionnaire projects are approved.
Procedure
The Previous Version column shows answers from the selected version. The Latest Version column continues
to show answers from the current update.
4. Perform one of the following actions:
• To approve the questionnaire, choose Approve, enter an optional comment, and choose Approve.
• To deny the questionnaire, choose Deny, enter an explanatory comment, and choose Deny.
• To request additional information from the respondent, choose Request Additional Info, enter a comment
explaining what information you want, and choose Request Additional Info.
Results
For new questionnaires, if you are the final approver, the status of the modular questionnaire project is now
Approved or Denied and the supplier is notified of that status by email. If not, the questionnaire project remains
in Pending Approval status until the final approval or denial. If you're the final approver and you approve the
questionnaire, and the questionnaire project is set up to allow updates, the questionnaire reopens so that the
supplier can update it. Any internal forms not associated with To Do tasks in an update phase also become
editable again. If you deny the questionnaire, the project closes permanently. The supplier can't update the external
questionnaire and internal forms editors can't update internal forms.
Any comments that you or other approvers added during questionnaire approval show on both the questionnaire
and approval task details pages, which you can see by viewing the questionnaire or task. Questionnaire details
pages show all comments for all tasks in the project, and you can filter them to just show the comments for the
current questionnaire. Task details pages show only the comments associated with the current task. Depending on
how your site's notifications are set up, approval comments can also be included in approval or denial notifications
to suppliers.
If your organization uses different phases to manage tasks for new questionnaires and questionnaire updates, the
questionnaire details page only shows comments for tasks in the current phase. When the questionnaire is new,
comments for tasks in the new questionnaire phase show. After a recipient submits the first questionnaire update,
only comments for tasks in the update phase show, and the comment history shows comments for all updates. If
the advanced view for the project is enabled and you have permission to view it, you can see comments for tasks in
the new phase by viewing task details on the Tasks tab of the advanced project view.
If you requested additional information during approval of an external questionnaire and entered a comment, the
supplier sees the most recent approval comment when they revise their response to the questionnaire.
Related Information
About the Questionnaires Area in the Supplier 360° Profile [page 280]
Comparing Different Versions of a Supplier Management Questionnaire
Requesting an Update or Changing the Recipient for a Modular Questionnaire [page 287]
Internal stakeholders of your organization can enter ratings in one or more internal forms or internal questionnaires
of a project. Ratings enable your organization to create a formal methodology by which you evaluate responses.
You use ratings to evaluate or "rate" the responses (on various parameters such as delivery, quality, service, price,
compliance, and so on). The final rating is a simple aggregation of all the individual ratings entered by internal users
in their respective internal forms or questionnaires.
These ratings are configured as questions in internal forms or internal questionnaires and can be included as
part of a modular questionnaire project. The project can include external or internal survey questionnaires of type
Questionnaire in addition to one or more internal forms of type Form.
For example, you may want to gather information on certain aspects related to mandatory environmental
compliance, and this project may have several different components. Different internal users can complete forms
in the same internal modular questionnaire project. Or you can have an external questionnaire asking a supplier
to provide information, and include several internal forms in the project so that internal users can provide a rating
of that information. The Total Rating field, if configured in the final form, displays the aggregate of all the ratings
entered by previous task owners in their respective forms.
This functionality is available for both internal and external modular questionnaire projects. To edit an internal form
in a modular questionnaire project, you must be either the project owner or the owner of an active To Do task on
that form.
Prerequisites
The internal forms in modular questionnaire projects feature (SM-30222) must be enabled in your site.
To fill out an internal form in a modular questionnaire project, you must be either the owner of a To Do task
associated with the form or the project owner. To Do task owners can only edit the form while the task is active.
A modular questionnaire project can include one or more internal forms in addition to its key questionnaire. The
key questionnaire is the "main" questionnaire in the project. The recipient of the key questionnaire shows as the
recipient for the entire questionnaire project, and can be a supplier contact (for an external modular questionnaire)
or someone in your organization (for an internal modular questionnaire).
Internal forms can have To Do tasks and approval tasks. If there's no To Do or approval task associated with an
internal form, filling it out is optional. If there's a To Do task associated with an internal form and you're a task
owner, you must submit the form to complete the task. If there's an approval task associated with an internal form,
you or someone else with edit permission must submit the form so that it can be approved and the project can be
completed.
An internal form is editable in the following circumstances as long as the project doesn't have a Denied status:
New | From the time the questionnaire project is created until it is finally approved, internal forms are always editable. To Do task owners who aren't also the project owner can only edit the questionnaire while the task is active.
Update | After the questionnaire project has been finally approved, internal forms that don't have To Do tasks are always editable, even if the key questionnaire doesn't allow updates.
If an approver denies any form or questionnaire in the modular questionnaire project, the project moves to Denied
status and all of its forms and questionnaires close to further updates.
If the owner of a To Do task on an internal form in a modular questionnaire project is a project group, all members
of that project group can potentially edit the form. The first project group member to submit the form and
complete the task then becomes owner of the completed task.
1. Locate the supplier on the Supplier Management dashboard and click their name.
2. In the navigation bar of the supplier 360° profile, choose Questionnaires.
3. Perform one of the following actions:
• If the form isn't associated with an active To Do task, or if it is but you aren't the task owner: On the
Questionnaires tab, click the name of the questionnaire project where the form is included to open its
details page. In the Questionnaires table, view the form, then choose Edit.
• If the form is associated with an active To Do task and you're a task owner: On the Tasks tab, locate the
task and act on it to open the task details page, where the form is automatically editable.
Tip
If the modular questionnaire project is included in a process project, you can also view the questionnaire
project by clicking its name on the process details page. From there, you can either view the form and
choose Edit from the Questionnaires table or act on an assigned To Do task from the Tasks table.
Choosing the Cancel option in the Edit page opens a dialog box. If you choose Confirm in the dialog box, you'll
lose all unsaved changes and be redirected to the previous page. If you choose Cancel in the dialog box, you'll
stay on the same page and can continue updating the form.
By default, only the process owner can edit internal forms and save them as drafts. However, the process
owner can request an update from a different recipient and invite them to update the form. The new recipient
can see the responses saved previously and can provide their own responses. The new recipient can also
overwrite previous responses if required, and save the draft again.
6. Perform one of the following actions:
Results
If the internal form has an approval task, that task starts and approvers approve or deny your answers.
Prerequisites
The internal forms in modular questionnaire projects feature (SM-30222) must be enabled in your site.
Context
Internal forms in a modular questionnaire project can have an approval flow defined by your organization.
Depending on how a modular questionnaire project is set up, updates to the form can have the same approval
flow, a different approval flow, or be approved automatically.
Note
Approval of the internal form doesn't directly affect the modular questionnaire project's status but is required
to complete the project workflow. Denial of the internal form moves the entire modular questionnaire project
to Denied status and closes it permanently. To reopen it, a user with permission to work in the advanced view
must manually monitor the project's key questionnaire and reopen it. You can use the Request additional
info option to ask the person who submitted the internal form to provide more acceptable answers instead of
denying the form and closing the project.
Procedure
1. Locate the supplier on the Supplier Management dashboard and click their name.
2. In the navigation bar of the supplier 360° profile, choose Questionnaires.
3. Choose the Tasks tab.
The Tasks tab only shows tasks to which you've been assigned.
4. Act on the approval task.
If you're approving a form update, to display only the questions with updated answers, choose Updated. To
display all answers, choose All. If the form has been updated multiple times, you can also compare current
answers with previous versions of the form.
• To approve the form, choose Approve, enter an optional comment, and choose Approve.
• To deny the form, choose Deny, enter a required explanatory comment, and choose Deny.
• To request additional information from the respondent, choose Request Additional Info, enter a comment
explaining what information or changes you want, and choose Request Additional Info.
Results
Any comments that you or other approvers added during form approval show on both the questionnaire details
page for the form and on the approval task details page, which you can see by viewing the form or task.
Questionnaire details pages show all comments for all tasks in the current phase for the project, and you can
filter them to show just the comments for the current form. Task details pages show only the comments associated
with the current task in the current phase.
If you're the final approver for the form, your approval completes the approval task and starts the next tasks in the
modular questionnaire project workflow. The project remains in Pending Submission or Pending Approval status,
depending on whether the recipient of the project's key questionnaire has viewed or submitted it.
If you denied the form, the modular questionnaire project moves to Denied status and all forms and questionnaires
in the project close to further edits.
Prerequisites
To access the advanced view of a project, you must be either a member of the SM Advanced View Access group or
the project owner or a member of the SM Ops Administrator group, depending on your site's configuration.
When a template creator in your site changes one of your organization's modular questionnaire processes by
updating its project template, an administrator can upgrade the existing modular questionnaire projects that
were created from it to the newer template version. Each template upgrade creates a new modular questionnaire
project with the current project information and automatically archives the previous project based on the previous
template version. The template version menu shows all of the template versions that have been applied to
the modular questionnaire project, including the version number and the date on which the version was published.
This template version menu is available on the questionnaire details page (if the modular questionnaire project
includes just a questionnaire) or on the questionnaire project details page (if the modular questionnaire project
includes one or more internal forms in addition to the key questionnaire).
When you select a previous template version, the questionnaire details or project details page updates to show you
the previous, archived project based on that version. Differences in template version can include:
• Different process flow diagrams: The process flow diagram shows the process flow for the modular
questionnaire project based on the template version you select, including tasks and task owners or approvers
in that version.
• Modular questionnaire project status: A customer administrator in your organization can upgrade a modular
questionnaire project to the latest template version when it has a status of Not Responded, Denied, Expiring,
or Expired, or when it has Approved status and an update isn't in approval. The summary reflects the modular
questionnaire project status at the time of upgrade to the selected template version. For example, a modular
questionnaire project can have a current status of Approved for the current template version 3, but can be in
Expiring status for template version 2 and Not Responded status for template version 1.
• Different internal forms: If the feature for allowing internal forms in modular questionnaire projects
(SM-30222) is enabled in your site, modular questionnaire projects can include one or more internal forms
in addition to the key or main questionnaire sent to the recipient. Whether internal forms are included in a
modular questionnaire project, and which forms are included, can change with different template versions.
• Questionnaire and form contents: If the recipient hasn't submitted the questionnaire, or an internal form
editor or To Do task owner hasn't submitted a form, viewing it shows the contents for the selected
template version. Otherwise, questionnaire or form version history reflects changes to content across template
upgrades as well as changes to answers.
If you have permission to access the advanced view of a modular questionnaire project, you can use the template
version dropdown menu to access the advanced view of the selected template version. The advanced view also
includes the following information for the selected template version:
Procedure
1. In the Questionnaires area of the supplier's 360° profile, on the Questionnaires tab, view the questionnaire
project for which you want to see previous versions.
The questionnaire or project details page updates to show you the previous, archived modular questionnaire
project based on that version.
3. (Optional) To access the advanced view of the previous project associated with the selected template version,
click (advanced view).
Next Steps
If you're in the advanced view of a project that has a previous, archived project from a previous template upgrade,
the Previous Project field on the Overview tab shows its ID, and you can choose the ID to see that previous project.
Related Information
About the Questionnaires Area in the Supplier 360° Profile [page 280]
Comparing Different Versions of a Supplier Management Questionnaire
Action | Status
The recipient has been invited to fill out the modular questionnaire and sent a link where they can do so. | Not Responded
The recipient has opened but not submitted the modular questionnaire. | Not Responded > Pending Submission
The recipient has submitted responses to the modular questionnaire. | Pending Submission > Submitted
The approval process for the modular supplier management questionnaire has started. | Submitted > Pending Approval
An approver has asked the recipient for more information as a condition of approving the modular supplier management questionnaire. | Pending Approval
The recipient has resubmitted more information for the modular supplier management questionnaire and it's back in the approval process. | Pending Approval
All of the approval tasks on all questionnaires and forms in the modular questionnaire project have been finally approved. | Pending Approval > Approved
An approval task in the modular questionnaire project has been denied. | Pending Approval > Denied
The recipient has submitted an update to a modular questionnaire. | Approved, Expiring, or Expired > Submitted
The approval process for the modular supplier management questionnaire update has started. | Submitted > Pending Approval
An approver has asked the supplier for more information as a condition of approving the modular questionnaire update. | Pending Approval
The recipient has resubmitted more information for the modular supplier management questionnaire update and it's back in the approval process. | Pending Approval
An approval task related to the current update has been denied. | Denied
For a new or updated questionnaire, reminder notifications for an upcoming expiration have been sent in one of the following circumstances: | Approved > Expiring
One of the following expiration dates has passed in a new or updated questionnaire: | Expiring > Expired
Note
Modular questionnaire projects contain separate Questionnaire Status and Questionnaire Update Status
fields. For new questionnaires, these status changes occur in the Questionnaire Status field. Once the
recipient has updated the key questionnaire at least once, they occur in the Questionnaire Update Status
field.
Use a finding to document a supplier situation that might require remediation, a policy exception, or other special
handling. A finding can be associated with a supplier in general, or with a specific engagement request.
Users initiate findings from within SAP Ariba Supplier Risk. The findings exist within Finding and Event
Collaboration on the SAP Business Technology Platform. This gives you a central launch point for collaborating
with business partners on risks, opportunities, and action items.
Creating a Finding
Prerequisites
Your site is set up to allow creating findings. Sites can allow creating issues or findings, but not both.
Your user must have appropriate permissions: belong to an appropriate group or, in the case of an engagement-
specific finding, have a specific role in the engagement.
• For a general finding, not associated with an engagement, your user must belong to one of the following user
groups:
• Supplier Risk Engagement Requestor
• Supplier Risk Engagement Expert
• Supplier Risk Engagement Analyst
• Supplier Risk Engagement Governance Analyst
• For an engagement-level finding: if your user has access to the engagement, you can create a finding for it.
• For a finding associated with a vendor- or engagement-level control: if your user has access to the engagement,
you can create findings associated with controls of these types.
• For a finding associated with a service on a service-level control: your user must be a decision maker for the
control.
Context
You can create a finding associated with an engagement request, or a more general finding concerning a supplier.
Procedure
a. When you choose Action > Create finding or click the Create finding button, a new browser window
opens where you can enter information about the new finding. The Supplier, Commodities, Regions, and
Departments are already filled in according to the values for the engagement.
b. Enter other attributes for the finding and optionally add an attachment. For more information about the
attributes, see Finding Attributes in the Finding and Event Collaboration User Guide.
c. Create the finding.
• Choose Submit to submit the finding.
• Choose Cancel to save the finding without submitting. The finding status is now Draft.
Either choice opens the Finding and Event Collaboration dashboard. You can close this window to exit.
Any contacts associated with the selected supplier are available to add as external team members. There is no way
to update the list of contacts in the finding after its creation.
Next Steps
To view a finding, you must have access to it as its creator (for a Draft or New finding) or as a user with a role in the
finding such as Finding Response Coordinator.
You can view a finding to which you have access in several ways.
• Click the Findings tile on the Supplier Risk dashboard. This lists both general findings and findings specific to
an engagement or risk control.
In the list, check if any finding is in the New status with an error. You can troubleshoot such a finding, so
that it moves to the In Validation status and is available to the finding management team to work on. For
troubleshooting instructions, see Troubleshooting a Finding Stuck in the New Status.
• The Findings table on the Engagement requests tab of the Supplier 360° shows all findings for that supplier,
both general and engagement- or control-specific.
• The Findings table on the engagement page shows all findings for that engagement.
• On the Control details or Control review page:
• Locate the finding in the Findings tab of the control page for a vendor- or engagement-level control.
• In the list of services for a service-level control, the Findings column contains a link if your user has
permission to open a finding for that service.
Related Information
Prerequisites
Your site must allow creating findings. Sites can be set up to allow creating issues or findings, but not both.
For a Draft or New finding, your user must be the creator of that finding.
• Finding Validator
• Finding Analyzer
• Finding Response Coordinator
• Finding Acknowledger
Context
If the findings feature is not enabled on your site, or if there are no findings relevant to you, the Findings tile is not
visible on the dashboard.
Procedure
Results
The Finding and Event Collaboration dashboard is displayed, showing the list of findings. The list also displays
errors, if any, for the findings.
Next Steps
• You can narrow your search for specific findings, as described in Searching for Findings.
• You can troubleshoot any finding you created that has remained in the New status with an error. For
instructions, see Troubleshooting a Finding Stuck in the New Status.
You can use supplier risk data from exports or analytical reports to help meet regulatory requirements and track
your organization's risk-related activities. SAP Ariba Supplier Risk provides several different tools for reporting on
or exporting the data in your site.
| Data | How to report on or export it |
| --- | --- |
| Control-based engagement risk assessment project data | Use the Supplier Risk Engagements API to get control-based engagement risk assessment project data. The API gets the data for engagements, issues, and modular questionnaires. |
| Control-based engagement risk assessment and associated issue management projects, project tasks, and approval flows and engagement request and issue details questionnaire content | Use SAP Ariba analytical reporting tools. Refer to Analytical Reporting for Control-Based Engagement Risk Assessment Projects [page 275]. You can export analytical reports as Microsoft Excel workbooks or CSV files. |
| The new, in progress, or completed engagement risk assessment projects you have permission to view, including project name and ID, requester, status, and assessments | On the Supplier Risk dashboard, click Engagement Requests, then click the New Requests, In Progress, or Completed tile. Above the engagement table, click the download icon. The export includes the engagements that show in the table based on current filters. |
| The engagement risk assessment issues you have permission to view, including issue name, status, and assignee, engagement name, and associated risk controls | On the Supplier Risk dashboard, click Issues. In the upper right corner of the My Issues page, click the download icon. The export includes the issues that show in the table based on current filters. |
| Risk control activity, including which controls are required for different engagements, their status, control owners and decision makers, and associated assessment questionnaires | Generate the Risk Control Summary Microsoft Excel report. Refer to How to Run the Risk Control Summary Report [page 272]. |
Suppliers
| Data | How to report on or export it |
| --- | --- |
| Current supplier search results, including supplier name, ERP vendor ID, address, enrichment status, and risk exposure | On the Supplier Risk dashboard, search for suppliers. In the upper right corner of the search results page, click the download icon. |
| The suppliers you follow | On the Supplier Risk dashboard, in the upper right corner of the Your suppliers area, click the download icon. The export includes the suppliers that show in your followed suppliers table based on current filters. |
| The compliance and custom field data added to the suppliers you monitor when using the Risk Category Information API for Supplier Risk Exposure | Generate the Risk Category Information API Microsoft Excel report. Refer to Running the Risk Category Information API Report. |
| The licensed third-party provider activity for the suppliers you submitted for evaluation in your realm | Generate the Licensed Provider Summary Microsoft Excel report. Refer to Running the Licensed Provider Summary Report. |
| Your suppliers' overall and category risk exposure | Use the Risk Exposure API to get the overall and category risk exposure for the suppliers you monitor in SAP Ariba Supplier Risk. |
| The overall risk exposure, if the risk exposure override was used, category risk exposure, and risk levels for the suppliers you follow | Generate the Risk Exposure Summary Microsoft Excel report. Refer to Running the Risk Exposure Summary Report. |
| Supplier risk activities, including suppliers followed and alerts received, for all users in your site | Generate the Supplier Risk Summary Microsoft Excel report. Refer to Running the Supplier Risk Summary Report. |
Note
The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.
How to Request a New Engagement in a Legacy Risk Assessment Project [page 314]
How to Add Approvers to a Legacy Engagement Request or Risk Assessment [page 316]
How to Raise an Issue for a Legacy Engagement Risk Assessment [page 321]
How to Define, Analyze, or Resolve a Legacy Engagement Risk Issue [page 323]
How to Add Approvers or Reviewers to a Legacy Engagement Risk Issue [page 325]
How to Send Additional New or Resend Previously-Sent Legacy Engagement-Level Risk Assessments [page
329]
Supplier or Third-Party Legacy Risk Assessment Project Status Flow [page 335]
Some engagements might not need a risk assessment; others, such as consulting engagements that involve access
to confidential information or company networks or facilities, might require stringent risk assessments.
1. Requesting the engagement and inherent risk assessment: A user in your company who wants to engage
with a supplier or other third party requests a new engagement risk assessment by creating an engagement
request and filling out the engagement request form. This form typically asks detailed initial questions about
the engagement's inherent risk factors both in general and in different risk domains. Depending on its setup, it
might or might not ask the requester to specify the supplier or third-party at this stage. Approvers review the
engagement request, particularly information related to inherent risk, and approve or deny it.
2. Sending detailed engagement-level risk assessments: Once the engagement request is approved, the
governance expert assigned to review the inherent engagement risk sends risk assessments to internal
stakeholders and (if applicable) suppliers or other third parties. Before doing so, the governance expert can
either specify the engagement's supplier for the first time, or change the supplier specified in the request
to a different supplier, depending on the answers in the request. Typically, some of the risk assessments are
specific to the inherent risk domains identified in the request, such as IT, finance, or governance. The recipients
fill out and submit responses to these risk assessments.
3. Responding to risk assessments: Recipients are notified of the assessments they need to fill out. Internal
stakeholders fill out their risk assessments on the engagement page in SAP Ariba Supplier Risk. Supplier
contacts fill out risk assessments on Ariba Network for Suppliers.
4. Evaluating and approving risk assessments: Depending on how your company's assessments are set up, a
residual risk score might be calculated for each assessment based on submitted answers. Approvers evaluate
the answers and the score and approve or deny the risk assessments. If an approver denies at least one of its
risk assessments, the engagement is denied. If approvers approve all of the risk assessments, the requester
can engage with the supplier or third party to fulfill the engagement's purpose.
A governance expert can send out all of the risk assessments for an engagement at the same time; therefore,
no matter how many risk domains are affected by the engagement, or how many experts are specified as
assessment recipients, all applicable risk assessments start at the same time. If it becomes apparent that
additional assessments are needed, a governance expert can then send them out as required at a later time.
In some cases, an engagement might not require engagement-level risk assessments. If your site is configured
to automatically skip assessments for engagements with no recommended assessments, those engagements
automatically move from the approved request to Completed: Assessments skipped automatically status.
The governance expert assigned to send out risk assessments can also choose to skip the engagement-level
risk assessment process entirely and move the engagement directly from the approved request to Completed:
Assessments skipped manually status based on their judgment of the engagement's requirements.
At any time between when the request is submitted and the engagement is completed or canceled, the requester
and governance experts can create issues to highlight potential problems or concerns with the engagement as
In solutions that include SAP Ariba Sourcing or SAP Ariba Contracts, the risk assessment project can be made
a predecessor to a sourcing or contract project. With this setup, once the engagement is approved, sourcing or
contract activities will start.
• The form used for the engagement request and the risk assessments that are available, including their content,
scoring, and whether the risk assessments are recommended based on either answers to specific questions
about inherent risk in the request or the request's overall inherent risk score or rating. The content of the
engagement request also determines whether the requester can (or is required to) specify the supplier at that
stage.
• Who is responsible for approving the engagement request and each risk assessment.
The nature and severity of an issue, and whether or not it has a satisfactory resolution, are among the factors that
approvers of engagement risk assessment projects take into account when approving or denying an engagement.
The issue management process provides an automatic and auditable process for gathering all of the relevant
information about an issue and involving relevant experts and other stakeholders in its analysis and resolution. It
includes five stages:
1. Issue creation: a user becomes aware that there is a potential issue with a proposed supplier or third-party
engagement with an assessment project in progress, either with the entire engagement or with a specific
engagement-level risk assessment, and creates an issue in Draft status. The user who creates the issue might
fill out most or all of the information in the Issue details area, including specifying an assignee, or might leave
most of the issue's fields blank. The Comments area is not yet available during issue creation.
2. Issue definition: the issue assignee (if there is one at this point) and owners of various issue definition tasks
edit the issue to provide more detailed information, add comments, and complete their assigned tasks. The
issue then moves from Draft to In Progress status.
3. Issue analysis: the assignee (if there is one at this point) and owners of various issue analysis tasks review
the issue details, edit the issue to update or add information if necessary, add comments, and complete
Note
The issue creator has permission to edit the issues they have created. The issue assignee has permission to
edit issues to which they are assigned. Members of the Supplier Risk Engagement Governance Analyst group
have permission to edit any issue. Task ownership by itself does not grant a user permission to edit an issue.
• The fields in the Inherent Issue Document area, which collect information about the issue.
• The tasks in the issue management workflow and their owners.
• Who is responsible for approving the issue resolution.
Related Information
How to Define, Analyze, or Resolve a Legacy Engagement Risk Issue [page 323]
How to Add Approvers or Reviewers to a Legacy Engagement Risk Issue [page 325]
The Legacy Risk Assessment Process [page 309]
• Viewing and tracking risk assessment projects on the Supplier Risk dashboard and in supplier 360° profiles
[page 313]
Note
Your ability to see and act on individual engagement requests and risk assessments is determined by your
group membership and your assignment to tasks in specific risk assessment projects.
Viewing and Tracking Risk Assessment Projects on the Supplier Risk Dashboard and in Supplier
360° Profiles
The Engagement Requests page, which you access by clicking the Engagement Requests tile on the Supplier
Risk dashboard, shows engagement requests and risk assessments for all suppliers. The Engagement Requests
area on the Risk exposure tab of an individual supplier 360° profile shows engagement requests and risk
assessments for that supplier. The Engagement Requests area in both places includes three tiles, which allow
you to view or manage risk assessment projects at various stages:
• Edit and save or submit your draft engagement requests on the New Requests tile, which shows
engagement requests that you have created and saved but not submitted (in Draft status). Click the
engagement request name to open your draft, finish it, and submit it.
• Track and manage engagement risk assessment projects that are in progress on the In Progress tile:
• View or approve submitted engagement requests: Click the name of an engagement request with
Submitted status to view its details on the engagement page. If you are an approver, you can approve
or deny the engagement request from here [page 317].
• Edit or cancel submitted or approved engagement requests: Click the name of an engagement request
with Submitted or In Assessment status to edit [page 319] or cancel [page 320] it before engagement-
level risk assessments are sent out.
• Raise, track, and resolve engagement risk issues: Click the name of an engagement request with
Submitted, In Assessment, Awaiting Assessment Responses, or Pending Assessment Approval status
to raise [page 321], update, and resolve [page 323] issues at the overall engagement level or the
engagement-level risk assessment level.
• Send engagement-level risk assessments: Click the name of an engagement with In Assessment status
to view its details on the engagement page. If you are one of the people responsible for sending risk
assessments for the engagement, you send them from here [page 327].
• View and respond to, or resend, engagement-level risk assessments: If a risk assessment project has
Awaiting Assessment Responses status, you can click its Expand link to view information about each sent
risk assessment, such as its name, when it was submitted (Last assessed date), whether it is internal or
external, whether it was used in a previous risk assessment project for the same supplier, who it was sent
to, and its target and residual risk exposure.
You can click the View button next to a submitted assessment, or an open assessment that you are not
responsible for filling out, to see it. If you are the assigned respondent for an assessment, you see a
Start button instead, and you can click it to complete and submit the assessment [page 332]. If you are
one of the people responsible for sending the engagement's assessments and a respondent has not yet
submitted answers to an assessment, or you decide that the engagement requires additional assessments,
you can send additional new or resend previously-sent engagement assessments [page 329].
• View and approve submitted assessments: If an engagement has Pending Assessment Approval status,
you can click its Expand link to view information about all completed assessments. Click the View button
next to a completed assessment to open it.
You can sort some columns, such as Name, by clicking the column name. You can filter other columns, such as
Status, by clicking the filter icon in the column header, then choosing values by which to filter. To export the
list of risk assessment projects on any of the tiles in the Engagement Requests area to a Microsoft Excel file, click
the Export link. The exported file includes the list of risk assessment projects on the tile based on current filters
and sorting.
For each assessment associated with an engagement request, a red alert icon displays next to residual risk
exposures that are lower than their target exposure.
Once a supplier or third-party engagement request is submitted, users with the appropriate permissions can click it
to open the engagement page. Users can view this page if they are members of risk engagement analyst,
governance, or expert groups, are in the approval flow of the request or one of the assessments, or are the
recipient of one of the assessments.
• Engagement request detail: information about the engagement request, including the engagement ID
number, title, requester, date created, inherent risk exposure and rating (if they have been set up in your
site) and information about any associated supplier, commodity or service, and region.
• Process: a status graph that shows the engagement risk assessment's current position in the process,
and a task table where you can view tasks and their associated risk assessment questionnaires, and where
task owners or approvers complete their assigned tasks. You can also see the most recent responses to any
assessment questionnaires that the engagement's supplier filled out for a previous engagement, but that were
not sent for the current one.
• Risk Assessment Questionnaires: the full, completed engagement request.
Prerequisites
You must be a member of the Supplier Risk Engagement Requestor group to create an engagement request.
Context
Depending on how your company has set up the inherent risk screening questions in the engagement request, the
answers you provide to the initial questions might expose additional questions for you to answer.
Procedure
• Click Save to save your current answers and return to finish the questionnaire at a later time.
• Click Submit to submit the engagement request.
• Click Cancel to delete the engagement request.
Results
If you have submitted the engagement request, it has the status Submitted. The approvals it requires depend on
how your company has set up its risk assessment projects.
If you have saved but not submitted the engagement request, it has the status Draft.
Next Steps
You can view the new engagement request on the Supplier Risk dashboard. In the Engagement Requests area,
click the New Requests tile. In the Action column, click View to open the request. If your request is still a draft, you
can complete and submit it from here, or you can delete it if you decide it is no longer necessary.
After you have submitted the request, approvers review your answers and either approve or deny it. If it is
approved, a governance expert at your company might or might not initiate additional risk assessments based on
your answers; if they do, approval of the engagement requires the approval of all additional risk assessments as
well. You can monitor your request's progress on the In Progress tile in the Engagement Requests area.
Related Information
Prerequisites
You must be a member of the Supplier Risk Engagement Governance Analyst group to add approvers to an
engagement request or risk assessment.
You can only add approvers to a request or assessment if it has no approval flow defined for it in the template.
Context
You can add either individual users or system user groups such as Supplier Risk Engagement Analyst as
approvers. If you choose a user group, the first member of the group to respond approves or denies the request
Procedure
1. From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. In the Pending Tasks list, locate the approval task and click Add Approver.
3. Use the arrow buttons to page through the list of available approvers, or enter group or user names in the
Search field, to locate the approvers you want to add.
4. Check the users and groups you want to add.
5. Click Update.
Results
The users or user groups are added to the approval flow. Users and the individual members of user groups added to
the approval flow receive a notification that they need to approve the request or assessment.
Related Information
Context
Newly submitted engagement requests are in Submitted status. Engagement requests that have had at least one
approval in the approval flow are in In Approval status.
If you are a member of the Supplier Risk Engagement Governance Analyst group, and you believe that an
engagement request requires further investigation or mitigation, in addition to denying it, you also have the option
of approving it but raising an issue for it [page 321].
Procedure
• Click the link in the email notification to open the engagement request.
• From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. Review the answers to the engagement request in the Risk Assessment Questionnaires area. If your site has
inherent risk scoring set up for engagement requests, you can also view its exposure and any associated risk
ratings in the Engagement request detail area at the top of the page.
3. In the Pending Tasks list, for the approval task, click Approve/Deny.
4. In the top right corner of the page, perform one of the following actions:
Results
If you are the final approver and you approve the request, the risk assessment project moves to In Assessment
status and a governance expert can send engagement-level risk assessments to external or internal stakeholders. If
you deny the request, it moves to Request Denied status and no further action can be taken.
Related Information
Prerequisites
To edit a submitted or approved engagement request, you must be the requester or a member of the Supplier Risk
Engagement Governance Analyst group.
Context
You can edit an engagement request when it is in Submitted or In Assessment status. After a governance expert
has sent at least one engagement-level risk assessment for it and the engagement risk assessment project has
moved to Awaiting Assessment Responses status, you can no longer edit the engagement request.
Procedure
1. From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. In the Risk Assessment Questionnaires area, which shows the engagement request, click Edit.
3. Modify previous answers to the engagement request as necessary.
4. Click Submit.
Results
Depending on your company's engagement risk assessment project setup, the changes you make might change
the engagement-level risk assessments that are recommended for this engagement request.
Prerequisites
To cancel an engagement request, you must be the requester or a member of the Supplier Risk Engagement
Governance Analyst group.
Context
You can cancel engagement requests in Submitted and In Assessment status. Once a governance expert has sent
out at least one engagement-level risk assessment and the engagement risk assessment has moved to Awaiting
Assessment Responses status, you can no longer cancel it.
Procedure
1. From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. In the Engagement Request Detail area at the top of the page, choose Action > Cancel.
3. Click OK.
The engagement risk assessment project is now in Cancelled status. You can view it on the Completed tile of the
Engagement Requests area.
Related Information
Prerequisites
To create an issue for an engagement risk assessment, you must be either the user who created the engagement
request or a member of the Supplier Risk Engagement Governance Analyst group.
You can assign new issues to any member of the Supplier Risk User, Supplier Risk Manager, Supplier Risk
Engagement Requestor, Supplier Risk Engagement Analyst, Supplier Risk Engagement Expert, and Supplier
Risk Engagement Governance Analyst groups.
You can create an issue for an engagement risk assessment at any point from the time the request is submitted
until the engagement risk assessment is completed. You can create the issue at the overall engagement level or for
a specific sent or previous assessment in the engagement.
Procedure
• To create an engagement-level issue, in the upper right corner of the engagement page, choose Action >
Create issue.
• To create an issue for a specific assessment, click Create issue to the right of the recipient's name.
3. Enter a title and description for the issue.
4. Choose the person who can resolve the issue from the assignee dropdown menu.
5. Choose a severity from the severity dropdown menu.
6. If you have a deadline by which the issue must be resolved, use the calendar chooser to choose a due date.
7. Add any other necessary information for the issue.
8. Click Submit.
Results
Submitting the issue creates an issue management project in Draft status and starts its workflow.
Automatic email notifications inform you, the assignee, and members of the Supplier Risk Engagement
Governance Analyst group of the new issue and of any subsequent updates.
Next Steps
You can view the issue, its process flow, and its tasks either from the My Issues tile on the Supplier Risk dashboard
or by clicking the flag icon next to the engagement's name on the engagement page. If you created the
issue for a specific assessment, you can also view it by clicking the flag icon to the right of the assessment
recipient's name.
Related Information
Prerequisites
If you are a task owner, reviewer, or approver for an engagement risk issue task, but you don't otherwise have
permission to work with engagement risk assessments, you can view and add comments to the issue, but you
cannot view the associated engagement risk assessment. Anyone who has permission to view the issue can also
view details for any of its completed tasks. To edit the issue, you must be either the person who created it, the
assignee, or a member of the Supplier Risk Engagement Governance Analyst group.
To complete an issue-related task, you must be a task owner (for To Do tasks) or be one of the users assigned to its
review or approval flow (for review and approval tasks).
Context
Your company's engagement risk issue management process [page 311] includes steps for defining and analyzing
the issue, proposing a resolution, and approving the resolution. Its tasks assign these steps to various relevant
stakeholders, who receive email notifications when their assigned tasks start. If you are assigned to a task for an
issue, and that task is currently active, you can click a button next to it in the Tasks table to complete it.
Your company's issue management process defines the owner of all issue management tasks before the issue is
assigned. After an assignee is specified for the issue, they automatically become the owner of all of the issue's
Depending on your role in the issue management process and your permissions, you might edit the issue to add
more information, correct existing information, add comments, attach a document such as a remediation plan or a
waiver, or make a user at your company the assignee before completing your task. Each task in the workflow must
be completed before the next task can start. The issue cannot close until all of its tasks are completed.
The issue page includes a process flow diagram that shows all of the tasks in the workflow, with color coding to
indicate tasks that have been completed. You can hover a mouse over any incomplete To Do task in the flow to see
its owner, and any incomplete approval or review task in the flow to see its currently active approver or reviewer.
Procedure
The Comments area shows your new comment at the top of the comment list.
3. If you need to edit the issue and have permission to do so, perform the following actions:
a. At the top of the issue page, click Edit.
b. Add or modify information in any of the editable fields as needed.
c. Click Submit.
4. In the Tasks area, locate your assigned task and perform one of the following actions:
• For a To Do task, click Mark Complete, then click Yes to confirm that you want to complete the task.
• For a review task, click Complete Review. On the Issue Task Detail page, enter any review comments you
might have, click Confirm Review Complete, and click Done to return to the issue page.
• For an approval task, click Approve/Deny. On the Issue Task Detail page, click Approve or Deny, enter
explanatory comments, click Confirm, and click Done to return to the issue page.
Results
The issue management process flow at the top of the issue page updates to show the completed task, and the
next task in the issue management workflow starts automatically. Users with permission to view the issue can click
View next to any completed task to view its details, which include any comments that reviewers or approvers added
when completing review or approval tasks.
Next Steps
If an approval task is denied, and you are its owner, you can restart it by choosing Actions > Resubmit in
the Tasks area, clicking Resubmit on the Issue Task Detail page, entering any optional comments and clicking
Confirm Resubmit, and clicking Done. The approval flow then restarts, and approvers can reevaluate the issue and
either approve it this time or deny it again.
Related Information
Prerequisites
Note
The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.
To add approvers to an approval task or reviewers to a review task in an issue, you must be a member of the issue's
Project Owner group as defined in your site's issue management project template.
You can only add approvers or reviewers to an issue management task if there are no approvers or reviewers
defined for it in the project template.
You can add either individual users or system user groups such as Supplier Risk Engagement Analyst as
approvers or reviewers. If you choose a user group, the first member of the group to respond reviews, approves, or
denies the issue. If you select multiple users or groups, they are all added as parallel nodes in the approval or review
flow.
Procedure
• On the dashboard, choose Manage > My Tasks, click the name of your assigned task, and choose
View Task Details.
• If you are the person who created the issue, the assignee, or a member of the Supplier Risk Engagement
Governance Analyst group, on the Supplier Risk dashboard, click the My Issues tile, then click the issue
name.
2. In the Pending Tasks list, locate the approval or review task and click Add Approver or Add Reviewer.
3. Check the users and groups you want to add.
4. Click Update.
Results
The users or user groups are added to the approval or review flow. The users and individual members of the groups
receive notifications letting them know that they must complete the task.
Related Information
How to Define, Analyze, or Resolve a Legacy Engagement Risk Issue [page 323]
The Legacy Engagement Risk Issue Management Process [page 311]
Prerequisites
Note
The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.
You must be a member of the Supplier Risk Engagement Governance Analyst group to send engagement-level
risk assessments.
Only members of the Supplier Risk Engagement Analyst, Supplier Risk Engagement Expert, Supplier Risk
Engagement Governance Analyst, and Supplier Risk Manager groups are included on the list of recipients to
whom you can send internal risk assessments.
Only the contacts defined for the engagement's supplier are included on the list of recipients to whom you can
send external risk assessments. If you want to send an external risk assessment, and the engagement request did
not specify a supplier, you must set one as part of this procedure before you can specify external recipients. If the
supplier you specify does not currently have any available recipients, you can add them on the Contacts tab of the
Overview tile in the supplier's 360° profile.
Context
Supplier or third-party risk assessment projects do not require engagement-level risk assessments. If a specific
engagement does not require assessment beyond the inherent risk questions in the engagement request, you can
skip this process [page 331].
The number of risk assessments you can send depends on how your company's risk assessment process is set up.
You send external risk assessments to the supplier specified for the engagement, and internal risk assessments to
other stakeholders or experts in your company.
Note
If the engagement request does not specify a supplier, you can do so before sending the risk assessments, and
you must do so if you want to send an assessment to an external recipient. You can also specify a different
Risk assessments are recommended based on how your company's risk assessment process is set up. Either
answers to specific questions about inherent risk in the engagement request or the engagement request's overall
inherent risk exposure can generate recommendations.
If a previous risk assessment project for the same supplier included any of the currently available risk assessments in
the past year, you can see who submitted the previous assessment, when, and its residual risk exposure, and you
can view the previous answers. Based on that information, you can decide whether to send the risk assessment
again or use the most recent previous answers.
Procedure
1. From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. In the Pending Tasks list, for the To Do task to send assessments, click Start.
3. Review the selected supplier. If there is no selected supplier and the engagement involves a supplier or
third party, or if you want to select a different supplier from the one specified in the engagement request,
perform the following steps:
a. Start entering the name of the supplier you want to specify for the engagement in the Search field, then
choose from the list of matching suppliers.
b. Click Set Supplier.
4. Choose the risk assessments you want to send:
a. Recommended assessments are always checked by default. Uncheck any that you do not want to send.
b. Check any additional assessments you also want to send.
Tip
To see the contents of an assessment, click Preview to review it, then click Done to return to the send
assessments page.
5. For each checked assessment, click Send to and check the users at your company (for internal risk
assessments) or the supplier contacts (for external risk assessments) to whom you want to send the
assessment, then click Update.
6. Click Send Assessments.
Results
The recipients you chose receive email notifications inviting them to fill out and submit the assessment. The risk
assessment project moves from In Assessment status to Awaiting Assessment Responses status.
After sending out the first round of assessments, if recipients are not responding promptly, or if you decide
that additional assessments are needed, you can send additional assessments or resend any previously-sent
assessments to either the same recipient or a different recipient [page 329].
Related Information
Prerequisites
Note
The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.
You must be a member of the Supplier Risk Engagement Governance Analyst group to send engagement-level
risk assessments.
Only members of the Supplier Risk Engagement Analyst, Supplier Risk Engagement Expert, Supplier Risk
Engagement Governance Analyst, and Supplier Risk Manager groups are included on the list of recipients
to whom you can send internal risk assessments.
Context
Resending a risk assessment to the current recipient can provide a reminder that they owe you a response. If the
current recipient has left the company or changed roles, or is on vacation or otherwise unavailable and will not be
able to respond in the necessary time frame, you can resend the assessment to a different recipient instead.
You can also send additional risk assessments while previous assessments are still in progress.
You can resend previously-sent risk assessments or send new additional risk assessments while the engagement
risk assessment project is in Awaiting Assessment Responses or Pending Assessment Approval status. Once
the final risk assessment has been approved or denied and the engagement risk assessment project moves to
Completed status, you can no longer send risk assessments for it.
Procedure
1. From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. In the Completed Tasks list, for the To Do task to send assessments, click View.
3. Perform one of the following actions:
• On the list of sent assessments, click Resend for the risk assessments you want to resend.
• On the list of previous assessments or unsent assessments, click Send for the additional risk assessments
you want to send.
4. Check the users at your company (for internal risk assessments) or the supplier contacts (for external risk
assessments) to whom you want to send the assessment. For assessments you are resending, the users you
check can be the original recipients or different recipients.
5. Click Send assessments.
Results
The recipients you selected receive email notifications inviting them to fill out and submit the risk assessments. If
you selected a new recipient for a previously-sent assessment, the original recipient no longer has access to it.
Related Information
Prerequisites
Note
The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.
You must be a member of the Supplier Risk Engagement Governance Analyst group to skip risk assessments.
Context
Risk assessment projects do not always require engagement-level risk assessments. Depending on your company's
processes and governance rules, there might be circumstances where those engagement-level risk assessments
are not necessary at all for specific engagements. There might also be cases where the supplier has recently
completed all necessary risk assessments for previous risk assessment projects and provided satisfactory
answers, and you want to use those previous assessments rather than asking the supplier to fill them out again. You
can then manually skip the step of sending out the risk assessments for the current engagement, moving its status
directly to Completed: Assessments skipped manually status.
If your site is configured to automatically skip assessments for engagements with no recommended assessments,
you only need to manually skip assessments if you decide that the recommended assessments are not necessary
for that particular engagement; if there are no recommended assessments, the engagement moves automatically
to Completed: Assessments skipped automatically status. If your site does not use this configuration option,
you must always manually skip assessments if you decide that an engagement doesn't require them, even for
engagements with no recommended assessments.
1. From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. In the Pending Tasks list, for the To Do task to send assessments, click Start.
3. Uncheck any currently checked risk assessments.
4. Click Skip Assessments.
Results
The risk assessment project moves directly to Completed: Assessments skipped manually status.
Related Information
Prerequisites
Note
The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.
Procedure
• Click the link in the email notification to open the engagement. In the pending tasks list, click the Start
button to the right of the task for your assigned assessment.
• From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. Fill out the assessment and click Submit.
Results
Your assessment is sent to its designated approvers for review and approval. If you are the last person to submit an
assessment for the current risk assessment project, it moves from Awaiting Assessment Responses to Pending
Assessment Approval status. Otherwise, it remains in Awaiting Assessment Responses status.
Related Information
Context
Note
The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
If a risk assessment is calculated, you can see whether its residual exposure falls above or below the target
exposure when you review it. Residual exposures lower than the target exposure indicate higher risk.
Procedure
Results
After all of the risk assessments associated with an engagement request are approved, the engagement is
automatically approved and has Completed status. If one assessment associated with an engagement request
is denied, the engagement is automatically denied and has Assessment Approval Denied status.
Related Information
Note
The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.
Action | Status
A user has created a new engagement request but has not yet submitted it. | Draft
A user has completed an engagement request and submitted it. | Draft > Submitted
An approver has denied the engagement request. | Submitted > Request Denied
In a site configured to automatically skip assessments when there are no recommended assessments, an approver has approved an engagement request that does not generate any assessment recommendations. | Submitted > Completed: Assessments skipped automatically
An approver has approved the engagement request, and the engagement request has generated assessment recommendations or the site is not configured to skip assessments if no recommendations are generated. | Submitted > In Assessment
A governance expert has sent engagement-level risk assessments to internal or external recipients. | In Assessment > Awaiting Assessment Responses
A governance expert has manually skipped sending risk assessments. | In Assessment > Completed: Assessments skipped manually
All of the respondents have completed and submitted the sent assessments and they have all entered the approval flow. | Awaiting Assessment Responses > Pending Assessment Approval
At least one approver has denied an assessment. | Pending Assessment Approval > Assessment Approval Denied
Approvers have finally approved all of the engagement-level risk assessments. | Pending Assessment Approval > Completed
Related Information
Note
The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.
The status of an issue management project has no direct effect on the status of its associated engagement risk
assessment project. It is for informational purposes only.
Action | Status
The last task in the Issue Definition phase is completed. | Draft > In Progress
The last task in the Issue Resolution Acceptance phase is completed and the issue resolution is approved. | In Progress > Resolved
The last task in the Issue Resolution Acceptance phase is completed and the issue resolution is denied. | In Progress > Request Denied
Related Information
Prerequisites
Note
The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.
To run the Engagement Summary report, you must be a member of the Supplier Risk Engagement Analyst,
Supplier Risk Engagement Expert, or Supplier Risk Engagement Governance Analyst group.
Depending on your company's engagement request setup, you might be able to filter the report by commodity,
region, internal users, and their departments. The report also contains a field for each available filter.
Procedure
• For commodity, region, and department filters, either click Browse, navigate through the tree, and check a
value, or click Search, start entering a name, and choose from the list of suggestions.
• For user filters, start entering a name and choose from the list of suggestions.
• For Assessments were skipped, choose False to show only engagement risk assessments with completed
assessments, True to show only engagement risk assessments where assessments were skipped (either
manually or automatically), or Not Applicable to show both.
5. Click Generate report.
Results
To sort the online report by column, click on the column name. To view engagement-level risk assessment details
for an engagement risk assessment project, click Expand in the Risk assessment column. To export the current
report to a Microsoft Excel file for use offline, click Export.
Support-Enabled Site Configuration Parameters for SAP Ariba Supplier Risk [page 340]
Self-Service Site Configuration Parameters for SAP Ariba Supplier Risk in Intelligent Configuration Manager
[page 341]
By default, a phase automatically completes when all of its required tasks are completed. If
Application.ACM.PhaseAutoComplete is set to No, users must manually mark a phase
complete.
Application.SR.Engagement.AutoSkipAssessments (set by SAP Ariba Support)
Specifies whether or not supplier or third-party engagement risk assessment projects
with engagement requests that do not generate any engagement-level risk assessment
questionnaire recommendations automatically skip the send assessments phase. If this
parameter is enabled, approved engagement requests with no recommended assessments
automatically move to Completed: Assessments skipped automatically status. If it
is disabled, engagement requests with no recommended assessments move to the
send assessments phase, and a governance expert must manually either skip or select
assessments to send. The default setting is No, meaning that engagement requests that do
not generate assessment recommendations still move to the send assessments phase.
Note
This parameter is only applicable for legacy engagement risk assessment projects.
For information about how to manage parameters, see Intelligent Configuration Manager Administration.
Ability to select SAP business network as the data source for assessment responses [page 343]
Add issue assignees to the assignee project group only [page 344]
Allow engagement Project Owner groups to inherit project group membership from the template [page 346]
Allow using control effectiveness levels to evaluate residual risk by risk domain [page 349]
Allow using issues to evaluate residual risk by risk domain [page 350]
Calculate supplier level inherent and residual risk by risk domain [page 353]
Calculate task due date based on predecessor completion date [page 355]
Define percentage-based scoring ratings and ranges for engagement questionnaires [page 358]
Define point-based scoring ratings and ranges for engagement questionnaires [page 359]
Define the amount of change allowed for engagement residual risk ratings [page 359]
Enable advanced send assessment workflow for engagement projects [page 363]
Enable API updates for external modular questionnaires with any status [page 364]
Enable asynchronous processing of business details and the inherent risk screening questionnaire [page 367]
Enable change project owner action on the engagement page [page 369]
Enable document types for engagement requests originating from non-catalog purchases [page 370]
Enable editability access control for the issue form [page 371]
Enable enhanced filtering and pagination for standalone modular questionnaires [page 374]
Enable enhanced status information for assessments and risk controls [page 375]
Enable manage project team action on the engagement page [page 378]
Enable modular questionnaire template creation in sites with a basic supplier management entitlement [page
379]
Reopen all initial approval phase tasks for insignificant changes requiring approval [page 394]
Reopen post project approval phase with engagement review [page 395]
Require issue completion for final engagement project approval [page 395]
Require only attachment and expiration date for supplier certificates [page 397]
Require only basic approval for engagement projects with no controls [page 398]
Restrict editing of residual risk ratings based on engagement issues [page 399]
Use custom logo and footer for emails sent to suppliers [page 405]
Related Information
Adds the ability to select SAP Business Network as the data source for responses to a modular questionnaire
used as an assessment for engagement requests. This parameter is relevant only when the parameter Import risk
assessment data for engagement requests (Application.SR.Engagement.RiskAssessmentDataImport) is
also enabled.
ID Application.SR.Engagement.ImportResponsesFromBusinessNetwork
Name Ability to select SAP business network as the data source for assessment responses
Default value No
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Specifies whether assignees are added to only the assignee project group in issue management projects or are also
added to the Project Owner group. When assignees are added only to the assignee group, template creators can
define separate task ownership and editability access control for assignees and project owners.
ID Application.SR.IssueManagement.AddAssigneeToAssigneeTeamOnly
Default value No
By default, issue assignees are added to the Project Owner project group as well as the dedicated issue assignee
project group if your issue management project template includes it.
Setting this parameter to Yes adds issue assignees only to the dedicated assignee project group so that they do
not have Project Owner permissions.
In addition to enabling this parameter, if your issue management project template does not already include a
dedicated assignee group, a template creator must also add a project group named Assignee to the issue
management template. The presence of that project group in the published issue management project template is
required for the behavior enabled by this parameter to function correctly.
If you have also enabled Restrict issue project visibility by role [page 401], you can use access control to ensure
that issue creators (members of the Project Owner group) and issue assignees can only edit the appropriate
sections of the issue form and that assignees and creators cannot edit the same sections of the form.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.AllowChangeRequest
Default value No
This parameter is relevant in sites using control-based engagement risk assessment projects. Its value determines
whether, on the engagement summary page, authorized users can choose Action > Change request to trigger
a change request workflow. Use of the Change request action also requires that a change request workflow have
been defined as described in the topic Adding change request workflow to the Supplier Risk Engagement Template.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.AllowSkipAssessmentResponse
Default value No
When this parameter is set to Yes, a decision maker can choose to Skip an assessment from the control details
page. This allows them to move on to setting the effectiveness level for the control or service, rather than waiting
for a response.
Note
Normally, any internal assessment resent during a control reopen is addressed to the original recipient. A
skipped assessment, however, is canceled and thus has no record of to whom it was sent. The control reopen
therefore must use the internal recipients group for internal assessments that were previously skipped.
The topic About Modular Supplier Management Questionnaires in Control-Based Engagement Risk
Assessment Projects indicates that the default list of internal recipients is all members of the Project Owner
project group for the engagement risk assessment project. When resending an internal assessment as part of
Thus, neither of the two possible default values for the recipient is available when resending an assessment
that was previously skipped. If you plan to allow users to skip assessment responses, it’s therefore important
to ensure that each modular questionnaire template used for internal assessments includes a defined internal
recipients group.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
Related Information
ID Application.SR.Engagement.InheritTemplateGroupsToProjects
Name Allow engagement Project Owner groups to inherit project group membership from the template
Default value No
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Enables requesters to submit engagement requests for control-based engagement risk assessment projects with
no supplier selected.
ID Application.SR.Engagement.AllowOptionalSupplier
Default value No
By default, requesters cannot submit engagement requests unless they have selected a supplier for the
engagement. Setting this parameter to Yes allows requesters to successfully submit engagement requests with
no supplier selected.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
Related Information
Enables the option for a decision maker to complete a control review task without
rendering an effectiveness decision. Once enabled, disabling this parameter is not recommended.
This feature also requires enabling the parameter Enable control review workflow
(Application.SR.Engagement.EnableControlReviewWorkflow).
ID Application.SR.Engagement.AllowNoEffectivenessOptionForControlReview
Default value No
• A decision maker for a control can choose Action > Skip control review rather than setting the
effectiveness level for a control or service.
• The Control effectiveness options choice is available in the Supplier Risk settings ( ). Here you can define
the available reasons for skipping a control review. These reasons appear in a dropdown on the Skip control
review dialog.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
Related Information
Allows users to create findings from within Supplier Risk. Authorized users can create general findings, or findings
specific to engagements, controls, or services.
ID Application.SR.Engagement.CreateFinding
Default value No
If Yes, users document supplier or engagement concerns using findings. If No, they use issues.
A finding or issue can be associated with an engagement or one of its controls. The findings feature additionally
allows creation of a general finding about a supplier, not specific to an engagement.
If you change from issues (No for this parameter) to findings (Yes for this parameter), users can no longer create
issues, but any issues that already exist are retained. The reverse is true if you switch from findings to issues.
Note
The ability to create engagement-related findings enabled using this parameter applies only to control-based
engagement risk assessment projects. For more information about these projects, see Setting up SAP Ariba
Supplier Risk.
The ability to create general findings is not limited to sites configured for control-based engagement risk
assessment projects.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Enables calculating residual risk by risk domain using control effectiveness levels: makes this method available to
choose on the Engagement risk level configuration page.
ID Application.SR.Engagement.UseControlEffectivenessForResidualRisk
Name Allow using control effectiveness levels to evaluate residual risk by risk domain
Default value No
When setting this parameter to Yes, you must also enable the following parameters:
For a description of the full configuration workflow for setting up residual risk calculations with visibility into risk
domains, refer to Configuring Residual Risk Calculations by Risk Domain.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Enables calculating residual risk by risk domain using issues: makes this method available to choose on the
Engagement risk level configuration page.
ID Application.SR.Engagement.UseControlIssuesForResidualRisk
When setting this parameter to Yes, you must also enable the parameter Calculate inherent risk for engagements
by risk domain (Application.SR.Engagement.DomainBasedInherentRisk). Residual risk is calculated only
for risk domains that have inherent risk values.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
If Yes, engagement level residual risk is calculated by risk domain, using the configured method (based on control
effectiveness or issues). If No, engagement level residual risk is equal to the maximum residual risk rating from all
its control- and engagement-level issues.
ID Application.SR.Engagement.CalculateEngagementLevelResidualRiskByDomain
Default value No
Note
When you enable this feature, you are choosing to calculate engagement-level residual risk based on the issues
or control effectiveness for the risk controls on the engagement. In this case, users cannot manually change
residual risk values at the engagement level, and the following parameters related to manual changes are not
relevant:
• Define the amount of change allowed for engagement residual risk ratings
(Application.SR.Engagement.ResidualRiskAllowableChange)
• Restrict editing of residual risk ratings based on engagement issues
(Application.SR.Engagement.EnableIssueBasedRestrictionsOnResidualRiskSelection)
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Enables inherent risk calculation for engagements segmented by user-defined risk domains. Risk domain weighting
allows internal risk experts to tailor the calculation to reflect the relative importance of each.
ID Application.SR.Engagement.DomainBasedInherentRisk
Default value No
This parameter controls the ability to assign risk domains and domain weights to sections of the inherent risk
screening questionnaire, in order to calculate inherent risk by risk domain.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
If Yes, supplier-level inherent and residual risk are calculated, with visibility into risk domains. If
No, supplier-level inherent and residual risk are not calculated.
ID Application.SR.Engagement.SRRiskScoresCalculationSupplierLevel
Name Calculate supplier level inherent and residual risk by risk domain
Default value No
Note
When setting this parameter to Yes: The supplier-level inherent and residual risk ratings
are defined to be the most severe rating for any active engagement for that supplier.
Since the engagement-level ratings are the source for generating the supplier-level rating, you
must also enable the parameter Calculate engagement level residual risk by risk domain
(Application.SR.Engagement.CalculateEngagementLevelResidualRiskByDomain).
Yes Overall supplier-level inherent risk and residual risk score and rating are calculated from the
engagement-level values. The Engagement requests tab in the Risk area of the supplier 360° shows inherent
and residual risk values at the issue, risk control, engagement, and supplier level.
Supplier-level inherent or residual risk is calculated or recalculated in response to an event that might
change its value. For example:
• If the inherent or residual risk for an engagement for the supplier changes
• If a new engagement request is submitted or an engagement is canceled or archived
Note
When you enable this feature, supplier-level inherent and residual risk are calculated from that
point forward; there is no mass calculation of overall inherent and residual risk for all suppliers.
The calculation for a supplier is triggered for the first time when one of the above changes occurs.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.CalculateTaskDueDateFromPredecessorCompletionDate
Default value No
Tip
When you set this parameter to Yes, or change it back to No, the new rule for calculating task due date
applies from that point forward. Task due dates that have already been set are not changed. If a phase is later
reopened, for example for a periodic review, due dates for all reopening To Do and approval tasks are handled
according to the setting for this parameter.
Yes
• The due date of a To Do or approval task is the latest completion date of its predecessors plus the duration
defined on the Supplier Risk Engagement Template in the task Due date field.
• The due date for a task that has no defined predecessor is the start date of the phase plus the task's duration.
• The task page in the Supplier Risk Engagement Template shows the Due Date entry field as <n> days after all
predecessors are complete.
• A To Do or approval task with one or more predecessors has no due date value until its predecessors complete.
No
• The due date for each task is the start date of the phase plus the task's duration.
• The task page in the Supplier Risk Engagement Template shows the Due Date entry field as <n> days after
parent phase starts.
• Due dates for all tasks in a phase are calculated when the phase starts.
Example
A phase has three To Do tasks (A1, B1, and C1). Each has a duration of 2 days and none has a defined
predecessor. The phase starts on May 4 so each To Do task has a due date of May 6.
Three approval tasks (A2, B2, and C2) have predecessor relationships as follows:
A2 2 days A1
B2 3 days B1
The To Do tasks actually complete later than expected. Task A1 completes on May 10, task B1 on May 8, and
task C1 on May 9.
The due dates for tasks A2-C2 depend on the setting for this parameter.
Parameter Calculate task due date based on predecessor completion date is set to No
Parameter Calculate task due date based on predecessor completion date is set to Yes
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
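The due-date rules for this parameter, applied to the example above for both settings. This is an added illustration, not SAP Ariba's implementation. It assumes calendar-day durations and the year 2026 (the page gives neither); task C2 is left out because its duration and predecessor are not given here, and task D2 with two predecessors is constructed to show the latest-completion rule.

```python
from datetime import date, timedelta

# Constructed year: the page's example gives only month and day.
YEAR = 2026
PHASE_START = date(YEAR, 5, 4)

# name -> (duration in days, predecessors).
# A1, B1, C1, A2 and B2 follow the page's example; D2 is a constructed task.
TASKS = {
    "A1": (2, []),
    "B1": (2, []),
    "C1": (2, []),
    "A2": (2, ["A1"]),
    "B2": (3, ["B1"]),
    "D2": (1, ["B1", "C1"]),
}

# Actual completion dates of the To Do tasks, from the page's example.
COMPLETED = {
    "A1": date(YEAR, 5, 10),
    "B1": date(YEAR, 5, 8),
    "C1": date(YEAR, 5, 9),
}


def due_dates(tasks, phase_start, completed, by_predecessor_completion):
    """Return {task name: due date or None} for one phase.

    by_predecessor_completion=False models the parameter set to No:
    every due date is phase start + duration, known when the phase starts.

    by_predecessor_completion=True models the parameter set to Yes:
    a task with predecessors is due <duration> days after the latest
    predecessor completion, and has no due date (None) until all of its
    predecessors are complete. A task without predecessors still uses
    phase start + duration.
    """
    result = {}
    for name, (duration, predecessors) in tasks.items():
        span = timedelta(days=duration)  # assumption: calendar days
        if not by_predecessor_completion or not predecessors:
            result[name] = phase_start + span
        elif all(p in completed for p in predecessors):
            latest = max(completed[p] for p in predecessors)
            result[name] = latest + span
        else:
            result[name] = None
    return result


if __name__ == "__main__":
    scenarios = [
        ("No", False, COMPLETED),
        ("Yes, nothing complete yet", True, {}),
        ("Yes, only B1 complete", True, {"B1": COMPLETED["B1"]}),
        ("Yes, A1-C1 complete", True, COMPLETED),
    ]
    for label, flag, done in scenarios:
        print(label)
        for task, due in due_dates(TASKS, PHASE_START, done, flag).items():
            print(f"  {task}: {due.isoformat() if due else 'no due date yet'}")
```

With the parameter set to No, the approval tasks are already overdue by the time their predecessors finish late; with Yes, their due dates move with the actual completion dates.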
Related Information
ID Application.SR.Engagement.CreateActionsForControlsAndAssessments
Set this parameter to No if you don't want the related engagement project control reviews and assessments to be
included in the Actions tile and the Actions queue page.
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Specifies whether pending To Do and approval tasks in engagements and associated issues and assessment
questionnaires have actions associated with them.
ID Application.SR.Engagement.CreateActionsForToDoAndApprovalTasks
Set this parameter to No if you don't want the pending To Do and approval tasks for engagement projects and their
associated issues and assessment questionnaires to be included in the Actions tile and the Actions queue page.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
ID Application.SR.Engagement.RiskScoreRanges
Name Define percentage-based scoring ratings and ranges for engagement questionnaires
Range values must be between 0 and 100, with no gaps between ranges, in the format Rating name:low
value:high value.
If there is any overlap between two ratings, the rating with the higher range is used. The default values mean that
scores of 0% to 49% have a low risk rating, scores of 50% to 74% have a medium risk rating, and scores of 75%
to 100% have a high risk rating. Note that the default ranges assume that your pre-grading assigns higher scores
for high-risk answers and lower scores for low-risk answers. You can specify any number of ranges, with a maximum
high value of 100%.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.RiskPointBasedScoreRanges
Name Define point-based scoring ratings and ranges for engagement questionnaires
Range values must be 0 or greater, with no gaps between ranges, in the format Rating name:low value:high
value.
If there is any overlap between two ratings, the rating with the higher range is used. The default values mean that
scores of 0 to 59 points have a low risk rating, scores of 60 to 89 points have a medium risk rating, and scores of
90 to 1000 points have a high risk rating. Note that the default ranges assume that your pre-grading assigns more
points for high-risk answers and fewer points for low-risk answers. You can specify any number of ranges, with a
maximum high value of 1000 points.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
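A validator and lookup for the Rating name:low value:high value format used by both the percentage-based and the point-based range parameters. This is an added example, not SAP Ariba's code. The comma separator between entries, the whole-number scores, the function names, and the reading of "higher range" as the range with the higher bounds are assumptions; the sample strings are constructed from the default values described above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RatingRange:
    name: str
    low: int
    high: int


def parse_ranges(spec, max_value):
    """Parse 'Name:low:high' entries and enforce the documented rules.

    max_value is 100 for percentage-based ranges and 1000 for point-based
    ranges. Assumption: entries are separated by commas.
    """
    ranges = []
    for entry in spec.split(","):
        parts = entry.strip().split(":")
        if len(parts) != 3 or not parts[0].strip():
            raise ValueError(f"expected 'Rating name:low:high', got {entry!r}")
        name = parts[0].strip()
        try:
            low, high = int(parts[1]), int(parts[2])
        except ValueError:
            raise ValueError(f"non-numeric bound in {entry!r}") from None
        if low < 0 or high > max_value or low > high:
            raise ValueError(f"bounds out of range 0..{max_value} in {entry!r}")
        ranges.append(RatingRange(name, low, high))

    # "No gaps": walking the ranges in ascending order, each one must start
    # no later than one past the highest value covered so far.
    ranges.sort(key=lambda r: (r.low, r.high))
    covered = ranges[0].high
    for r in ranges[1:]:
        if r.low > covered + 1:
            raise ValueError(f"gap between {covered} and {r.low} before {r.name!r}")
        covered = max(covered, r.high)
    return ranges


def rate(score, ranges):
    """Return the rating name for a score.

    When ranges overlap, the rating with the higher range wins
    (interpreted here as the matching range with the higher bounds).
    """
    matches = [r for r in ranges if r.low <= score <= r.high]
    if not matches:
        raise ValueError(f"score {score} is outside every configured range")
    return max(matches, key=lambda r: (r.low, r.high)).name


# Constructed sample values mirroring the defaults described on the page.
PERCENT_DEFAULT = "Low:0:49,Medium:50:74,High:75:100"
POINT_DEFAULT = "Low:0:59,Medium:60:89,High:90:1000"

if __name__ == "__main__":
    pct = parse_ranges(PERCENT_DEFAULT, 100)
    pts = parse_ranges(POINT_DEFAULT, 1000)
    for score in (0, 49, 50, 74, 75, 100):
        print(f"{score}% -> {rate(score, pct)}")
    for score in (59, 60, 89, 90, 1000):
        print(f"{score} points -> {rate(score, pts)}")
    # Overlap between Low (0-55) and Medium (50-74): Medium is used.
    overlapping = parse_ranges("Low:0:55,Medium:50:74,High:75:100", 100)
    print("52% with overlap ->", rate(52, overlapping))
```

Running a proposed value through a check like this before saving it catches gaps and out-of-bounds values that would otherwise leave some scores without a rating.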
Related Information
Name Define the amount of change allowed for engagement residual risk ratings
Default value 4
Residual risk ratings for engagement risk assessment projects are numbers between 1 and 5. The original residual
risk rating for an engagement project is based on the highest residual risk rating of the issues associated with the
engagement. Residual risk ratings for issues are, in turn, based on issue severity and probability.
Since there are only 5 possible residual risk ratings, the default value of 4 means that users can change residual risk
ratings by any number of levels. Setting this parameter to 0 means that users cannot edit residual risk ratings at all.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
Note
This parameter is not relevant in sites configured to calculate residual risk by risk domain. In these sites,
residual risk values are automatically updated based on the issues or effectiveness levels for controls.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Disables or enables the View as Participant option for supplier management questionnaires in project advanced
view. This option allows internal users to update questionnaires as if they were the recipient.
ID Application.SM.HideSMProjectViewAsParticipantAfterEventPublish
Default value No
By default, internal users who can access the advanced view of a supplier management project can open a
questionnaire in the project on the Documents tab and use the View as Participant option to edit it as if
they were the recipient. To disable this option and prevent internal users with advanced view access from
editing questionnaires, set this parameter to Yes. This parameter's settings don't affect the ability of customer
administrators to act as supplier or internal users to edit questionnaire responses if necessary.
In SAP Ariba Supplier Risk, this setting is only applicable to modular questionnaires.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
ID Application.SR.Engagement.EnableActionQueue
Default value No
The Actions tile on the Supplier Risk dashboard shows the number of open approvals, To Do tasks, and other
actions for control-based risk assessment projects the user is able to act on. The Actions tile takes the user to a
new Action queue page where they can see a list of the open approvals, To Do tasks, and other actions they’re
assigned to either as an individual or as a member of a project group. Users click the linked name to complete the
action rather than going to individual engagement projects or looking for email notifications.
If any actions need immediate attention, determined by due dates or expiration dates, the number of these actions
appears at the bottom of the Actions tile in an orange color. They also show on the Action queue page with the
status Due soon in an orange color, or Overdue in a red color.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Enables the advanced workflow for archiving control-based engagement risk assessment projects. The simple
workflow archives the project in one step. In the advanced workflow, an archive request starts tasks in an archiving
phase, and the project is archived after those tasks are completed.
ID Application.SR.Engagement.EnableAdvancedArchiveWorkflow
Default value No
In sites where the engagement risk assessment project archiving feature is enabled, the default behavior is a simple
archiving workflow where users with the appropriate permissions archive engagement projects in a single step.
Setting this parameter to Yes enables the advanced archiving workflow, where an archive request starts a workflow
defined by tasks in an archiving phase in the engagement risk assessment project template. The engagement
project can only be archived after those tasks are complete.
To fully enable the advanced archiving workflow in your site, in addition to enabling this parameter, a member
of the Template Creator group must also set up the archiving phase in the engagement risk assessment project
template. The advanced archiving workflow does not function correctly without the required project template
configuration.
There is currently no way to upgrade existing engagement risk assessment projects to the latest published version
of the template. The simple archiving workflow allows you to archive any completed engagement risk assessment
project, but the advanced workflow only works in projects that were created from a version of the template that
includes the archiving phase.
Tip
If you want to implement the advanced archiving workflow, and your site includes completed engagement risk
assessment projects that require archiving but were created from a previous version of the template that did
not include the archiving phase, you can use the simple workflow to archive those projects before enabling the
advanced workflow.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
ID Application.SR.Engagement.AllowAdvancedEditCancel
Default value No
By default, users with the appropriate permissions can edit or cancel control-based engagement risk assessment
projects only up to the point where assessments are sent. Setting this parameter to Yes enables the advanced
editing and canceling feature, which allows users to edit or cancel control-based engagement risk assessment
projects in any phase up to the point of final approval and provides a resubmission workflow to handle edits that are
flagged as requiring reapproval or that introduce significant changes.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.EnableAdvancedSendAssessment
Default value No
By default, control-based engagement risk assessments use the simple workflow for sending assessments,
where completing the send assessments To Do task sends all required assessments to default recipients in a
single action. Setting this parameter to Yes enables the advanced workflow, which allows the owner of the send
assessments To Do task to send selected assessments in separate rounds.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SM.MQ.AllowUpdateResponseOnAllStatusFromAPI
Name Enable API updates for external modular questionnaires with any status
Default value No
The default setting for this parameter, No, means that client applications can't use the /answers endpoint of
the Supplier Data API with Pagination to update external modular questionnaires with Not Responded, Pending
Submission, or Pending Resubmission status. Questionnaires with these statuses are editable in the supplier view
on SAP Business Network. Setting this parameter to Yes removes this restriction and allows client applications to
use the /answers endpoint to update external modular questionnaires with any status.
For example, when this parameter is enabled, a client application can prepopulate a modular questionnaire with
data from an external system such as an ERP system immediately after a modular questionnaire manager or
process initiator has invited the supplier to fill it out, while it's still in Not Responded status. The invited supplier
contact sees the prepopulated answers and can verify them and update them as needed when submitting the
questionnaire for the first time.
The Supplier Data API with Pagination /answers endpoint always allows updates to internal modular
questionnaires with any status regardless of the setting of this parameter.
Related Information
Specifies whether the button for managing the assignee team shows in the upper right corner of the issue page.
Assignees can be added or removed from the assignee project group in issue management projects by users with
the appropriate permissions.
ID Application.SR.IssueManagement.ManageIssueAssigneeTeam
By default, the button for managing the assignee team shows in the upper right corner of the issue page in
control-based engagement risk assessment projects.
Setting this parameter to No removes the button to manage the assignee team on the upper right corner of the
issue page.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.EnableAsyncTemplateUpgrade
Asynchronous processing can improve the performance of the template upgrade process, especially if your
supplier risk engagement template is complex and has hundreds of questions, surveys, tasks, and conditions.
With asynchronous processing, you can continue working on something else while the upgrade processes, rather
than waiting for the upgrade to finish.
It is strongly recommended that you leave this parameter set to its default value of Yes.
If this parameter is set to No, template upgrade for an engagement processes synchronously, so you need to wait
for the template upgrade to finish.
To use template upgrade for engagements, the following parameters must also be enabled:
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.EnableStabilityAsyncDocProcessing
Name Enable asynchronous processing of business details and the inherent risk screening questionnaire
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.EnablePeriodicReviewBackgroundProcessing
Default value No
Setting this parameter is part of a specific sequence of configuration steps for periodic reviews, outlined in the
topic Adding Periodic and Ad Hoc Review to the Engagement Workflow.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
Related Information
This parameter enables you to configure certificate sections in supplier management questionnaires.
ID Application.SM.CustomizableCertificateSectionSupport
The default value of False means that a certificate section can't be added in the internal and external modular
supplier management questionnaire templates. Setting this parameter to True provides the option to add a certificate
section in the modular supplier management questionnaire template.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.ChangeOwnerAction
By default, the requester who creates a control-based engagement risk assessment project is the explicit project
owner and can’t be removed from its Project Owner project group. You can change the project owner by doing one
of the following:
• Go to Action > Manage team in the engagement project. To change the project owner of a control-based
engagement risk assessment project in the engagement project, you must have permission to view the
engagement project page.
• Use a question of type User mapped to project.Owner in either the business details or inherent risk
screening questionnaire in the engagement request. A member of the Template Creator group must
set up this question in the project template, and the option is only available when the engagement request is editable.
Only enterprise users are searchable and can be selected. Third-party users aren’t supported.
If a user other than the person who creates the project (the requester) is intended to be the project owner, this
change doesn’t take effect until the engagement project is submitted at least once.
Setting this parameter to No removes the Manage team action from the Action menu on the engagement project
page. Users with the appropriate permissions can no longer use it to change the project owner in any phase of the
project.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.EnableControlReviewWorkflow
Default value No
This parameter determines whether the Control review tab is available within the Configure periodic reviews
option when an administrative user clicks the settings icon ( ). Related tasks include:
• Enabling the Action Queue using the parameter Enable action queue
(Application.SR.Engagement.EnableActionQueue). For decision makers, this makes available:
• The Actions tile on the dashboard, where they can see the control-related actions for which they or a
decision maker group to which they belong are responsible.
• A control details page, accessible from an engagement, the Action queue, or the controls list page. Here
a decision maker can reopen a control review, change its expiration date, resend assessments, and enter
effectiveness decisions.
• Configuring control review workflow setup as described in the topic Setting Up Control Review Workflow.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
Related Information
ID Application.SR.Engagement.EngagementRequestFromNonCatalogPurchase
Name Enable document types for engagement requests originating from non-catalog purchases
Default value No
Note
Enabling this parameter adds new options to the dropdown for Engagement request document type.
That dropdown is only visible if the self-service parameter Enable engagement request document types
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Enables editability access control for the issue form in issue management projects. Template creators can use
editability access control to restrict who has permission to edit specific sections of the issue form based on role.
ID Application.SR.IssueManagement.UseTeamAccessForReadOnly
Default value No
Setting this parameter to Yes enables role-based editability access control for the issue form in issue management
projects. This access control allows you to restrict who can edit specific sections of the issue form based on either
project role or membership in specific global user groups that define project permissions.
If you have also enabled Add issue assignees to the assignee project group only [page 344], so that issue assignees
are not added to the Project Owner project group, you can use access control to ensure that issue creators
(members of the Project Owner group) and issue assignees can only edit appropriate sections of the issue form.
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Enables the ability to edit engagement change requests that have been submitted but not yet processed to
completion.
ID Application.SR.Engagement.AllowChangeRequestEdit
Default value No
This parameter is relevant in sites using control-based engagement risk assessment projects in which the
parameter Allow change requests (Application.SR.Engagement.AllowChangeRequest) is also enabled.
Its value determines whether, on the engagement summary page for an engagement with a change request in
progress, authorized users can choose Action > Edit change request to edit the change request. When the
edit to the change request is submitted, the resulting changes are evaluated for significance and the required tasks,
assessments, and controls adjusted accordingly.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.EnableEngagementRequestDocumentTypes
Default value No
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Enables administration and workflow for managing periodic and ad hoc reviews of live engagements.
ID Application.SR.Engagement.EnableEngagementReviewWorkflow
Default value No
This parameter determines whether the Engagements tab is available within the Configure periodic reviews
option when an administrative user clicks the settings icon. This is the first step toward setup of the periodic
review feature. The ability to start a periodic review also requires that periodic review setup and workflow have been
defined as described in the topic Adding Periodic and Ad Hoc Review to the Engagement Workflow.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Enables enhanced filtering and pagination in the workflow for sending standalone modular questionnaires.
ID Application.SM.MQ.EnableStandaloneMQEnhancement
Name Enable enhanced filtering and pagination for standalone modular questionnaires
Default value No
This parameter is one of two required settings to enable enhanced filtering and pagination in the workflow
for sending standalone modular questionnaires, and is set in Intelligent Configuration Manager. The other
required setting is the Application.SM.MQ.EnableStandaloneMQEnhancement parameter in SM Administration
> Configuration Parameters. Always enable or disable both parameters together.
Setting this parameter to Yes allows for content in the standalone external modular questionnaire list to:
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.EnhancedAssessmentControlStatus
Name Enable enhanced status information for assessments and risk controls
• Improved methods of determining and displaying assessment and control status in the user interface and in
the Risk Control Summary report
• Greater clarity about the state of each risk control: the engagement page and the control details or control
review page show both status and review decision for each control.
The Control review page, used only in sites where the Enable control review workflow
(Application.SR.Engagement.EnableControlReviewWorkflow) parameter is set to No, shows both Status
and Review decision for the control.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SM.MQ.EnableInternalFormsinModularQuestionnaires
This parameter is one of two required settings that enable or disable support for internal forms with associated
To Do and approval tasks in modular questionnaire projects (SM-30222). You set it in Intelligent Configuration
Manager. The other required setting is the Application.SM.MQEnableInternalFormsinModularQuestionnaires
parameter in SM Administration > Configuration Parameters. Always enable or disable both parameters
together.
Internal forms are a way of collecting information in modular questionnaire projects that is additional to or
supplements the information provided by the questionnaire project recipient in the key or main questionnaire.
You can use these internal forms and associated To Do and approval tasks to provide supplementary information or
analysis, or affirm actions performed in other systems.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Enables users with the appropriate permissions to manage membership of the Project Owner group in control-
based engagement risk assessment projects on the engagement page.
ID Application.SR.Engagement.ManageProjectTeamAction
Setting this parameter to No removes the Manage team action from the Action menu on the engagement project
page. Users with the appropriate permissions can no longer use it to manage the membership of the Project
Owner project group.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Enables creation of modular questionnaire project templates in sites that have the basic supplier management
entitlement and a solution package where modular questionnaires are a supported feature.
ID Application.SM.MQ.EnableMQCreationWithSMBasicConfig
Name Enable modular questionnaire template creation in sites with a basic supplier management
entitlement
Default value No
This feature enables the SM Modular Questionnaire project type in the Templates area in sites that have a basic
supplier management entitlement for core supplier management features. You must be a member of both the
Template Creator and SM Modular Questionnaire Manager group to create modular questionnaire templates.
Enabling this parameter isn't necessary if your site includes either SAP Ariba Supplier Lifecycle and Performance
or SAP Ariba Supplier Information and Performance Management (new architecture). Sites that include either
of these solutions automatically include modular questionnaire project templates and other core supplier
management features. However, if your site includes SAP Ariba Supplier Risk without one of these solutions, you
must enable this parameter to create project templates for engagement risk assessments.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Enables enhancements to certain tasks in control-based engagement risk assessment projects, including the
ability to resubmit some approval tasks; the ability to request more information when approving supplemental
ID Application.SR.Engagement.TaskEnhancementsForERProjects
The default setting, Yes, adds the following functionality to tasks in control-based engagement risk assessment
projects:
• Saving supplemental engagement questionnaires that are in progress. When this parameter is set to No,
the owners of To Do tasks for editing supplemental engagement questionnaires must either submit the
questionnaires and complete the To Do tasks or cancel and lose their answers.
• Requesting additional information on supplemental engagement questionnaires. When this parameter is set to
No, approvers can only approve or deny supplemental engagement questionnaires.
• Resubmitting some approvals to change approval decisions. When this parameter is set to No and approvers
complete applicable approval tasks, those approval decisions are final.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Enables the template upgrade feature for engagements, allowing users to apply template process updates to
existing engagement projects.
ID Application.SR.Engagement.EnableTemplateUpgrade
Default value No
Setting this parameter to Yes adds support for upgrading existing control-based engagement risk assessment
projects to the latest version of the supplier risk engagement template so they can include your organization's most
recent risk processes.
Note
The current published version of the template should have a Change Request Owners project group, a
change request initial approval phase, and a change request final approval phase.
If you enable this parameter, it’s recommended that you also enable:
When you set this parameter to Yes the following user interface changes are added:
When you set this parameter to Yes the following administrator interface changes are added:
• Preparation for template upgrade and Manage upgrades options on the Supplier risk administration page.
• A Preparation for template upgrade page after clicking Preparation for template upgrade.
• A Template upgrade page after clicking Manage upgrades.
• The Template upgrade page has 2 tabs, Select engagements and View status.
• An Additional settings for template upgrade popup after clicking the Continue button on the Select
engagements tab of the Template upgrade page.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.EnhancedEngagementListPage
Default value No
Setting this parameter to Yes adds new filter and sort options on the New requests, In Progress, and Completed
tabs of the Engagement requests page.
If you enable this parameter, it’s recommended that you also enable the feature ARI-6919: Enhancements to
engagement task management. Contact SAP Ariba Support to enable it.
When you set this parameter to Yes, the user interface changes as follows in the New requests, In progress, and
Completed tabs on the Engagement requests page:
• Filter and Sort links, with the number of applied filters in parentheses, are added at the top of the
engagement list pages.
• The filter and sort ability is removed from the column headers on the engagement list pages.
• The Filter link opens a Filters for engagement requests popup. The popup includes the filter options for
the information in the columns on the engagement list page. Some filter options have autofill so you can enter
single letters or partial words and choose from the results.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Determines options for control review decisions. If disabled, decision makers choose between Effective
and Ineffective. If enabled, an expanded list of options is available. Once enabled, disabling this feature
is not recommended. This feature also requires enabling the parameter Enable control review workflow
(Application.SR.Engagement.EnableControlReviewWorkflow).
ID Application.SR.Engagement.ExpandedLevelsOfRiskControlEffectiveness
Default value No
• A decision maker for a control has five choices when setting the effectiveness level for a control or service:
• Completely effective
• Substantially effective
• Partially effective
• Substantially ineffective
• Completely ineffective
Tip
If your site has both this parameter and the parameter Require issues for ineffective risk control decisions
(Application.SR.Engagement.RequireIssueForIneffectiveControlDecision) set to Yes, the issue
requirement applies to controls being marked Completely ineffective.
When this parameter is set to No, decision makers have two effectiveness decision choices for a control or service:
• Effective
• Ineffective
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
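A consistency check for the parameter dependencies described so far in this section (Allow change requests for change request edits, the two paired modular questionnaire settings, and the control review workflow for expanded effectiveness levels), added here as an illustration and not part of the SAP Ariba product. It assumes the settings have been transcribed by hand into two dictionaries of parameter ID to value; that input shape and the sample values are constructed.

```python
# Rules taken from the parameter descriptions on this page.
# (dependent parameter, parameter that must also be enabled)
REQUIRES = [
    ("Application.SR.Engagement.AllowChangeRequestEdit",
     "Application.SR.Engagement.AllowChangeRequest"),
    ("Application.SR.Engagement.ExpandedLevelsOfRiskControlEffectiveness",
     "Application.SR.Engagement.EnableControlReviewWorkflow"),
]

# (ID in Intelligent Configuration Manager, ID in SM Administration),
# spelled exactly as the page gives them. Both must be set together.
PAIRED = [
    ("Application.SM.MQ.EnableStandaloneMQEnhancement",
     "Application.SM.MQ.EnableStandaloneMQEnhancement"),
    ("Application.SM.MQ.EnableInternalFormsinModularQuestionnaires",
     "Application.SM.MQEnableInternalFormsinModularQuestionnaires"),
]


def _state(settings, param_id):
    """Normalise a raw value to True, False, or None if absent or unrecognised."""
    raw = settings.get(param_id)
    if raw is None:
        return None
    text = str(raw).strip().lower()
    if text in ("yes", "true"):
        return True
    if text in ("no", "false"):
        return False
    return None


def audit(icm, sm_admin):
    """Return a list of (finding, parameter, related parameter) tuples."""
    findings = []
    for dependent, prerequisite in REQUIRES:
        if _state(icm, dependent) is not True:
            continue  # dependent feature is off, so nothing relies on the prerequisite
        pre = _state(icm, prerequisite)
        if pre is False:
            findings.append(("missing-prerequisite", dependent, prerequisite))
        elif pre is None:
            # Value was not recorded: report it instead of guessing a default.
            findings.append(("unknown-prerequisite", dependent, prerequisite))
    for icm_id, sm_id in PAIRED:
        a, b = _state(icm, icm_id), _state(sm_admin, sm_id)
        if a is None and b is None:
            continue  # neither side recorded, nothing to compare
        if a is None or b is None:
            findings.append(("unpaired-value", icm_id, sm_id))
        elif a != b:
            findings.append(("pair-mismatch", icm_id, sm_id))
    return findings


# Constructed sample values, not taken from any real site.
SAMPLE_ICM = {
    "Application.SR.Engagement.AllowChangeRequestEdit": "Yes",
    "Application.SR.Engagement.AllowChangeRequest": "No",
    "Application.SR.Engagement.ExpandedLevelsOfRiskControlEffectiveness": "Yes",
    # Application.SR.Engagement.EnableControlReviewWorkflow deliberately not recorded
    "Application.SM.MQ.EnableStandaloneMQEnhancement": "Yes",
    "Application.SM.MQ.EnableInternalFormsinModularQuestionnaires": "No",
}
SAMPLE_SM_ADMIN = {
    "Application.SM.MQ.EnableStandaloneMQEnhancement": "No",
    "Application.SM.MQEnableInternalFormsinModularQuestionnaires": "No",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ICM, SAMPLE_SM_ADMIN):
        print(finding)
```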
Related Information
ID Application.SR.Engagement.HideEmptySectionHeader
Default value No
Setting this parameter to Yes hides the names of any sections in questionnaires defined by survey documents
in the control-based engagement risk assessment project template that do not contain content. In some cases,
visibility conditions or engagement attribute mappings hide all of the content in a section, which leaves the
questionnaire with empty sections. If your control-based
engagement risk assessment project setup results in this situation, you can use this parameter to hide the section
names as well.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
Related Information
Adds the ability to map a data source to a modular questionnaire used as an assessment for engagement requests.
Responses to the risk assessment questionnaire are imported from the data source.
ID Application.SR.Engagement.RiskAssessmentDataImport
Default value No
Yes: Enables the settings needed to set up the import in the modular questionnaire template. Once setup is
complete, the send assessments task does not send the assessments configured to import responses to the
supplier; instead, responses for those assessments are imported.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.ExternalRiskAssessmentDataImport
Default value No
Yes: Enables the settings needed to set up the import in the modular questionnaire template. Once setup is
complete, the send assessments task does not send the assessments configured to import responses to the
supplier; instead, responses for those assessments are imported.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.DisplayEngagementContextInAssessmentEmail
Default value No
When this parameter is set to Yes, the [ENGAGEMENT_CONTEXT] token is available when customizing specific
email templates concerning modular questionnaires serving as internal or external risk assessments.
Example
When the supplier or internal recipient receives the notification, the [ENGAGEMENT_CONTEXT] token is
replaced with an introductory sentence and a table of engagement information like:
WS12345678 | ABC - software 2021 USA | Data base reporting software | USA | All | Alice Bailey
WS23456789 | ABC - software 2021 Brazil | Data base reporting software | Brazil | All | Bertram Collis
One risk control may be required for multiple engagements for the same supplier. If the control is relevant to
multiple engagements for this supplier, the table lists multiple rows of engagement information.
Tip
Best practices:
• Include the token but no additional introductory text in your customized email. The email notifications for
which the [ENGAGEMENT_CONTEXT] token is available may be issued for situations that are or are not
relevant to an engagement. For example, in some instances a modular questionnaire might relate to a
qualification project. In this case engagement information is not shown in the notification email. If your
template has additional introductory text, the qualification project email then shows that text by itself,
without the [ENGAGEMENT_CONTEXT] material.
• [ENGAGEMENT_CONTEXT] is supported in the email body. It is not supported for the subject line, as a table
cannot be inserted there.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.SendAssessmentsProcessingBehavior
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.UpdateProcessingBehavior
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Specifies whether or not the business details and inherent risk screening questionnaires in control-based
engagement risk assessment projects use a background process for submission. While the background process is
in progress, the requester can continue with the next step of the request but cannot proceed further.
ID Application.SR.Engagement.Async.SubmitQuestionnaire
Default value No
By default, when a requester submits either the business details or inherent risk screening questionnaire in the
engagement request by clicking Next, the questionnaire is processed immediately and the requester cannot
navigate to the next step of the request until the processing is complete. Setting this parameter to Yes can mitigate
performance problems with submission of those questionnaires. When it is enabled, once the requester submits
the current questionnaire by clicking Next, the next step of the engagement request opens immediately while the
current questionnaire submission processes in the background. The navigation buttons on that next step do not
show until the questionnaire submission is complete.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Specifies whether or not supplemental engagement questionnaires in control-based engagement risk assessment
projects use a background process for submission. The next task in the workflow does not start until submission is
complete.
ID Application.SR.Engagement.Async.SubmitSecondaryDoc
Default value No
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Risk.RemoveCountryRegionRisk
Default value No
Setting this parameter to Yes removes country/region risk from the risk exposure. The country/region risk data
from the default provider, the World Economic Forum (WEF), isn't used as a contributing factor in the supplier's risk
exposure. The links to the annual Global Risks Report from WEF are still available in the supplier 360° profile.
If you set this parameter to Yes, you can't revert it back to No.
Note
The country/region risk information currently used as a contributing factor to risk exposure is no longer being
produced by the provider. The World Economic Forum (WEF) has paused the Global Competitiveness Index
that is used by SAP Ariba Supplier Risk to calculate the country/region risk exposure. Refer to the various WEF
reports in the supplier 360° Enriched corporate info tab for the change policy beginning in 2020 due to the
pandemic.
You can choose to enable this feature and use custom fields to bring country/region risk data from a provider of
your choice to contribute to the risk exposure.
When you set this parameter to Yes, you enable the following user interface changes:
When you set this parameter to Yes, you enable the following administrator interface changes in Configure risk
exposure on the Supplier risk administration page:
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Removes issues that have become obsolete because changes to an engagement have removed the only controls
with which they are associated. Enabling this parameter removes these obsolete issues from the Issues tile and
stops related email notifications.
ID Application.SR.Engagement.DeleteAbandonedIssuesOfRemovedControl
Default value No
Yes: Issues that have become obsolete are removed from the controls with which they are associated. This
removes them from the Issues tile and stops related email notifications.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
ID Application.SR.Engagement.ReopenAllInitialApprovalPhaseTasksForInsignificantChangesRequiringApproval
Name Reopen all initial approval phase tasks for insignificant changes requiring approval
This parameter is relevant in sites using control-based engagement risk assessment projects, where at least one of
the following is enabled:
Submitting an advanced engagement edit, change request, or change request edit triggers approval results based
on the types of changes made. When there are no Significant changes but at least one change is Insignificant
requiring approval, the initial approval phase for the engagement request or change request is activated. This
parameter governs which tasks open within that phase.
No: Open only the approval task for the inherent risk screening questionnaire in the initial approval phase
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
ID Application.SR.Engagement.ReopenPostProjectApprovalPhaseWithEngagementReview
Default value No
This parameter determines whether the Post Project Approval phase reopens when a user starts a periodic review
for an engagement.
• If post project approval is started in response to a periodic review that is later skipped, the post project
approval phase remains open.
• The post project approval phase can be canceled even though the review is in progress.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Default value No
The default value, No, means that approvers for engagement projects with incomplete issues see a warning popup
but are able to complete project approvals. Enabling this parameter blocks approvers from approving or denying
engagement risk assessment projects with at least one associated engagement- or control-level issue in a status
other than Resolved. The block applies to all approval tasks in the Project Approval phase.
In sites configured to use findings rather than issues (see Allow users to create general and engagement-
related findings [page 349]), this feature requires that all issues and all findings be completed before an
engagement can receive final approval.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Specifies whether or not control decision makers can mark controls that do not have any issues as ineffective in
engagement risk assessment projects.
ID Application.SR.Engagement.RequireIssueForIneffectiveControlDecision
Default value No
Control-level issues can capture the process used to reach ineffective decisions for a control, and are available in
other engagement risk assessment projects that use the control and where control decision makers might need
to reevaluate the control decision. When the optional issue check feature is enabled in a site, it checks for related
issues every time a control decision maker marks a control as ineffective. When this feature is enabled, the settings
for this parameter specify the following behavior when a control decision maker marks a control as ineffective and
it has no related issues:
• The default setting, No, results in a popup that asks the decision maker if they want to create an issue and
provides navigation for doing so, but issue creation is optional. The decision maker can cancel out of the popup
and finish marking the control as ineffective.
• Setting this parameter to Yes results in a popup that informs the decision maker that an issue is required and
provides navigation for creating one. The decision maker cannot mark the control as ineffective until there is at
least one issue associated with the control.
In sites configured for expanded levels of risk control effectiveness, the issue requirement applies to controls or
services being marked Completely ineffective.
In sites configured to use findings rather than issues (see Allow users to create general and engagement-
related findings [page 349]), this feature requires either an issue or a finding in order to mark a control as
ineffective.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Related Information
Specifies that Attachment and Expiration Date are the only two required fields for answers to certificate questions
in external supplier management questionnaires. Otherwise, all certificate fields are required.
ID Application.SM.RequireCertificateAttachmentAndExpirationOnly
Name Require only attachment and expiration date for supplier certificates
The default value of False means that all the certificate fields are mandatory and the supplier must enter values
in all the fields. The certificate detail fields are required if a supplier answers Yes to a certificate question. The
certificate detail fields are not required if a supplier answers No to a certificate question.
Setting this parameter to True makes only the Expiration Date and Attachment fields mandatory, which means
that the supplier only needs to enter an expiration date and attach a document to proceed.
Note
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
ID Application.SR.Engagement.RequireOnlyBasicDueDiligenceWhenNoControls
Name Require only basic approval for engagement projects with no controls
Default value No
This parameter adds a mechanism for using business details to automatically identify engagements that don't
require risk controls and therefore only require a basic approval workflow.
When the optional basic approval workflow is enabled in a site, this parameter determines if the engagement
request goes through the basic approval or the full engagement risk assessment project workflow. Basic approval
includes only the step for the Request Approval phase, bypassing the send assessments, evidence collection,
control review, and final project approval steps, to streamline the workflow for these engagements.
The basic approval workflow starts with an engagement request that has no controls. The engagement request is
flagged in the system to use the basic approval workflow, which requires only the Request Approval phase. After
completing the Request Approval phase, the engagement request moves immediately to Completed status.
If you use the basic approval workflow, only Copy and Archive are available in the Action menu on the engagement
page after the engagement reaches Completed status. Any other post-project approval tasks configured in the
template aren't available for basic approval engagements.
For information about risk controls, see Supplier Risk Data Import.
When this feature is enabled, the settings for this parameter specify the following behavior:
• If you use the default setting, No, engagement projects with no risk controls follow the full engagement risk
assessment project workflow but the send assessment task automatically completes. Assessments aren't
required if an engagement has no controls.
• If you set this parameter to Yes, engagement projects with no risk controls follow the basic approval workflow
and move to Completed status after the request approval task for the engagement request is approved.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Specifies whether editing of engagement residual risk ratings is only allowed when the engagement has at least two
issues with different ratings.
ID Application.SR.Engagement.EnableIssueBasedRestrictionsOnResidualRiskSelection
Residual risk ratings for engagement risk assessment projects are numbers between 1 and 5. The original residual
risk rating for an engagement project is based on the highest residual risk rating of the issues associated with the
engagement. Residual risk ratings for issues are, in turn, based on issue severity and probability.
If Yes: Users with the appropriate permissions can edit the residual risk rating for an engagement only if the
engagement has at least two associated issues with different residual risk ratings.
If No: Editing the residual risk rating is not restricted in this way. Users with appropriate permissions can edit the
residual risk rating if the engagement has fewer than two issues, for example, or if it has two or more issues with the
same rating.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
Note
This parameter is not relevant in sites configured to calculate residual risk by risk domain. In these sites,
residual risk values are automatically updated based on the issues or effectiveness levels for controls.
Note
In sites configured to use findings rather than issues (see Allow users to create general and engagement-
related findings [page 349]), and where domain-based residual risk is not enabled, this parameter allows editing of
residual risk ratings when there are at least two issues or findings with different ratings.
Restricts who can view control-based engagement risk assessment projects by global user group membership and
project group membership.
ID Application.SR.Engagement.EngagementVisibilityFilterByRole
The default setting of this parameter, Yes, restricts the permission of members of engagement-related global user
groups to view engagement risk assessment projects as follows:
• Users in the Supplier Risk Engagement Requestor global user group can only see those engagement risk
assessment projects for which they are a member of the Project Owner project group.
• Users in the Supplier Risk Engagement Expert global user group can only see those engagement risk
assessment projects in which they are either members of the Project Owner project group or control decision
makers.
• Users in the Supplier Risk Engagement Governance Analyst group can see all engagement risk assessment
projects.
If you set this parameter to No, the permissions instead work as follows:
• Users in the Supplier Risk Engagement Requestor global user group can only see those engagement risk
assessment projects for which they are the requestor or a member of the Project Owner project group.
• Users in the Supplier Risk Engagement Expert or Supplier Risk Engagement Governance Analyst group can
see all engagement risk assessment projects.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
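The two visibility modes described above can be compared as an access matrix. The following Python model is an added example, not SAP Ariba code; the user and project names are constructed, and it assumes that a user in several groups receives the union of their permissions and that users in none of the three groups see nothing.

```python
from dataclasses import dataclass

REQUESTOR = "Supplier Risk Engagement Requestor"
EXPERT = "Supplier Risk Engagement Expert"
ANALYST = "Supplier Risk Engagement Governance Analyst"

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # global user groups

@dataclass(frozen=True)
class Project:
    name: str
    requestor: str
    owners: frozenset           # members of the Project Owner project group
    decision_makers: frozenset  # control decision makers

def can_view(user, project, filter_by_role=True):
    """Apply the documented rules; filter_by_role=True models the default, Yes."""
    is_owner = user.name in project.owners
    if ANALYST in user.groups:
        return True  # analysts see everything under both settings
    if EXPERT in user.groups:
        # No: all projects. Yes: only as project owner or control decision maker.
        if not filter_by_role or is_owner or user.name in project.decision_makers:
            return True
    if REQUESTOR in user.groups:
        # Yes: project owner only. No: also the requestor of the engagement.
        if is_owner or (not filter_by_role and user.name == project.requestor):
            return True
    return False  # assumption: no other group grants visibility

def exposure_delta(users, projects):
    """(user, project) pairs that become visible only when the parameter is No."""
    return sorted((u.name, p.name) for u in users for p in projects
                  if can_view(u, p, False) and not can_view(u, p, True))

# Constructed sample data, not taken from any real site.
USERS = [User("alice", frozenset({REQUESTOR})),
         User("bob", frozenset({EXPERT})),
         User("carol", frozenset({ANALYST}))]
PROJECTS = [Project("P1", "alice", frozenset({"alice"}), frozenset({"bob"})),
            Project("P2", "alice", frozenset({"dave"}), frozenset()),
            Project("P3", "dave", frozenset({"dave"}), frozenset({"erin"}))]

if __name__ == "__main__":
    for user, project in exposure_delta(USERS, PROJECTS):
        print(f"No widens access: {user} can now view {project}")
```

Running the same comparison against an export of real group and project memberships shows which users would gain visibility before the parameter is changed from its default.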
ID Application.SR.IssueManagement.IssueVisibilityFilterByRole
The default setting of this parameter, Yes, restricts the permission of members of engagement-related global user
groups to view issue management projects as follows:
• Users in the Supplier Risk Engagement Requestor global user group can only see those issues for which they
are a member of the Project Owner project group.
• Users in the Supplier Risk Engagement Expert global user group can only see those issues in which they are
either members of the Project Owner project group or assignees.
• Users in the Supplier Risk Engagement Governance Analyst group can see all issue management projects.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
ID Application.SR.Engagement.ReuseAnswersWhenResendingAssessments
Default value No
This parameter determines behavior when a decision maker chooses to resend assessments as part of reopening a
control review.
If the value is Yes, the questionnaire includes the supplier's prior answers, which the supplier can edit before
resubmitting the assessment.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
Specifies the number of modular questionnaire projects the system creates in each batch when assessments are
sent in engagement risk assessment projects. The system creates new batches of assessment questionnaires at
intervals. You can specify a value between 1 and 100.
ID Application.SR.Engagement.CreateQuestionnaireBatchSize
Default value 20
Sending assessments in a control-based engagement risk assessment project involves the creation of a new
modular supplier management questionnaire project for every assessment required by the engagement that was
not already completed in another engagement risk assessment project. If your engagement risk assessment
process requires a large number of assessments for each engagement project, there can be some delay between
when assessments are sent and when the assessment modular questionnaire projects are created as the system
generates batches of them at intervals. Setting this parameter to a number higher than the default value can help
speed this process by using larger batches.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
ID Application.SR.Engagement.ShowRegisteredSuppliersOnly
Default value No
By default, the supplier selection step of the engagement request in control-based engagement risk assessment
projects shows all suppliers in your site. Setting this parameter to Yes means that only suppliers with a Registered
registration status show in this step. This filter steers requesters toward selecting suppliers for whom you have
already collected information and performed basic due diligence.
Only set this parameter to Yes if your site uses supplier registration projects. Suppliers can only achieve a
Registered registration status through an approved registration project. Registration projects are only available
in solutions that include SAP Ariba Supplier Lifecycle and Performance or SAP Ariba Supplier Information
and Performance Management (new architecture), where the registration project template must be set up and
published. There is no other way to set registration status for a supplier.
Note
This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
ID Application.SR.Engagement.TreatControlRemovalAsSignificant
This parameter is relevant in sites using control-based engagement risk assessment projects, in which at least one
of the following parameters is enabled:
The value of this parameter determines how control removal is treated within the context of advanced edit of
an engagement request, a change request for a completed engagement, or an edit to a change request. In any
of these actions, an authorized user might change business details or responses to the inherent risk screening
questions such that a control, required for the previous version of the engagement or the change request, is no
longer needed.
Yes (default) Control removal activates both initial and final approval phases for the engagement or change request.
No Control removal activates only the initial approval phase for the engagement or change request.
Remember
If control removal is treated as Insignificant requiring approval, the parameter Reopen all initial approval phase
tasks for insignificant changes requiring approval
(Application.SR.Engagement.ReopenAllInitialApprovalPhaseTasksForInsignificantChangesRequiringApproval)
determines which tasks open within the initial approval phase.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
When this parameter is set to Yes, the Custom Email tab appears in Ariba Administrator under Customization
Manager Branding Settings. In addition to the SAP Ariba logo and footer, the custom logo and footer that you
set in this tab appear in emails. When this parameter is set to No, only the SAP Ariba logo and footer appear in
emails.
ID Application.EnableCustomEmailLogoAndFooter
Name Use custom logo and footer for emails sent to suppliers
Default value No
You must be a member of the Customer Administrator or Event Administrator group to customize the invitations
sent to suppliers.
A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
These parameters apply to supplier management in SAP Ariba Supplier Lifecycle and Performance and SAP Ariba
Supplier Information and Performance Management (new architecture).
In guided buying sites, the navigation path is Manage SM Admin Configuration Parameters.
For more information on how to modify the settings of these parameters, refer to Managing Configuration
Parameters in SM Administration [page 430].
Table 7:
Parameter category Parameter name Default setting Description
Note
To set the ACM ID for suppliers, your site must use custom fields to store ACM IDs through an imported default properties configuration where a generic custom field such as vendor.supplierGenericCustomField.ZS4ID is set to $(vendor.vendorInfo.s4OrgSystemId). The integrated ERP system must have a custom implementation for the corresponding custom field. This parameter only sends the ACM ID to the integrated ERP system if these configurations are in place.
Note
Along with the configuration parameter, you must also enable the Enable internal supplier registrations parameter in Integration Configuration Manager to ensure the functionality is available in your site.
Caution
If you want to disable internal registrations, SAP Ariba recommends doing so before any internal registrations are created in your site. Disabling the feature prevents completion of any internal registration projects that are in progress and removes the mechanism for inviting suppliers to participate in completed internal registrations.
Note
Enabling or disabling this parameter requires a corresponding change to the Enable enhanced filtering and pagination for standalone modular questionnaires [page 374] parameter in Intelligent Configuration Manager. Always enable or disable both parameters together.
Note
Enabling or disabling this parameter requires a corresponding change to the Enable modular process framework parameter in Intelligent Configuration Manager. Always enable or disable both parameters together.
Note
Enabling or disabling this parameter requires a corresponding change to the Enable internal forms in modular questionnaires [page 377] parameter in Intelligent Configuration Manager. Always enable or disable both parameters together.
Caution
Only disable this parameter together with the Use Internal Format for ERP Vendor Id feature, which also adds leading zeros to outbound ERP vendor IDs. This feature must be disabled by SAP Ariba Support.
ID configured in SM Administration integration settings in ERP search calls for material master data. If left blank, the ERP Business system ID in integration settings is also used for material master data search.
Business partner key mapping Application.SM.BPKM.KeyMappingTypeCodeForBP 147 Specifies the type code for business partners in your site. This type code is used during business partner key mapping synchronization from an integrated ERP system.
Business partner key mapping Application.SM.BPKM.KeyMappingObjectSchemaCodeForBP 888 Specifies the object schema code for business partners in your site. This schema code is used during business partner key mapping synchronization from an integrated ERP system.
Business partner key mapping Application.SM.BPKM.KeyMappingObjectSchemaCodeForBPUuid 889 Specifies the UUID object schema code for business partners in your site. This code is used during business partner key mapping synchronization from an integrated ERP system.
Business partner key mapping Application.SM.BPKM.KeyMappingTypeCodeForSup 266 Specifies the type code for suppliers in your site. This type code is used during business partner key mapping synchronization from an integrated ERP system.
Business partner key mapping Application.SM.BPKM.KeyMappingObjectSchemaCodeForSup 892 Specifies the object schema code for suppliers in your site. This schema code is used during business partner key mapping synchronization from an integrated ERP system.
• PartnerFunction, to set a supplier's vendor type based on partner function. Use Application.SM.BPKM.MainVendorPartnerFunctionCodes, Application.SM.BPKM.OrderingPartnerFunctionCodes, and Application.SM.BPKM.RemittancePartnerFunctionCodes to specify the partner function codes that determine each vendor type.
• All, to specify that all suppliers are considered main vendors (common suppliers).
Note
All is the default setting for this parameter. To convert inbound vendor objects to remittance locations or supplier locations where appropriate instead of creating common suppliers for all of them, use the PartnerFunction setting and related parameters.
Note
This setting isn't applicable in sites that include SAP Ariba Supplier Lifecycle and Performance and SAP Ariba Supplier Information and Performance Management (new architecture) where the support for partitioned suppliers feature (SM-30017) is enabled. SM-30017 doesn't currently support multi-ERP configurations. It's only applicable in SAP Ariba solution landscapes where the supplier master data used in guided buying is created and maintained directly in SAP Ariba Procurement solutions.
Note
Along with the configuration parameter, you must also enable the Enable improved user experience for internal questionnaires with visibility conditions parameter in Integration Configuration Manager to ensure the functionality is available in your site.
Note
Enabling or disabling this parameter requires a corresponding change to the Enable repeatable sections in internal questionnaires parameter in Intelligent Configuration Manager. Always enable or disable both parameters together.
Note
This parameter is only applicable in sites where the partitioned supplier data feature (SM-30017) is enabled.
Caution
Make sure that your configuration here matches the length of name fields in the integrated ERP system. Mismatch between maximum length of name fields in SAP Ariba and the integrated ERP system can result in inconsistencies or loss of data.
The configuration parameters in SM Administration control some specific supplier management functionality.
Administrators can modify the values for these configuration parameters without having to raise a case with SAP
Ariba Support. Use this procedure to manage configuration parameters.
Prerequisites
Context
You modify parameter values to enable or disable functionality controlled by the configuration parameters. For
more information about specific parameters, refer to Reference of Configuration Parameters in SM Administration
[page 406].
• To see the parameter's description or modify its current value, choose Edit. If you're modifying a value,
choose or enter the new value and choose Save.
• To restore the parameter's default value, choose Reset.