
PUBLIC

Document Version: 2311 – 2023-11

Monitoring Supplier Risk


SAP Ariba Supplier Risk
SAP Ariba Supplier Risk, base edition
© 2023 SAP SE or an SAP affiliate company. All rights reserved.



Content

Monitoring Supplier Risk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Topics About Understanding Supplier Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10


Supplier Risk as a Factor in Supplier Management Decisions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Alerts and Risk Exposure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Risk Alert Incident Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Step-by-Step Workflow for Managing Supplier Risk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Accessibility in SAP Ariba Supplier Risk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Topics About Monitoring Overall Risk and Managing Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77


Supplier Risk Dashboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Alert Monitoring Using the Alert List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Natural Disaster Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Filtering the Alert List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Archiving Risk Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Sharing Risk Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Flagging and Sorting Risk Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Reporting One or More Adverse Media Risk Incidents for Feedback. . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Managing Subscriptions to Risk Alerts for Specific Suppliers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Configuring Risk Incident Severity Levels and Email Notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Setting Up Email Notifications for Positive Incident Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Topics About Monitoring Risk for Individual Suppliers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94


Submitting Suppliers to a Provider for Risk Evaluation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Risk Exposure Information in a Supplier’s 360° Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Risk Incidents and Alert Trends in a Supplier’s 360° Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Enriched Corporate Information in a Supplier’s 360° Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Financial Information in a Supplier's 360° Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Regulatory and Legal Information in a Supplier’s 360° Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Engagement Risk Information in a Supplier’s 360° Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Custom Data in a Supplier’s 360° Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Exporting a Supplier's 360° Risk Profile as a PDF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Supplier Status Active Versus Inactive. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109

Topics About Managing Control-Based Engagement Risk Assessment Projects. . . . . . . . . . . . . . 110


About Risk Controls in SAP Ariba Supplier Risk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
About the Basic Approval Workflow for Control-Based Engagement Risk Assessment Projects. . . . . . . . 114

The Control-Based Engagement Risk Assessment Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
The Issue Management Process for Risk Controls and Control-Based Engagement Risk Assessment
Projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Viewing and Managing Control-Based Engagement Risk Assessment Projects. . . . . . . . . . . . . . . . . . . 120
Using the Action Queue. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Viewing Engagement History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
About requesters, project owners, and members of the Project Owner and Change Request
Owners project teams. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
About Residual Risk for Control-Based Engagement Risk Assessments. . . . . . . . . . . . . . . . . . . . . . . . 136
About Inherent Risk in Control-Based Engagement Risk Assessment Projects. . . . . . . . . . . . . . . . . . . 138
About Inherent Risk (Commodity) for Control-Based Engagement Risk Assessment Projects. . . . . . . . 139
Requesting a New Engagement and Starting a Control-Based Risk Assessment. . . . . . . . . . . . . . . . . . 140
Creating a New Engagement Request Triggered by a Non-Catalog Purchase Requisition. . . . . . . . . . . . .144
Linking an Existing Engagement Request to a Non-Catalog Purchase Requisition. . . . . . . . . . . . . . . . . 146
How to Upgrade an Engagement Project to the Latest Template Version. . . . . . . . . . . . . . . . . . . . . . . . 148
How to Change the Project Owner on the Engagement Page of a Control-Based Engagement Risk
Assessment Project. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
How to Manage Team Membership of the Project Owner Group in a Control-Based Engagement Risk
Assessment Project. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Viewing and Managing Your Tasks for an Engagement Risk Assessment Project. . . . . . . . . . . . . . . . . . 154
How to Manage Team Membership of the Change Request Owners Project Group. . . . . . . . . . . . . . . . . 156
How to Add Approvers for a Control-Based Engagement Request or Engagement Risk Assessment
Project. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
How to Approve or Deny a Request for a Control-Based Engagement Risk Assessment. . . . . . . . . . . . . 159
How to Change the Supplier Contact on the Engagement Page (Simple Workflow). . . . . . . . . . . . . . . . . 161
How to Edit an Engagement Request for a Control-Based Engagement Risk Assessment (Simple
Workflow). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
How to Edit an Engagement Request for a Control-Based Engagement Risk Assessment (Advanced
Workflow). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
About Editing a Previously Submitted Engagement Request (Advanced Editing Only). . . . . . . . . . . . . . 165
About Working with an Engagement While Updates Are in Process. . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Managing an Engagement After an Update Processing Error. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Canceling an Engagement Request for a Control-Based Engagement Risk Assessment (Simple
Workflow). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Canceling an Engagement Request for a Control-Based Engagement Risk Assessment (Advanced
Workflow). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Sending Assessment Questionnaires for a Control-Based Engagement Risk Assessment Project
(Simple Workflow). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Sending Assessment Questionnaires for a Control-Based Engagement Risk Assessment Project
(Advanced Workflow). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
How to Complete an Internal Assessment for a Control-Based Engagement Risk Assessment Project
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Requesting an Update or Changing the Recipient for a Modular Questionnaire. . . . . . . . . . . . . . . . . . . 185

How to Approve or Deny an Internal Assessment Questionnaire for a Control-Based Engagement Risk
Assessment Project. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
How to Assign or Reassign a Control Review or Questionnaire To Do Task for an Engagement. . . . . . . . . 188
How to Fill Out and Submit a Supplemental Engagement Questionnaire. . . . . . . . . . . . . . . . . . . . . . . . 191
How to Approve or Deny a Supplemental Engagement Questionnaire. . . . . . . . . . . . . . . . . . . . . . . . . . 193
How to Raise an Issue for a Control-Based Engagement Risk Assessment or One of Its Risk Controls
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
How to Define, Analyze, or Resolve an Issue for a Control-Based Engagement Risk Assessment. . . . . . . 196
How to Manage Team Membership of the Assignee Project Group in an Issue Management Project
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
How to Add Approvers or Reviewers for an Issue in a Control-Based Engagement Risk Assessment
Project. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
How to Change the Residual Risk of a Control-Based Engagement Risk Assessment Project. . . . . . . . . 202
How to Approve or Deny a Control-Based Engagement Risk Assessment Project. . . . . . . . . . . . . . . . . 204
Topics About Managing Risk Controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Using the Controls List Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Viewing and Managing Risk Controls Using the Control Details Page. . . . . . . . . . . . . . . . . . . . . . . .208
How to Change the Expiration Date of a Control Review Decision. . . . . . . . . . . . . . . . . . . . . . . . . . .214
How to Review a Pending Control for Effectiveness Using the Control Details Page (Two Levels)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
How to Review and Set the Effectiveness Level for a Risk Control or Service (Five Levels). . . . . . . . . 219
Skipping an Assessment Response. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
How to Skip a Control Review. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Reopening a Control Review. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
How to Review a Pending Control for Effectiveness Using the Control Review Page. . . . . . . . . . . . . . 228
How to Re-Review a Completed Control and Change Its Effectiveness Status Using the Control
Review Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Topics About Processing an Engagement Change Request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
About Opening an Engagement for Which a Change Request Is in Progress. . . . . . . . . . . . . . . . . . . 234
How to Change a Live Engagement Request by Processing a Change Request. . . . . . . . . . . . . . . . . 235
How to Edit an Engagement Change Request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
About Editing a Previously Submitted Change Request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
How to Approve or Deny a Change Request (Initial). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
How to Approve or Deny a Change Request with Significant Changes (Final). . . . . . . . . . . . . . . . . . 245
How to Cancel a Submitted Change Request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
How to Revert a Draft Change Request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248
How to Cancel the Post-Project Approval Phase of a Control-Based Engagement Risk Assessment
Project. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249
Topics About Processing a Periodic or Ad Hoc Review for an Engagement. . . . . . . . . . . . . . . . . . . . . . 250
How to Process a Periodic or Ad Hoc Review for an Engagement. . . . . . . . . . . . . . . . . . . . . . . . . . 250
About Opening an Engagement for Which a Review Is in Progress. . . . . . . . . . . . . . . . . . . . . . . . . . 254
How to Skip a Periodic Review for an Engagement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
How to Revert a Draft Review for an Engagement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

How to Cancel a Periodic or Ad Hoc Review for an Engagement. . . . . . . . . . . . . . . . . . . . . . . . . . . 257
How to Edit an Engagement with a Review in Progress. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
How to Archive a Control-Based Engagement Risk Assessment Project (Simple Workflow). . . . . . . . . . 262
How to Archive a Control-Based Engagement Risk Assessment Project (Advanced Workflow). . . . . . . . 263
How to Cancel Archiving of a Control-Based Engagement Risk Assessment Project. . . . . . . . . . . . . . . .265
Copying a Control-Based Engagement Risk Assessment Project to Create a New Engagement Request
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Control-Based Engagement Risk Assessment Status Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
How to Run the Risk Control Summary Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
How to Run the Engagement processing error report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Analytical Reporting for Control-Based Engagement Risk Assessment Projects. . . . . . . . . . . . . . . . . . 275

Modular Questionnaire and Supplier Certificate Management. . . . . . . . . . . . . . . . . . . . . . . . . . . 279


About the Questionnaires Area in the Supplier 360° Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Supplier Certificate Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Inviting Suppliers to Fill Out Stand-Alone Modular Questionnaires. . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Requesting an Update or Changing the Recipient for a Modular Questionnaire. . . . . . . . . . . . . . . . . . . 287
Scores for Modular Questionnaires. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .289
Approving or Denying an External Modular Questionnaire. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Ratings for Internal Forms and Questionnaires. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
Filling out an Internal Form in a Modular Questionnaire Project. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Approving or Denying an Internal Form in a Modular Questionnaire Project. . . . . . . . . . . . . . . . . . . . . .296
Viewing Modular Questionnaire Projects Based on Previous Template Versions After Template
Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Status Flow for Modular Questionnaire Projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .299

Creating and Managing Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303


Creating a Finding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
How to Access Findings Using the Findings Tile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305

Exporting Data and Running Reports on Supplier Risk and Related Activities. . . . . . . . . . . . . . . .307

Topics About Managing Legacy Risk Assessment Projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309


The Legacy Risk Assessment Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
The Legacy Engagement Risk Issue Management Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Viewing and Managing Legacy Risk Assessment Projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
How to Request a New Engagement in a Legacy Risk Assessment Project. . . . . . . . . . . . . . . . . . . . . . . 314
How to Add Approvers to a Legacy Engagement Request or Risk Assessment. . . . . . . . . . . . . . . . . . . . 316
How to Approve or Deny a Legacy Engagement Request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
How to Edit a Legacy Engagement Request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
How to Cancel a Legacy Engagement Request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
How to Raise an Issue for a Legacy Engagement Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
How to Define, Analyze, or Resolve a Legacy Engagement Risk Issue. . . . . . . . . . . . . . . . . . . . . . . . . . 323

How to Add Approvers or Reviewers to a Legacy Engagement Risk Issue. . . . . . . . . . . . . . . . . . . . . . . 325
How to Send Legacy Engagement-Level Risk Assessments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
How to Send Additional New or Resend Previously-Sent Legacy Engagement-Level Risk Assessments
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
How to Manually Skip Legacy Engagement-Level Risk Assessments. . . . . . . . . . . . . . . . . . . . . . . . . . . 331
How to Complete a Legacy Internal Engagement-Level Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . 332
How to Approve or Deny a Legacy Engagement-Level Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . . 333
Supplier or Third-Party Legacy Risk Assessment Project Status Flow. . . . . . . . . . . . . . . . . . . . . . . . . .335
Legacy Issue Management Project Status Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
How to Run the Legacy Engagement Summary Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

Topics About Site Configuration Parameters for Setting Up SAP Ariba Supplier Risk. . . . . . . . . 340
Support-Enabled Site Configuration Parameters for SAP Ariba Supplier Risk. . . . . . . . . . . . . . . . . . . . 340
Self-Service Site Configuration Parameters for SAP Ariba Supplier Risk in Intelligent Configuration
Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Ability to select SAP business network as the data source for assessment responses . . . . . . . . 343
Add issue assignees to the assignee project group only. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Allow change requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Allow decision maker to skip an assessment response. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Allow engagement Project Owner groups to inherit project group membership from the
template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Allow engagement requests with no supplier. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Allow no-effectiveness option for control review. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Allow users to create general and engagement-related findings . . . . . . . . . . . . . . . . . . . . . . . . . 349
Allow using control effectiveness levels to evaluate residual risk by risk domain. . . . . . . . . . . . . 349
Allow using issues to evaluate residual risk by risk domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . .350
Calculate engagement level residual risk by risk domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .351
Calculate inherent risk for engagements by risk domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Calculate supplier level inherent and residual risk by risk domain. . . . . . . . . . . . . . . . . . . . . . . .353
Calculate task due date based on predecessor completion date. . . . . . . . . . . . . . . . . . . . . . . . . 355
Create actions for control reviews and assessments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Create actions for engagement To Do and approval tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Define percentage-based scoring ratings and ranges for engagement questionnaires. . . . . . . . . 358
Define point-based scoring ratings and ranges for engagement questionnaires. . . . . . . . . . . . . .359
Define the amount of change allowed for engagement residual risk ratings. . . . . . . . . . . . . . . . .359
Disable participant view for supplier management questionnaires. . . . . . . . . . . . . . . . . . . . . . . 360
Enable action queue. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Enable advanced archiving workflow for engagement projects. . . . . . . . . . . . . . . . . . . . . . . . . . 362
Enable advanced engagement editing and canceling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Enable advanced send assessment workflow for engagement projects. . . . . . . . . . . . . . . . . . . . 363
Enable API updates for external modular questionnaires with any status. . . . . . . . . . . . . . . . . . 364
Enable assignee team management on issue projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Enable asynchronous processing for template upgrade. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Enable asynchronous processing of business details and the inherent risk screening
questionnaire. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Enable background processing for periodic review. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Enable certificate sections in supplier management questionnaires . . . . . . . . . . . . . . . . . . . . . 368
Enable change project owner action on the engagement page. . . . . . . . . . . . . . . . . . . . . . . . . . 369
Enable control review workflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Enable document types for engagement requests originating from non-catalog purchases
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Enable editability access control for the issue form. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Enable editing of in-progress change requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Enable engagement request document types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373
Enable engagement review workflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Enable enhanced filtering and pagination for standalone modular questionnaires. . . . . . . . . . . . . . .374
Enable enhanced status information for assessments and risk controls . . . . . . . . . . . . . . . . . . . 375
Enable internal forms in modular questionnaires. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Enable manage project team action on the engagement page. . . . . . . . . . . . . . . . . . . . . . . . . . .378
Enable modular questionnaire template creation in sites with a basic supplier management
entitlement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Enable task enhancements in engagement projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Enable template upgrade. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Enable the enhanced engagement list. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Expanded levels of risk control effectiveness. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Hide names of empty questionnaire sections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
Import risk assessment data for engagement requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Import risk assessment responses from external systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Include engagement context in assessment notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386
Manage user interactions during send assessments processing. . . . . . . . . . . . . . . . . . . . . . . . . 388
Manage user interactions during update processing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Process engagement request questionnaires in the background. . . . . . . . . . . . . . . . . . . . . . . . 390
Process supplemental engagement questionnaires in the background. . . . . . . . . . . . . . . . . . . . 390
Remove country/region risk as a risk exposure contributing factor. . . . . . . . . . . . . . . . . . . . . . . 391
Remove obsolete issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Reopen all initial approval phase tasks for insignificant changes requiring approval. . . . . . . . . . . . . 394
Reopen post project approval phase with engagement review. . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Require issue completion for final engagement project approval. . . . . . . . . . . . . . . . . . . . . . . . 395
Require issues for ineffective risk control decisions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Require only attachment and expiration date for supplier certificates . . . . . . . . . . . . . . . . . . . . 397
Require only basic approval for engagement projects with no controls. . . . . . . . . . . . . . . . . . . . 398
Restrict editing of residual risk ratings based on engagement issues. . . . . . . . . . . . . . . . . . . . . 399
Restrict engagement project visibility by role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Restrict issue project visibility by role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

Reuse respondent answers when resending assessments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
Set batch size for creating assessment questionnaires. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Show only registered suppliers in engagement projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Treat control removal as a significant change. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Use custom logo and footer for emails sent to suppliers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Self-Service Site Configuration Parameters in SM Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Reference of Configuration Parameters in SM Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Managing Configuration Parameters in SM Administration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .430

Monitoring Supplier Risk

This guide is for SAP Ariba buyer users who monitor risk exposure and other risk-related data for suppliers and
manage engagements and risk alerts.

Buyers monitor the potential risk exposure of their current suppliers and assess the potential risk of new suppliers
before engaging with them for goods and services.

This guide applies to:

• SAP Ariba Supplier Risk
• SAP Ariba Supplier Risk, base edition

Related guides

Setting Up SAP Ariba Supplier Risk

Supplier Risk Data Import

Topics About Understanding Supplier Risk

Supplier Risk as a Factor in Supplier Management Decisions [page 10]

Alerts and Risk Exposure [page 11]

Risk Alert Incident Types [page 12]

Step-by-Step Workflow for Managing Supplier Risk [page 68]

Supplier Risk as a Factor in Supplier Management Decisions

Understanding a supplier's risk is an important factor in deciding whether and how to do business with the supplier.

At its simplest, SAP Ariba Supplier Risk alerts can bring critical incidents to your attention. For example, if there is a
natural disaster or production facility problem that affects a key supplier, you might need to search for alternatives.
Or if a supplier is sanctioned or put on a watch list, you might need to suspend purchase orders and contracts with
that supplier to avoid legal consequences.

But SAP Ariba Supplier Risk is useful for much more than reacting to emergencies. Risk data allows you to be
proactive in your supplier management decisions by doing things like:

• Segmenting your suppliers by risk
• Using risk as a factor when designating preferred suppliers
• Detecting signs of future trouble and monitoring the supplier more closely
• Doing more detailed research to assess the impact of incident alerts
• Following up with the supplier to get information about their plans to address regulatory or operational
compliance issues
• Asking for certifications
• Assessing the risk of potential engagements with new suppliers or other third parties
• Offboarding suppliers that you deem too risky

Related Information

Alerts and Risk Exposure [page 11]
Risk Alert Incident Types [page 12]
Supplier Risk Dashboard [page 77]
Alert Monitoring Using the Alert List [page 80]
Risk Exposure Information in a Supplier’s 360° Profile [page 96]
Risk Incidents and Alert Trends in a Supplier’s 360° Profile [page 98]

Enriched Corporate Information in a Supplier’s 360° Profile [page 99]
The Legacy Risk Assessment Process [page 309]

Alerts and Risk Exposure


Alerts are messages that contain information about incidents that affect a supplier. They're one of the factors that
contribute to the supplier's risk exposure.

A supplier's risk exposure is a numerical value 1–100 that designates the supplier's level of risk, with 100 being the
riskiest and 1 the least risky. If a supplier's risk exposure shows as unknown, that means there isn't yet enough
information to calculate the exposure.

There are a number of different factors that affect a supplier's risk exposure, and those factors are weighted based
on your company's criteria. The factors include:

• News items about the supplier
• Corporate information about the supplier
• Geographical data on natural disasters
• Compliance information about the supplier, including legal, regulatory, and environmental risks
• Risk data associated with the supplier's country/region profile
• Structured risk information based on the supplier's corporate hierarchy
• Supplier relationship information such as internal ratings, spend volume, and strategic or preferred supplier status

Note

Risk alerts less than 60 days old are used in the supplier's risk exposure calculation. It doesn't matter if they're
in the alert list or the archive list. Once the alert is 60 days old, it's no longer included in the supplier's risk
exposure calculation.

Alerts notify you of incidents that affect the supplier, and are based on news items and data about natural
disasters.

Note

SAP Ariba Supplier Risk maintains risk incidents from adverse media monitoring until they're 2 years old. At
that point, they're removed from the Alert feed tile on the Supplier Risk dashboard, the alert list, and the Risk
incidents tab in the supplier's 360° profile.

You can monitor supplier risk exposure and alerts on the Supplier Risk dashboard [page 77] and on the Risk tile in
individual supplier 360° profiles.

You can also customize the severity levels of the incidents that generate alerts [page 91] and subscribe to specific
incident alerts for specific suppliers [page 90].

Note

SAP Ariba Supplier Risk gathers data, including articles, news reports, company information, and other third-
party content, from multiple public and private service providers. This data often includes either links to
third-party websites where the information is available or “inverse” links that bring the third-party data into SAP
Ariba Supplier Risk. SAP Ariba believes the sources of information to be reliable but has no control over any
aspect of these third-party sites, including accuracy, timeliness, products promoted, data collection policies, or
potential for distribution of computer viruses. SAP Ariba does not review content from third-party providers;
the information may contain errors and is provided to facilitate further research.

Related Information

Risk Exposure Information in a Supplier’s 360° Profile [page 96]
Risk Incidents and Alert Trends in a Supplier’s 360° Profile [page 98]
Enriched Corporate Information in a Supplier’s 360° Profile [page 99]
Regulatory and Legal Information in a Supplier’s 360° Profile [page 104]
Engagement Risk Information in a Supplier’s 360° Profile [page 106]

Risk Alert Incident Types


SAP Ariba Supplier Risk includes predefined incident types with default severity levels. You can customize the
severity levels.

Table 1:

| Incident | Sub-Incident | Description | Risk Category | Type | Default Severity |
| --- | --- | --- | --- | --- | --- |
| Accident | Aviation disasters | Any event involving aircraft where a person is fatally or seriously injured, the aircraft sustains a structural failure, or goes missing. | Operational | Negative | Medium |
| Accident | Building collapse | Any kind of structural failure and collapse. | Operational | Negative | Medium |
| Accident | Damaged | A terrorist incident using a plane or helicopter. | Operational | Negative | Medium |
| Accident | Disasters and accidents | A sudden negative event or catastrophe that causes great damage or loss of life. Covering both natural and human-made disasters. | Operational | Negative | Medium |
| Accident | Explosion accidents | Any explosion that wasn't caused deliberately. | Operational | Negative | Medium |
| Accident | Fire disasters | Any accidental or intentional fire. | Operational | Negative | Medium |
| Accident | Industrial disasters | Technological or industrial accidents, dangerous procedures, infrastructure failures, or certain human activities that could cause the loss of life, injury, property damage, social and economic disruption, or environmental degradation. | Operational | Negative | Medium |
| Accident | Maritime disasters | Any misfortune involving waterborne transport including maritime and inland waterway transport. | Operational | Negative | Medium |
| Accident | Mining disasters | An accident that occurs during the process of mining minerals. | Operational | Negative | Medium |
| Accident | Nuclear accidents | Any accident involving radioactive contamination. | Operational | Negative | Medium |
| Accident | Railway disasters | Any disaster involving one or more trains leading to an accident or derailment. | Operational | Negative | Medium |
| Accident | Stampede | An uncontrolled mass impulse among a crowd of people to run, often in an attempt to escape a perceived threat, often leading to injury or death. | Operational | Negative | Medium |
| Business expansion | Business expansion | The business seeks out additional opportunities to increase profit including entering new markets, releasing new products, opening new plants, or hiring on a large scale. | Financial | Positive | Low |
| Business expansion | Challenger bank | Events and activities related to challenger banks. Banks competing with the traditional banks, often online, and prioritizing low costs for their customers. | Financial | Positive | Low |
| Business expansion | Digital banking | The development, implementation, or use of digital banking services. All banking products and services are online, web-based, or through APIs. | Financial | Positive | Low |
| Contract | Contract bidding | An open tender. | Financial | Positive | Low |
| Contract | New sales contracts | Any kind of business or sales contract except corporate partnerships, ownership changes, and joint ventures. | Financial | Positive | Low |
| Corporate ban | Corporate ban | Any kind of ban or legal prohibition issued directly to or by a company, including sanctions, and embargoes. | Regulatory and legal | Negative | Medium |
| Corporate bankruptcy | Bankruptcies | The legal status of a company when it's declared unable to pay its debts and requires relief. | Financial | Negative | High |
| Corporate credit rating downgrade | Credit rating and downgrading of a company | A statement provided by an independent agency reflecting a decrease in the likelihood that a corporation will fully meet its financial obligations. | Financial | Negative | Medium |
| Corporate restructuring | Business relocation | A company moves part or all of its operations to a different location. For example, to another country/region or continent. | Operational | Negative | Medium |
| Corporate restructuring | Business revitalization | Actions taken by a company to improve business performance, especially when it's struggling. | Operational | Negative | Medium |
| Corporate restructuring | Corporate restructuring | A reorganization of the operations and interests of a corporation. | Operational | Negative | Medium |
| Corruption and bribery | Corruption | Acquiring an illicit benefit usually by bribery. | Regulatory and legal | Negative | Medium |
| Corruption and bribery | Embezzlement | A type of financial fraud involving the theft or misappropriation of funds placed in one's trust or belonging to one's employer. | Regulatory and legal | Negative | Medium |
| Corruption and bribery | Insider trading | The illegal practice of trading on the stock exchange to one's own advantage while having access to confidential information. | Regulatory and legal | Negative | Medium |
| Cyber security | Blockchain technology | The implementation or use of blockchain technology. | Regulatory and legal | Positive | Low |
| Cyber threats | Backdoor vulnerability | An undocumented portal allowing an administrator to enter a computer system to troubleshoot or do maintenance has been compromised. | Regulatory and legal | Negative | Medium |
| Cyber threats | Buffer overflow attack | The malicious exploitation of a feature used by a given program to store more data in a temporary storage area than it can hold. | Regulatory and legal | Negative | Medium |
| Cyber threats | Cyber breach | This aggregates the cyber threats incident type and all its children. It's useful if you don't need to view the sub-incidents. | Regulatory and legal | Negative | Medium |
| Cyber threats | Cyber espionage | A form of cyber attack used to obtain classified, sensitive data or intellectual property to gain an advantage over a competitor or government entity. | Regulatory and legal | Negative | Medium |
| Cyber threats | Cyber squatting | The registration, trafficking in, or use of an internet domain name with the intent to profit from the goodwill of a trademark belonging to someone else. | Regulatory and legal | Negative | Medium |
| Cyber threats | Cyber terrorism | The use of computers and information technology by terrorists to cause severe disruption or widespread fear. | Regulatory and legal | Negative | Medium |
| Cyber threats | Cyber threats | A vulnerability or malicious attempt to damage or disrupt a computer network or system. | Regulatory and legal | Negative | Medium |
| Cyber threats | Cybercrime | A crime that involves a computer and a network. The computer could have been used in the commission of a crime, or it could be the target. | Regulatory and legal | Negative | Medium |
| Cyber threats | Cyberwar | The use of computer technology to disrupt the activities of a state, especially the deliberate attacking of information systems for strategic or military purposes. | Regulatory and legal | Negative | Medium |
| Cyber threats | Data leak | An unauthorized disclosure of data from within an organization to an external destination or recipient. | Regulatory and legal | Negative | Medium |
| Cyber threats | Data privacy issues | A failure to comply with standards for the handling and protection of an organization's personal or sensitive data. | Regulatory and legal | Negative | Medium |
| Cyber threats | DDoS attack | A distributed denial-of-service (DDoS) attack uses multiple compromised computer systems to attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. | Regulatory and legal | Negative | Medium |
| Cyber threats | DNS attack | An exploit where an attacker takes advantage of vulnerabilities in the Domain Name System (DNS). | Regulatory and legal | Negative | Medium |
| Cyber threats | Hackers | The unauthorized access to, or control over, computer network security systems for some illicit purpose. | Regulatory and legal | Negative | Medium |
| Cyber threats | Hacktivism | The use of a computer system or network for a socially or politically motivated reason. | Regulatory and legal | Negative | Medium |
| Cyber threats | Identity theft | In the context of cyber security, the crime of using another person's personal information, credit history, or other identifying characteristics in order to make purchases or borrow money without that person's permission. | Regulatory and legal | Negative | Medium |
| Cyber threats | Insider threat | A malicious threat to an organization that comes from employees, former employees, contractors, or business associates who have inside information concerning the organization's security practices, data, and computer systems. | Regulatory and legal | Negative | Medium |
| Cyber threats | Keylogging | The use of a computer program to record every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information. | Regulatory and legal | Negative | Medium |
| Cyber threats | Malware threat | Malicious software designed to infiltrate and damage computers without a user's consent. | Regulatory and legal | Negative | Medium |
| Cyber threats | Phishing threat | A type of social engineering attack often used to steal user data, including login credentials and credit card numbers. | Regulatory and legal | Negative | Medium |
| Cyber threats | Poor data security | A lack of protective digital measures that are applied to prevent unauthorized access to computers, databases, and websites. | Regulatory and legal | Negative | Medium |
| Cyber threats | Social engineering attack | In the context of cyber security, the psychological manipulation of people into performing actions or divulging confidential information. | Regulatory and legal | Negative | Medium |
| Cyber threats | Spyware threat | The risk of software gathering information about a person or organization, sometimes without their knowledge. | Regulatory and legal | Negative | Medium |
| Cyber threats | SQL attack | A security exploit where the attacker adds Structured Query Language (SQL) code to a web form input box to gain access to resources or make changes to data. | Regulatory and legal | Negative | Medium |
| Cyber threats | TCP flood attack | A type of DDoS attack that exploits part of the normal Transmission Control Protocol (TCP) three-way handshake to consume resources on the targeted server and render it unresponsive. | Regulatory and legal | Negative | Medium |
| Cyber threats | UDP flood attack | A type of DDoS attack where the attacker overwhelms random ports on the targeted host with IP packets containing User Datagram Protocol (UDP) datagrams. | Regulatory and legal | Negative | Medium |
| Cyber threats | VOIP vulnerability | A security vulnerability related to the Voice Over Internet Protocol (VOIP). | Regulatory and legal | Negative | Medium |
| Cyber threats | Vulnerability | In the context of cyber security, the state of being exposed to the possibility of being attacked or harmed. | Regulatory and legal | Negative | Medium |
| Cyber threats | Web drive by | A form of malware typically found on compromised web pages. | Regulatory and legal | Negative | Medium |
| Cyber threats | Web server compromise | An infected web server. | Regulatory and legal | Negative | Medium |
| Cyber threats | Website defacement | An attack on a website that changes the visual appearance of the site or a webpage. | Regulatory and legal | Negative | Medium |
| Deteriorating financial situation | Asset forfeiture | Any confiscation of assets by the state, typically in relation to criminal activity. | Financial | Negative | Medium |
| Deteriorating financial situation | Credit risk | The risk of default on a debt. | Financial | Negative | Medium |
| Deteriorating financial situation | Deleveraging | The process of reducing the level of one's debt by rapidly selling assets. | Financial | Negative | Medium |
| Deteriorating financial situation | Deteriorating financial situation | A weakening financial position for a company, such as when sales are down, revenue falls, or it experiences any other general financial problems. | Financial | Negative | Medium |
| Deteriorating financial situation | Distraint | The seizure of someone's property in order to obtain payment of money owed. | Financial | Negative | Medium |
| Deteriorating financial situation | Extraordinary expenditures | Large, unexpected, or unusual expenditures. | Financial | Negative | Medium |
| Deteriorating financial situation | Failure | Any kind of failure. | Financial | Negative | Medium |
| Deteriorating financial situation | Financial risks | Any kind of situation that could lead to financial loss. For example, budget overrun, problems with payment, collection problems. | Financial | Negative | Medium |
| Deteriorating financial situation | Loss making | Business activities that are unprofitable. | Financial | Negative | Medium |
| Deteriorating financial situation | Sales decrease | A reduction in the overall number of sales during a given time period. | Financial | Negative | Medium |
| Deteriorating financial situation | Stagnation | A prolonged period of little or no growth. | Financial | Negative | Medium |
| Deteriorating financial situation | Stock delistings | The removal of a company's shares from a stock exchange. | Financial | Negative | Medium |
| Divestment | Divestment | The action or process of selling off subsidiary business interests or investments for financial, ethical, or political objectives. | Financial | Negative | High |
| Downsizing | Downsizing | Employee layoffs as a strategy to reduce the size and scope of a business in order to improve its financial performance. | Financial | Negative | Medium |
| Environmental and social issue | Anticompetitive behavior | A position stifling or limiting free and fair competition in a market. | Environmental and social | Negative | Medium |
| Environmental and social issue | Anti-diversity behavior | The exclusion of people due to differences in the background, ethnicity, race, sexual orientation, and so on. | Environmental and social | Negative | Medium |
| Environmental and social issue | Association against unions | An effort to weaken or diminish the influence and power of labor organizations that endeavor to improve the economic status and conditions of workers. | Environmental and social | Negative | Medium |
| Environmental and social issue | Bonded labor | When a person is forced to work to pay off a debt and usually loses control over the conditions of both their employment and the debt. | Environmental and social | Negative | Medium |
| Environmental and social issue | Chemical oil spill | Any environmental disaster involving chemicals, oils, or their by-products. | Environmental and social | Negative | Medium |
| Environmental and social issue | Child labor violations | The illegal or exploitative employment of children in an industry or business. | Environmental and social | Negative | Medium |
| Environmental and social issue | Child slavery | When a child has fallen into involuntary servitude. For example, due to child trafficking, child soldiering, child marriage, and child domestic slavery. | Environmental and social | Negative | Medium |
| Environmental and social issue | Competitive business retaliation | A business practice that threatens competitive retaliation, restricting new entrants from entering a market. | Environmental and social | Negative | Medium |
| Environmental and social issue | Conflict commodities contra | The illegal practice of producing or trading natural resources extracted from a conflict zone often to perpetuate war or fighting. | Environmental and social | Negative | Medium |
| Environmental and social issue | Corporate waste management | Issues related to a company's treatment or disposal of the waste produced through its operations. | Environmental and social | Negative | Medium |
| Environmental and social issue | Corruption | A form of dishonesty or criminal activity undertaken by a person or organization entrusted with a position of authority, often to acquire illicit benefit. | Environmental and social | Negative | Medium |
| Environmental and social issue | Data privacy risk | Practices that put at risk the protection and dissemination of personal or private information about individuals or organizations. | Environmental and social | Negative | Medium |
| Environmental and social issue | Disadvantaged community | An inability to provide a minimum level of service or other support for a community, especially disadvantaged people, and underprivileged groups. | Environmental and social | Negative | Medium |
| Environmental and social issue | Disrespect of biodiversity | A failure to respect the range of ecological communities that species form. | Environmental and social | Negative | Medium |
| Environmental and social issue | Emissions standards breach | A breach of vehicle or industrial emissions standards that results in pollutants being released into the environment. | Environmental and social | Negative | Medium |
| Environmental and social issue | Employee workplace misconduct | An instance when an employee fails to exercise due care or doesn't fulfill his or her duties according to an expected standard, including an employee's violation of the company's code of conduct, and misconduct in the workplace. | Environmental and social | Negative | Medium |
| Environmental and social issue | Employer health safety violation | A failure of an employer to properly account for the safety, health, and comfort of its workers. | Environmental and social | Negative | Medium |
| Environmental and social issue | Environmental disasters | A catastrophic event regarding the environment due to human activity. | Environmental and social | Negative | Medium |
| Environmental and social issue | Environmental negligence | A failure to take reasonable care for the natural environment and its resources. | Environmental and social | Negative | Medium |
| Environmental and social issue | Evacuation | The act of moving people from a dangerous place to safety. | Environmental and social | Negative | Medium |
| Environmental and social issue | Female discrimination | Prejudice or discrimination that affects women and girls due to their gender. | Environmental and social | Negative | Medium |
| Environmental and social issue | Forced labor | Coercion to work through the use of violence or intimidation. | Environmental and social | Negative | Medium |
| Environmental and social issue | Fraudulent business practice | Business practices that encompass fraud, misrepresentation, and oppressive or unconscionable acts or practices by business, often against consumers. | Environmental and social | Negative | Medium |
| Environmental and social issue | Human workplace rights negligence | A failure to support human rights and maintain a work environment that reflects respect for human rights. | Environmental and social | Negative | Medium |
| Environmental and social issue | Human rights concerns | Risks to the basic rights and freedoms to which all humans are entitled. | Environmental and social | Negative | Medium |
| Environmental and social issue | Improper use and/or disposal of Persistent Organic Pollutants (POPs) and other toxic chemicals | Negligent practices involving the use, storage, and disposal of Persistent Organic Pollutants and other toxic chemicals which have the potential for harm to human health or the environment. | Environmental and social | Negative | Medium |
| Environmental and social issue | Inappropriate use of security forces | Failure to adequately train or instruct security forces, or failure of security forces to work in conjunction with local communities, leading to human rights abuses or security incidents. | Environmental and social | Negative | Medium |
| Environmental and social issue | Inexpensive clothing manufacturing | Inexpensive clothing produced and marketed to consumers in response to the latest fashion trends. | Environmental and social | Negative | Medium |
| Environmental and social issue | Labor rights violation | A breach of rights having to do with labor relations between workers and their employers, usually obtained under labor and employment law. | Environmental and social | Negative | Medium |
| Environmental and social issue | Laboratory animals negligence | Practices that don't take into account the welfare, care, and treatment of animals used in laboratory testing. | Environmental and social | Negative | Medium |
| Environmental and social issue | Lack of transparency in business practices | The failure of a business to be open about its goals, history, performance, operations, traceability of suppliers, and components. | Environmental and social | Negative | Medium |
| Environmental and social issue | Marriage of children | Generally understood to involve girls as young as 7 or 8 who are forced by their families to marry much older men. The practice exposes girls to increased health problems and violence, and perpetuates a cycle of poverty and gender inequality. | Environmental and social | Negative | Medium |
| Environmental and social issue | Modern slavery | The recruitment, movement, harboring or receiving of children, women or men through the use of force, coercion, deception, or other means for the purpose of exploitation. | Environmental and social | Negative | Medium |
| Environmental and social issue | Negative agricultural practices | Practices such as intensive animal production, overuse of antibiotics, monoculture farming, land conversion, or activities that lead to habitat loss, river and groundwater pollution, soil erosion, and such. | Environmental and social | Negative | Medium |
| Environmental and social issue | Negligent use and/or disposal of mercury | Negligent use of mercury and/or mercury compounds and improper treatment of mercury waste. | Environmental and social | Negative | Medium |
| Environmental and social issue | Negligent waste management practices | Practices that don't sufficiently ensure the sustainable management of waste such as landfill waste, off-gassing from plastic production, radioactive waste, and so on. | Environmental and social | Negative | Medium |
| Environmental and social issue | Overproduction | The production of more of a product than necessary to meet market demand. The resulting surplus is often destroyed by the producer. | Environmental and social | Negative | Medium |
| Environmental and social issue | Packaging negligence | The use of unsustainable packaging methods, such as overpackaging, the unnecessary use of nonbiodegradable packaging, and so on. | Environmental and social | Negative | Medium |
| Environmental and social issue | Poor recycling practices | A failure to ensure products can be easily and economically recycled. Such practices can lead to surface water contamination, uncontrolled waste, and so on. | Environmental and social | Negative | Medium |
| Environmental and social issue | Poor supply chain practices | Deficiencies in an organization’s supply chain or logistics network that could lead to environmental damage, undue risk, waste costs, late or extended payment terms, and so on. | Environmental and social | Negative | Medium |
| Environmental and social issue | Poor water management practices | Practices, strategies, and activities that jeopardize the sustainable management of fresh water, including contamination, poor wastewater management, and the release of harmful substances into water sources. | Environmental and social | Negative | Medium |
| Environmental and social issue | Population contra | A failure to promote activities, practices, and programs aimed at ensuring a sustainable population. This increases pressure on the planet's resources. For example, water scarcity, land use, and an increase in carbon dioxide emissions. | Environmental and social | Negative | Medium |
| Environmental and social issue | Product negligence | A failure to sufficiently ensure that a product is safe and suitable. For example, lack of liability and due care, the using of dangerous substances and chemicals, unexpected side effects, and so on. | Environmental and social | Negative | Medium |
| Environmental and social issue | Radioactive contamination | The unintended presence of radioactive substances. | Environmental and social | Negative | Medium |
| Environmental and social issue | Sex trafficking | The practice of illegally transporting people from 1 country/region or area to another for the purpose of sexual exploitation. | Environmental and social | Negative | Medium |
| Environmental and social issue | Terrorism support | Activities supporting the goals and use of terrorism. | Environmental and social | Negative | Medium |
| Environmental and social issue | Transportation contra | Transport that isn't socially and environmentally sustainable, doesn't use renewable energy sources, and so on. | Environmental and social | Negative | Medium |
| Environmental and social issue | Unethical operations | The failure of a business to adhere to both the regulatory and ethical consideration in its operations. | Environmental and social | Negative | Medium |
| Environmental and social issue | Unethical practice | An action that falls outside of what is considered morally right or proper for a person, a profession, or an industry. | Environmental and social | Negative | Medium |
| Environmental and social issue | Unethical workplace practices | Actions that fall outside of what is considered morally right or proper for an employee, company representative, profession, or industry. | Environmental and social | Negative | Medium |
| Environmental and social issue | Unfair hours and wages | A failure to pay workers fairly for their time spent working or expect them to work longer hours than local legislation dictates. | Environmental and social | Negative | Medium |
| Environmental and social issue | Unlawful infringement of land rights | Any kind of unlawful eviction of land, such as denial of the right of ownership or land grabbing. | Environmental and social | Negative | Medium |
| Environmental and social issue | Unsustainable energy use | The production or use of energy resources in an unethical or unsustainable method. | Environmental and social | Negative | Medium |
| Environmental and social issue | Unsustainable ethical practices | Practices that don't support sustainable or ethical approaches, behavior, etc. | Environmental and social | Negative | Medium |

| Environmental and social issue | Unsustainable principles | Refers to practices that are exploitative, inhumane, neglectful, nontransparent, noncompliant, unsustainable, unethical, and so on. | Environmental and social | Negative | Medium |
| Environmental and social issue | Unsustainable product consumption | A failure to buy sustainable products and services that have a minimal impact on the environment. The growth of human population, and consumption are principal factors affecting climate change. | Environmental and social | Negative | Medium |
| Environmental and social issue | Unsustainable use of resources | The use of natural resources in a way that leads to their long-term decline. | Environmental and social | Negative | Medium |
| Environmental and social issue | Water contamination | The contamination of any kind of water body including ground water and tap water, usually as a result of human activities. | Environmental and social | Negative | Medium |
| Environmental and social issue | Whistleblowing and workplace retaliation | Retribution taken against an employee who complains of fraud, illegal activities, or other wrongful dealings in the workplace. | Environmental and social | Negative | Medium |
| Environmental and social issue | Workplace abuse | Mistreatment in the workplace that causes either physical or emotional harm such as sexual abuse, mental or physical coercion, verbal abuse, sexual harassment, and so on. | Environmental and social | Negative | Medium |


| Environmental and social issue | Workplace prejudices | The unfair treatment of employees based on prejudices. | Environmental and social | Negative | Medium |
| Environmental and social issue | Workplace training negligence | A failure to provide adequate training to staff. | Environmental and social | Negative | Medium |
| Ethical practice | Against modern slavery | Opposition to modern slavery. For example, human trafficking, compelled labor, coercive practices, and so on. | Environmental and social | Positive | Low |
| Ethical practice | Animal well-being | Practices that consider all aspects of animal well-being, including proper housing, management, nutrition, disease prevention, and treatment. | Environmental and social | Positive | Low |
| Ethical practice | Child labor opposition | Any initiative or event opposed to the employment of children. Especially, when illegal or considered exploitative. | Environmental and social | Positive | Low |
| Ethical practice | Competitive behavior | A position advocating free and fair competition in a market. | Environmental and social | Positive | Low |
| Ethical practice | Corruption prevention | Any initiative designed to eradicate or prevent dishonest or fraudulent conduct, typically involving bribery. | Environmental and social | Positive | Low |
| Ethical practice | Data privacy practices | Practices that ensure data belonging to users, such as customers, is properly handled and in a manner compliant with regulatory concerns. | Environmental and social | Positive | Low |


| Ethical practice | Discrimination free workplace | A workplace that shows no tolerance for the unfair treatment of employees based on prejudices. | Environmental and social | Positive | Low |
| Ethical practice | Diversity and inclusion in the workplace | Efforts to promote the collective mixture of differences and similarities within a workplace or team and ensure that all individuals are treated fairly and have equal access to opportunities and resources. | Environmental and social | Positive | Low |
| Ethical practice | Diversity inclusion | A concept encompassing acceptance and respect for an individual's ideas, viewpoints, backgrounds, and so on. | Environmental and social | Positive | Low |
| Ethical practice | Employee health and safety initiatives | Initiatives aimed at ensuring safety, well-being, and health at the workplace. | Environmental and social | Positive | Low |
| Ethical practice | Environmental best practices | Measures and strategies aimed at minimizing the impact of an activity on nature and the environment. | Environmental and social | Positive | Low |
| Ethical practice | Ethical compliance | The adherence of the business to both regulatory and ethical consideration in its operations. | Environmental and social | Positive | Low |
| Ethical practice | Ethical practices | An entity is behaving ethically. For example, using ecological, sustainable practices, promoting zero-waste, a cage-free environment, and so on. | Environmental and social | Positive | Low |


| Ethical practice | Ethically sourced materials | Efforts to ensure supply chains don't rely on materials that are sourced from conflict or war zones and would consequently support or prolong the conflict. | Environmental and social | Positive | Low |
| Ethical practice | Fair hours and wages | Any initiative aimed at obtaining or protecting workers' rights to minimum wage, overtime pay, and record keeping. | Environmental and social | Positive | Low |
| Ethical practice | Fair labor practices | A commitment to the fair and equitable treatment of employees. | Environmental and social | Positive | Low |
| Ethical practice | Fair trade | Practices that encourage companies in developed countries/regions to pay fair prices to producers in developing countries/regions. | Environmental and social | Positive | Low |
| Ethical practice | Female equality | A commitment to providing women and girls with equal access to education, health care, decent work, and political and economic representation. | Environmental and social | Positive | Low |
| Ethical practice | Green product marketing | The marketing of products or services based on their environmental benefits. For example, improvements to the production process, sustainable packaging, and so on. | Environmental and social | Positive | Low |


| Ethical practice | Initiatives for toxic chemicals reduction | Practices and/or initiatives aiming towards the reduction or elimination of toxic chemicals, thereby lessening the impact on climate, ecosystems and biodiversity. | Environmental and social | Positive | Low |
| Ethical practice | Local supplier support | Preferential support for local service providers and producers, including respect for their needs and requirements. | Environmental and social | Positive | Low |
| Ethical practice | Opposed to competitive business retaliation | A business practice that doesn't threaten competitive retaliation, allowing new entrants to enter a market. | Environmental and social | Positive | Low |
| Ethical practice | Opposition of child marriage | Opposition to the marriage of girls as young as 7 or 8 who are forced by their families to marry much older men exposing them to increased health problems and violence. | Environmental and social | Positive | Low |
| Ethical practice | Opposition to terrorism | Any movement or initiative that opposes the use of terrorism. | Environmental and social | Positive | Low |
| Ethical practice | Packaging best practices | Efforts made to ensure products are packaged with minimal impact to the environment. For example, quantity of materials used, resources needed to transport, waste disposal, biodegradable packaging. | Environmental and social | Positive | Low |


| Ethical practice | Positive agriculture practices | Farming practices that produce sufficient food while respecting the environment. | Environmental and social | Positive | Low |
| Ethical practice | Positive business practices | An enterprise that has minimal negative impact on the global or local environment, community, society, or economy, often having progressive environmental and human rights policies. | Environmental and social | Positive | Low |
| Ethical practice | Positive waste management practices | Activities such as recycling, composting, reusing, and reducing waste that help to minimize the amount of waste. | Environmental and social | Positive | Low |
| Ethical practice | Pro labor rights | Promoting the rights of workers. For example, pay, benefits, and safe working conditions. | Environmental and social | Positive | Low |
| Ethical practice | Quality manufacturing | Practices ensuring quality manufacturing to lengthen the life of the garment encouraging slower production schedules, fair wages, lower carbon footprints, and ideally zero waste. | Environmental and social | Positive | Low |
| Ethical practice | Recycling best practices | Efforts made to ensure products can be easily and economically recycled, or products that already use recycled materials. | Environmental and social | Positive | Low |


| Ethical practice | Sustainable use of resources | The use of natural resources in a way that doesn't lead to their long-term decline, maintains their potential to meet the needs of a society, and limits the impact on the environment. | Environmental and social | Positive | Low |
| Ethical practice | Respect of human rights | A commitment to respect the basic rights and freedoms that all humans are entitled to. | Environmental and social | Positive | Low |
| Ethical practice | Responsible purchasing practices | All purchasing processes follow ethical and sustainable principles and show respect for society and the environment. | Environmental and social | Positive | Low |
| Ethical practice | Retaliation free workplace | An effort to provide a working environment where employees don't fear any punishment or negative consequences due to their participation in legally protected activities such as whistleblowing. | Environmental and social | Positive | Low |
| Ethical practice | Startup friendly | Welcoming or accommodating to young, newly established businesses. | Environmental and social | Positive | Low |
| Ethical practice | Support of emission standards | Efforts to lower the amount of carbon dioxide and greenhouse gases created by productive activities. | Environmental and social | Positive | Low |
| Ethical practice | Support of human and workplace rights | Promotion and support of human rights; a work environment that reflects a respect for human rights. | Environmental and social | Positive | Low |


| Ethical practice | Support of unions | Support for organized associations of workers with the aim of improving their economic status and working conditions. | Environmental and social | Positive | Low |
| Ethical practice | Supportive of training | Promotion of ongoing education and training of employees. | Environmental and social | Positive | Low |
| Ethical practice | Sustainable principles | Refers to responsibility, sustainability, transparency, inclusion, sound environmental or ethical practices, and so on. | Environmental and social | Positive | Low |
| Ethical practice | Sustainable and ethical practices | Any positive position related to sustainable and ethical practices. | Environmental and social | Positive | Low |
| Ethical practice | Sustainable communities | Any positive initiative to promote sustainable communities with a focus on urban infrastructure, social equity, local government, environmental and economic sustainability. | Environmental and social | Positive | Low |
| Ethical practice | Sustainable energy use | The principle where human use of energy meets the needs of the present without compromising the ability of future generations, while also using ethical and sustainable methods to deliver the energy. | Environmental and social | Positive | Low |


| Ethical practice | Sustainable innovation and R&D | Research and development that takes into account environmental, social, ethical, and economic concerns. | Environmental and social | Positive | Low |
| Ethical practice | Sustainable product consumption | The use of products and services that have a minimal impact on the environment. | Environmental and social | Positive | Low |
| Ethical practice | Sustainable product development | Ethically based product development and production practices that provide environmental, social, and economic benefits while protecting public health and environment over their whole life cycle. | Environmental and social | Positive | Low |
| Ethical practice | Sustainable supply chain | A supply chain or logistics network that is ethically based and sustainable in terms of its impact on the environment, waste, and so on. | Environmental and social | Positive | Low |
| Ethical practice | Sustainable transportation | Transport that is socially and environmentally sustainable, uses renewable energy sources, and so on. | Environmental and social | Positive | Low |
| Ethical practice | Transparency of business practices | Openness about a business's goals, history, performance, and operations, including traceability of suppliers and components. | Environmental and social | Positive | Low |


| Ethical practice | Water conservation and protection | All practices, strategies, and activities to sustainably manage the natural resource of fresh water. | Environmental and social | Positive | Low |
| Financial penalty | Financial penalty | A fine that a corporation must pay as a result of breaking a law, regulation, or terms of a contract. | Financial | Negative | Medium |
| Geopolitical issue | Attack | Any involvement of an entity in an aggressive action taken by an individual or group against another, or a military act against a person, people, country/region, or group. | Operational | Negative | Low |
| Geopolitical issue | Blockade | The sealing off of a place to prevent goods or people from entering or leaving. | Operational | Negative | Low |
| Geopolitical issue | Bomb incident | An incident involving a bomb. | Operational | Negative | Low |
| Geopolitical issue | Bombing | Any military airstrike. | Operational | Negative | Low |
| Geopolitical issue | Border issues | Any incident occurring around a country/region border such as disputes, provocations, attacks, intrusions, strikes, or closures. | Operational | Negative | Low |
| Geopolitical issue | Brexit | Events, implications, or outcomes related to Brexit, the process in which the United Kingdom withdrew from the European Union. | Operational | Negative | Low |


| Geopolitical issue | Capital flight | A rapid outflow of money or assets from a country/region due to an event of economic consequence. | Operational | Negative | Low |
| Geopolitical issue | Car bombing | The act of deliberately detonating an explosive device with the use of a car. | Operational | Negative | Low |
| Geopolitical issue | Civil disobedience | The refusal to comply with certain laws considered unjust, usually as a nonviolent form of political protest. | Operational | Negative | Low |
| Geopolitical issue | Controversial | An action or event that gives rise to controversy or public disagreement. | Operational | Negative | Low |
| Geopolitical issue | Country/Region default | A failure or refusal of the government of a sovereign state to pay back its debt in full. | Operational | Negative | Low |
| Geopolitical issue | Country/Region travel warning | An official warning statement issued by a government concerning the danger of traveling to a foreign country/region or destination. | Operational | Negative | Low |
| Geopolitical issue | Credit rating downgrade of a country/region | A statement provided by an independent agency reflecting a decrease in the likelihood that a country/region will fully meet its financial obligations. | Operational | Negative | Low |


| Geopolitical issue | Curfew | A regulation implemented by authorities that requires people to remain indoors between specified hours, usually at night, and is usually issued during periods of calamity, disaster, war, or unrest. | Operational | Negative | Low |
| Geopolitical issue | Diplomatic protest | A tactic used by governments to protest or object to the actions of another government. | Operational | Negative | Low |
| Geopolitical issue | Electrical power blackout | A short-term or long-term loss of electric power to a particular area. | Operational | Negative | Low |
| Geopolitical issue | Famine | A widespread scarcity of food caused by several factors including war, inflation, crop failure, population imbalance, or government policies. | Operational | Negative | Low |
| Geopolitical issue | Financial mechanism failure | A collapse of any crucial financial institution such as European Financial Stability Facility (EFSF), European Stability Mechanism (ESM), International Monetary Fund (IMF), or the devaluation of top international currencies. | Operational | Negative | Low |
| Geopolitical issue | Harassment | Behavior that demeans, humiliates, or embarrasses a person. | Operational | Negative | Low |


| Geopolitical issue | Hate crime | A crime that occurs when a perpetrator targets a victim or group of victims belonging to a certain social group or race. | Operational | Negative | Low |
| Geopolitical issue | Humanitarian crisis | A singular event or a series of events that threaten the health, safety, or well-being of a community or large group of people. | Operational | Negative | Low |
| Geopolitical issue | Hunger strike | A method of nonviolent resistance where participants fast as an act of political protest or to achieve a specific goal. | Operational | Negative | Low |
| Geopolitical issue | Immigration flows | A high number of migrants entering or leaving a given country/region during a given period of time. | Operational | Negative | Low |
| Geopolitical issue | Infrastructure failure | Financial crisis affecting countries/regions, or national banks characterized by a lack of cash flow. | Operational | Negative | Low |
| Geopolitical issue | International incident | An event or occurrence, often with negative connotations, between two or more countries/regions. | Operational | Negative | Low |
| Geopolitical issue | International tensions | Tensions originate and grow between various nations because of several social, political, religious, economic, and other reasons. | Operational | Negative | Low |
| Geopolitical issue | Intimidation | Behavior intended to cause fear of injury or harm. | Operational | Negative | Low |


| Geopolitical issue | Lobbying | The act of attempting to influence actions, policies, or decisions of officials through documented channels. | Operational | Negative | Low |
| Geopolitical issue | Lockdown | Lockdowns initiated by a government or official authority, typically because of public health or security concerns. | Operational | Negative | Low |
| Geopolitical issue | Meddling | Deliberate and unwanted interference into affairs by an outside actor. | Operational | Negative | Low |
| Geopolitical issue | Militant incident | Any violent act in support of a political or social cause. | Operational | Negative | Low |
| Geopolitical issue | Militarization | A situation where a country/region, group, or geographic location is engaged in or is in the process of organizing itself for military conflict and violence. | Operational | Negative | Low |
| Geopolitical issue | Military exercise | The employment of military resources in training to ensure readiness for operations. | Operational | Negative | Low |
| Geopolitical issue | Persona non grata | An instance wherein a foreign person is prohibited from entering or remaining in a particular country/region by the government of that country/region. | Operational | Negative | Low |
| Geopolitical issue | Protest demonstration | An action by a mass group of people in protest to a political or other cause. | Operational | Negative | Low |


| Geopolitical issue | Purges | The removal of people or groups who are considered undesirable by those in power. | Operational | Negative | Low |
| Geopolitical issue | Riot | A violent public disturbance against authority, property, or people. Riots typically involve theft, vandalism, and the destruction of property. | Operational | Negative | Low |
| Geopolitical issue | Scandal | An action or event regarded as morally or legally wrong and causing general public outrage. | Operational | Negative | Low |
| Geopolitical issue | Siege | A military operation where armed forces surround a town or building, cutting off essential supplies, with the aim of compelling those inside to surrender. | Operational | Negative | Low |
| Geopolitical issue | Spy affair | An event that could involve some form of espionage and was publicized. | Operational | Negative | Low |
| Geopolitical issue | State of emergency | A situation where a government is empowered to perform actions that it would normally not be permitted. For example, during a disaster, public health crisis, civil unrest, or armed conflict. | Operational | Negative | Low |
| Geopolitical issue | Suicide bombing | Any violent attack where the attacker expects their own death as well as the death of others. | Operational | Negative | Low |
| Geopolitical issue | Surrender | An act of capitulation. | Operational | Negative | Low |


| Geopolitical issue | Terrorist bombing | Any bomb incident possibly related to terrorism. | Operational | Negative | Low |
| Geopolitical issue | Terrorist incident | An event reported to have been initiated by or have a connection to a terrorist organization. | Operational | Negative | Low |
| Geopolitical issue | Terrorist incident in aviation | A terrorist incident using a plane or helicopter. | Operational | Negative | Low |
| Geopolitical issue | Terrorist support | Activities supporting the goals and use of terrorism. | Operational | Negative | Low |
| Geopolitical issue | Unrest | Mass acts of disobedience including demonstrations, riots, disorder, and such, that have a negative impact on public law and order. | Operational | Negative | Low |
| Geopolitical issue | Use of weapons of mass destruction | The use of a weapon of mass destruction such as nuclear, radiological, chemical, biological, or other weapon to kill and bring significant harm to a large number of humans. | Operational | Negative | Low |
| Illegal trade | Human organ trafficking | The illegal trade of human organs, tissues, or other body parts. | Regulatory and legal | Negative | Medium |
| Illegal trade | Human trafficking | The practice of illegally transporting people from 1 country/region or area to another, typically for the purposes of forced labor or commercial sexual exploitation. | Regulatory and legal | Negative | Medium |
| Illegal trade | Illegal trade | The action of buying and selling prohibited goods and services. | Regulatory and legal | Negative | Medium |


| Illegal trade | Women trafficking | The recruitment, transportation, transfer, harboring, or receipt of women and girls for the purpose of slavery, forced labor, and sexual exploitation. | Regulatory and legal | Negative | Medium |
| Insolvency | Insolvency | When an individual or organization can no longer meet its financial obligations. | Financial | Negative | High |
| Intellectual property infringement | Copyright violations | The use of works protected by copyright law without permission. | Regulatory and legal | Negative | High |
| Intellectual property infringement | Intellectual property infringement | The violation of an intellectual property right. For example, copyrights, patents, trademarks, and so on. | Regulatory and legal | Negative | High |
| Intellectual property infringement | Patent infringement | The use of a patented invention without permission from the patent holder. | Regulatory and legal | Negative | High |
| Intellectual property infringement | Trademark infringement | The unauthorized use of a trademark to promote competing goods and services. | Regulatory and legal | Negative | High |
| International sanctions | International sanctions | The imposition of commercial and financial penalties by one or more countries/regions against a targeted self-governing state. | Regulatory and legal | Negative | High |
| Joint ventures partnership | Corporate partnerships | Any kind of partnership between a company and any other organization. For example, another company or university. | Financial | Positive | Low |


| Joint ventures partnership | Joint ventures | A business entity created by two or more parties, generally characterized by shared ownership, returns and risks, and governance. | Financial | Positive | Low |
| Labor issue | General strike | Strike action where a substantial proportion of the total labor force in a city or country/region participates. | Operational | Negative | Low |
| Labor issue | Human rights violations | The abuse, neglect, or denial of basic human rights, including civil, political, cultural, social, and economic rights. | Operational | Negative | Low |
| Labor issue | Labor accident | An unintended event that occurs at work and leads to an injury or death. | Operational | Negative | Low |
| Labor issue | Labor dispute | Strike action or industrial action undertaken by labor unions. | Operational | Negative | Low |
| Labor issue | Racism discrimination | Racism or discrimination of any kind. | Operational | Negative | Low |
| Labor issue | Suspicion | A doubt, mistrust, or misgiving about something. | Operational | Negative | Low |
| Labor issue | Torture | The act of deliberately inflicting severe physical or psychological suffering on someone as a punishment or to force some action from the victim. | Operational | Negative | Low |


| Leaving | Leaving | Any departure related to a company. For example, leaving a market or country/region, a senior executive leaves a company, and so on. | Operational | Negative | Low |
| Legal issue | Accused | An entity blaming or being blamed by another entity for something illegal or wrong. | Regulatory and legal | Negative | Medium |
| Legal issue | Arbitration | A proceeding where a dispute is resolved by an impartial adjudicator outside the courts. | Regulatory and legal | Negative | Medium |
| Legal issue | Boycott | The nonviolent, intentional, and coordinated abstinence from any kind of dealings with a person, company, organization, or country/region. Usually arranged as a form of protest mainly for moral, environmental, or political reasons. | Regulatory and legal | Negative | Medium |
| Legal issue | Company is subject of corporate lawsuit | Any case where a given company is the subject of legal proceedings taken by another company. | Regulatory and legal | Negative | Medium |
| Legal issue | Complaints | A statement highlighting an issue or expressing criticism. | Regulatory and legal | Negative | Medium |
| Legal issue | Corporate crime | A crime committed either by a corporation, or by individuals acting on behalf of a corporation, or other business entity. | Regulatory and legal | Negative | Medium |


| Legal issue | Corporate lawsuit against another company | Any case where a given company is taking legal proceedings against another. | Regulatory and legal | Negative | Medium |
| Legal issue | Corporate lawsuits | The entire process of a company issuing a lawsuit against another company or vice versa. | Regulatory and legal | Negative | Medium |
| Legal issue | Counterfeiting | An imitation made with the intent to deceive. | Regulatory and legal | Negative | Medium |
| Legal issue | Criminal procedure | Any step within the criminal procedure taken against the entity of interest. | Regulatory and legal | Negative | Medium |
| Legal issue | Expropriation | When a country/region or government seizes the property rights of an individual. | Regulatory and legal | Negative | Medium |
| Legal issue | Extortions | The practice of obtaining something, especially money, through the use of force or threats. | Regulatory and legal | Negative | Medium |
| Legal issue | Feud | A prolonged and bitter quarrel or dispute between 2 individuals, groups, societies, or companies. | Regulatory and legal | Negative | Medium |
| Legal issue | Fraud and forgery | Any kind of deception, scam, or deceit. Forgery involves a false document, signature, or other imitation of an object of value used with the intent to deceive another. Those who commit forgery are often charged with the crime of fraud. | Regulatory and legal | Negative | Medium |


| Legal issue | Racket | An organized criminal act to earn illegal or extorted money regularly or briefly but repeatedly. | Regulatory and legal | Negative | Medium |
| Legal issue | Ransom | The practice of holding a person or item with the aim to extort money or property in exchange for their release. | Regulatory and legal | Negative | Medium |
| Liquidity crisis | Liquidity crisis | Financial crisis affecting countries/regions or national banks characterized by a lack of cash flow. | Financial | Negative | Medium |
| Liquidity improvement | Liquidity improvement | Initiatives undertaken by a company to improve liquidity. | Financial | Positive | Low |
| Natural disaster | Avalanche | A mass of snow and ice falling rapidly down a mountainside. | Operational | Negative | High |
| Natural disaster | Drought and heat wave | A period of several days to weeks of abnormally hot weather that is often associated with droughts. | Operational | Negative | High |
| Natural disaster | Earthquake | Any tremor, shock, or aftershock of the earth's surface. Natural disaster monitoring provided by Global Disaster Alert and Coordination System (GDACS) | Operational | Negative | High |
| Natural disaster | Earthquake eruption tsunami | Any tremor, shock, or aftershock of the earth's surface. | Operational | Negative | High |


Natural disaster | Flood | A dangerous overflow of water (usually of rivers and sea) that submerges land that is usually dry. Natural disaster monitoring provided by Global Disaster Alert and Coordination System (GDACS) | Operational | Negative | High
Natural disaster | Geomagnetic storm | A temporary disturbance of the Earth's magnetic sphere. | Operational | Negative | High
Natural disaster | Hurricane | Any kind of tropical cyclone or rapidly rotating storm system, including hurricane, typhoon, and cyclonic storm. | Operational | Negative | High
Natural disaster | Landslide | A sliding mass of earth or rock detaching from a mountain, hillside, cliff, or the appearance of a sinkhole. | Operational | Negative | High
Natural disaster | Landslide and avalanche | A large mass of snow, rocks, mud, or debris suddenly detaching from a mountain or hillside. | Operational | Negative | High
Natural disaster | Meteorite impact | A solid piece of debris from outer space that passes through the atmosphere and causes a disaster or accident. | Operational | Negative | High
Natural disaster | Natural disasters | A natural event such as a flood, earthquake, or hurricane that causes great damage or loss of life. | Operational | Negative | High


Natural disaster | Plant pests and diseases | Agricultural viruses and diseases or insects that endanger plant life or agricultural harvest. | Operational | Negative | High
Natural disaster | Sandstorm | A strong wind carrying clouds of sand with it, especially in a desert. | Operational | Negative | High
Natural disaster | Snowstorm | A heavy fall of snow with high winds. | Operational | Negative | High
Natural disaster | Storm | A violent atmospheric event characterized by strong winds and usually rain, thunder, lightning, or snow. | Operational | Negative | High
Natural disaster | Thunderstorms | A storm with thunder and lightning and typically also heavy rain or hail. | Operational | Negative | High
Natural disaster | Tornado | A mobile, destructive vortex of violently rotating winds having the appearance of a funnel-shaped cloud. | Operational | Negative | High
Natural disaster | Tropical cyclone | Natural disaster monitoring provided by Global Disaster Alert and Coordination System (GDACS) | Operational | Negative | High
Natural disaster | Tsunami | A long, high sea wave caused by an earthquake or other disturbance. | Operational | Negative | High
Natural disaster | Volcanic eruptions | A sudden, violent discharge of steam, hot lava, volcanic ash, and gases from a volcano. | Operational | Negative | High


Natural disaster | Wild and forest fire | An uncontrolled fire occurring in woodland areas (bush fire, desert fire, grass fire, forest fire), that can also consume houses or agricultural resources. | Operational | Negative | High
Open banking | Banking as a service | The implementation or use of Banking as a Service (BaaS) enables financial services on-demand over the web and operates within a set time frame. | Financial | Positive | Low
Open banking | Open banking | The implementation or use of Open Banking where banks allow third parties to access the internal financial data through APIs. | Financial | Positive | Low
Open banking | PSD2 | The implementation of, or compliance issues surrounding, the revised Payment Services Directive (PSD2). | Financial | Positive | Low
Open banking | White label banking | The implementation or use of White Label Banking enables banks to implement or use the products developed or manufactured by other suppliers as their own. | Financial | Positive | Low
Operational disruption | Branch shutdown | A company closes a branch or location of operations. | Operational | Negative | Medium


Operational disruption | Business shutdown | A company stops trading or shuts down a portion of its operations. For example, a division, subsidiary, and so on. | Operational | Negative | Medium
Operational disruption | Discontinuity | Anytime there's a stoppage in production or services, either temporarily or permanently. | Operational | Negative | Medium
Operational disruption | Logistics issues | Problems relating to the processes a business uses to interface and interact with external companies, vendors, customers, carriers, and so on. | Operational | Negative | Medium
Operational disruption | Market exit | A decision made by a company to leave a given market. | Operational | Negative | Medium
Operational disruption | Operating without licenses | Any business or professional operating or practicing without a valid license. | Operational | Negative | Medium
Operational disruption | Shortage | A situation where something needed can't be obtained in sufficient amounts. | Operational | Negative | Medium
Operational disruption | Shut down | Any kind of stoppage or suspension. | Operational | Negative | Medium
Operational disruption | Stop work order | A formal notice issued by a client or government authority to stop or halt work. | Operational | Negative | Medium
Operational improvement | Digital tokenization | The development, implementation, or use of digital tokenization. | Operational | Positive | Low
Operational improvement | Innovation | Innovative practices, initiatives, projects, or events | Operational | Positive | Low


Operational improvement | Modernization | A progressive transition of one or more elements of an entity's operations, administration, or technology. | Operational | Positive | Low
Operational improvement | Robotic process automation | The development, implementation, or use of robotic process automation (RPA). | Operational | Positive | Low
Ownership change | Acquisition of another company | Any case where a company is acquiring another company. | Financial | Negative | Medium
Ownership change | Acquisitions | A company takes control of another through the purchase of most or all of the target company's shares. | Financial | Negative | Medium
Ownership change | Asset sales | The sale of assets by a company to increase cash flow, reduce bad debt risk, and liquidate assets. | Financial | Negative | Medium
Ownership change | Buying selling stake | The purchase or sale of a stake that affects the ownership of a company. | Financial | Negative | Medium
Ownership change | Buying stake | The purchase of a sufficiently large equity stake in a company. | Financial | Negative | Medium
Ownership change | Buyouts | A type of acquisition through the purchase of a controlling share in a company. | Financial | Negative | Medium
Ownership change | Company and share acquisition | A company takes control of another through the purchase of most or all of the target company's shares. | Financial | Negative | Medium


Ownership change | Leveraged buyouts | A financial transaction where a company is purchased with a large amount of borrowed money. | Financial | Negative | Medium
Ownership change | Management buyouts | A form of acquisition where a company's existing managers acquire a large part or all of the company. | Financial | Negative | Medium
Ownership change | Mergers | Two existing companies unite to form one new company. | Financial | Negative | Medium
Ownership change | Mergers and acquisitions | Two existing companies unite into one new company, or one company gains control of another one by purchasing most or all of the shares. | Financial | Negative | Medium
Ownership change | Ownership changes | Any changes to the ownership structure of a company. | Financial | Negative | Medium
Ownership change | Potential ownership change | Any changes to the ownership structure of a company. | Financial | Negative | Medium
Ownership change | Privatizations | The transfer of a business, industry, or service from public to private ownership and control. | Financial | Negative | Medium
Ownership change | Selling stake | The selling of a sufficiently large equity stake in a company. | Financial | Negative | Medium
Ownership change | Spinoffs | The creation of an independent company by selling shares of the existing company. | Financial | Negative | Medium


Pandemic | 2019 novel coronavirus | An infectious disease caused by Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2). The outbreak began in December 2019 and was declared a pandemic in March 2020, causing significant worldwide health, economic, and social impacts. | Operational | Negative | Medium
Pandemic | Bird flu | A severe, often fatal, type of influenza that affects birds, especially poultry, and that can also be transmitted to humans and lead to epidemics. | Operational | Negative | Medium
Pandemic | Cholera | An infectious and often fatal bacterial disease of the small intestine. | Operational | Negative | Medium
Pandemic | Deadly epidemic infections | A fatal infectious disease that spreads rapidly to many people. | Operational | Negative | Medium
Pandemic | Dengue fever | A debilitating viral disease of the tropics, transmitted by mosquitoes, affecting millions of people, and having a high mortality rate. | Operational | Negative | Medium
Pandemic | Ebola | An infectious and generally fatal viral disease that can lead to epidemics. | Operational | Negative | Medium
Pandemic | MERS | A viral respiratory illness (Middle East Respiratory Syndrome) with a high mortality rate. | Operational | Negative | Medium


Pandemic | Plague | A contagious bacterial disease characterized by fever and delirium, with a fatality rate of 70% if left untreated. | Operational | Negative | Medium
Pandemic | Polio | An infectious disease especially of young children that is caused by the poliovirus. In the 20th century, it was one of the most worrisome childhood diseases in some areas. | Operational | Negative | Medium
Pandemic | SARS | An infectious disease spread from animals to humans. In 2002 and 2003, a SARS outbreak in southern China led to 8,098 cases of the disease and resulted in 774 deaths in 37 countries/regions. | Operational | Negative | Medium
Pandemic | Smallpox | An acute contagious viral disease that was eradicated through vaccination by 1979. Unprecedented levels of immunosuppression in countries/regions such as Australia and the US pose a real risk of smallpox re-emerging in the world. | Operational | Negative | Medium
Pandemic | Swine flu | A highly pathogenic and sometimes deadly form of influenza that affects pigs and can lead to pandemics. It can also infect humans. | Operational | Negative | Medium


Pandemic | Zika fever | A disease caused by a virus transmitted primarily by Aedes mosquitoes, that can lead to epidemics causing birth defects and neurological problems. | Operational | Negative | Medium
Plant disruption | Plant disruption | Any disruption, shortage, delay, or suspension in production or operation. | Operational | Negative | Medium
Plant disruption | Plants shutdown | Any closure of a factory or its relocation. | Operational | Negative | Medium
Price increase | Price increase | The price increase of goods and services, excluding stock prices. | Financial | Negative | Low
Product issue | Issue | A problem that has been identified and put up for debate or discussion. | Operational | Negative | Medium
Product issue | Market negligence | Deliberate disregard, or lack of due care, related to a product that is on the market. | Operational | Negative | Medium
Product issue | Market withdrawal | An instance where a manufacturer voluntarily removes a product from the market, typically to remedy a quality issue. | Operational | Negative | Medium
Product issue | Offlabel promotion | Any case of off-label promotion or inappropriate marketing. For example, not complying with the regulations. | Operational | Negative | Medium


Product issue | Product imitation | A market positioning strategy involving the introduction of a product that emulates or copies a product already on the market as far as it's legally possible under patent and trademark laws. | Operational | Negative | Medium
Product issue | Product recalls | A request from a manufacturer to return a product after the discovery of safety issues or product defects that might endanger the consumer or put the manufacturer or seller at risk of legal action. | Operational | Negative | Medium
Product issue | Quality issues | Any defects, deficiencies, or questionable variations in the quality of a product. | Operational | Negative | Medium
Product issue | Supplier problems | Any issue that a company can have with a supplier. | Operational | Negative | Medium
Product issue | Tampering | Intentional modification of products in a way that would make them harmful to the consumer. | Operational | Negative | Medium
Product issue | Vehicle technical failures | An unwanted technical failure related to a vehicle. | Operational | Negative | Medium
Project issue | Project delays | Any interruption keeping a given project or stage of a project from being completed on time. | Operational | Negative | Medium
Project issue | Project failure | All cases where a project, agreement, or contract is refused, rejected, or canceled. | Operational | Negative | Medium


Public health | Dangerous gene mutations | A change in genetic material (DNA) that results in severe negative consequences on the health of the organism. | Environmental and social | Negative | Low
Public health | Food poisoning | All cases of contaminated or poisoned food. | Environmental and social | Negative | Low
Regulatory compliance issue | Banned | An involvement in the official prohibition of something by an organization or authority. | Regulatory and legal | Negative | High
Regulatory compliance issue | Conflict commodities | A high-value resource taken from an area of armed conflict and traded illicitly to finance the fighting or other illegal operations. | Regulatory and legal | Negative | High
Regulatory compliance issue | Conflict of interest | A situation where a person or organization has multiple interests, financial or otherwise, and serving one interest could work to the detriment of the other. | Regulatory and legal | Negative | High
Regulatory compliance issue | Debarment | When a company's activities have been restricted due to allegations of fraud, mismanagement, and similar improprieties. | Regulatory and legal | Negative | High
Regulatory compliance issue | Dodd Frank Act | A United States of America federal law that places regulation of the financial industry into the hands of the government. | Regulatory and legal | Negative | High
Regulatory compliance issue | Emerging danger | A newly developing or changing risk that could have a major impact. | Regulatory and legal | Negative | High


Regulatory compliance issue | Fraudulent financial reporting | The intentional misrepresentation of a company's financial statements with the intent of distorting its actual operating performance and profitability. | Regulatory and legal | Negative | High
Regulatory compliance issue | Hit by | An entity is faced with a new negative challenge or situation. | Regulatory and legal | Negative | High
Regulatory compliance issue | Illegal | An act or object that is forbidden by law, especially criminal law. | Regulatory and legal | Negative | High
Regulatory compliance issue | Industrial espionage | The illegal and unethical theft of trade secrets for use by a competitor to achieve a competitive advantage. | Regulatory and legal | Negative | High
Regulatory compliance issue | Information leak | An unintended loss of information from an organization usually occurring as a result of employees passing information to others either deliberately or accidentally. | Regulatory and legal | Negative | High
Regulatory compliance issue | Inspection | The act of looking at something carefully, or an official visit to a building or organization to check that everything is up to a standard prescribed by a given authority. | Regulatory and legal | Negative | High
Regulatory compliance issue | Investigation | The act of formally and systematically inquiring into something or someone. | Regulatory and legal | Negative | High


Regulatory compliance issue | Law violation | An action that breaks a law, agreement, principle, or something that should be treated with respect. | Regulatory and legal | Negative | High
Regulatory compliance issue | Legal actions | The process of engaging the legal system to settle an argument or dispute. | Regulatory and legal | Negative | High
Regulatory compliance issue | License withdrawal | A governing authority or regulator withdraws, suspends, revokes, or refuses to issue a license. For example, a bank or commercial license. | Regulatory and legal | Negative | High
Regulatory compliance issue | Money laundering | Concealing the transformation of profits from illegal activities and corruption into ostensibly "legitimate" assets. | Regulatory and legal | Negative | High
Regulatory compliance issue | Nepotism | The practice of favoritism by someone in a position of power based on either kinship or friendship. | Regulatory and legal | Negative | High
Regulatory compliance issue | Regulatory compliance issues | Issues or potential violations in a company's ability to adhere to the laws, regulations, guidelines, and specifications relevant to its business. This can include any and all violations, infringements, discriminations, unethical practices, or fraud. | Regulatory and legal | Negative | High
Regulatory compliance issue | Reputation risk | Any activity that could lead to a damaged reputation. | Regulatory and legal | Negative | High


Regulatory compliance issue | Sabotage | A deliberate action aimed at destroying, damaging, or obstructing something. | Regulatory and legal | Negative | High
Regulatory compliance issue | Sanctions violations | Attempts by a company to bypass or negate the sanctions imposed on a country/region by other countries/regions. | Regulatory and legal | Negative | High
Regulatory compliance issue | Sarbanes Oxley | A United States of America federal law that sets new or expanded requirements for all USA public company boards, management, and public accounting firms. | Regulatory and legal | Negative | High
Regulatory compliance issue | Tax evasion | The illegal avoidance of taxes by individuals, corporations, and trusts. | Regulatory and legal | Negative | High
Regulatory compliance issue | Whistleblower | A person who informs on a person or organization regarded as engaging in an unlawful or immoral activity. | Regulatory and legal | Negative | High
Regulatory compliance issue | Workplace discrimination | The unfair treatment of employees based on prejudice against age, race, disability, gender, religion, or sexual orientation. | Regulatory and legal | Negative | High
Regulatory compliance issue | Workplace safety negligence | Any instance showing that a company has been negligent and not provided due care for the health and safety of its workers. | Regulatory and legal | Negative | High


Sanctioned countries/regions | Cuba sanctions | An entity has a direct or indirect relationship with the sanctioned country/region of Cuba. | Regulatory and legal | Negative | High
Sanctioned countries/regions | Iran sanctions | An entity has a direct or indirect relationship with the sanctioned country/region of Iran. | Regulatory and legal | Negative | High
Sanctioned countries/regions | North Korean sanctions | An entity has a direct or indirect relationship with the sanctioned country/region of North Korea. | Regulatory and legal | Negative | High
Sanctioned countries/regions | Sanctioned countries/regions | An entity has a direct or indirect relationship with the listed sanctioned country/region. | Regulatory and legal | Negative | High
Sanctioned countries/regions | Sudan sanctions | An entity has a direct or indirect relationship with the sanctioned country/region of Sudan. | Regulatory and legal | Negative | High
Sanctioned countries/regions | Syria sanctions | An entity has a direct or indirect relationship with the sanctioned country/region of Syria. | Regulatory and legal | Negative | High
Sanctioned countries/regions | Venezuela sanctions | An entity has a direct or indirect relationship with the sanctioned country/region of Venezuela. | Regulatory and legal | Negative | High


Sanctions and watchlists | Sanctions | By Risk Category Information API for Supplier Risk Exposure: The API imports external sanction and watchlist compliance data. | Regulatory and legal | Negative | High
Sanctions and watchlists | Watchlists | By Risk Category Information API for Supplier Risk Exposure: The API imports external sanction and watchlist compliance data. | Regulatory and legal | Negative | High
Senior management change | Senior management changes | Changes to the executive and senior management levels of a company such as appointments, promotions, retirements, resignations, and so on. | Operational | Negative | Low
Transportation issue | Air traffic problems | Any disruption to air traffic including strikes, cancellations, and so on. | Operational | Negative | Low
Transportation issue | Air traffic security risk | Any security related risk to air traffic such as a ban on flights over a country/region, volcanic ash alerts, bomb threats, and so on. | Operational | Negative | Low
Transportation issue | Maritime security | Hazards including piracy, human trafficking, conflicts, smuggling, and any other incidents that pose a risk to the freedom or good order at sea. | Operational | Negative | Low


Transportation issue | Maritime security risk | Any misfortune involving waterborne transport including maritime and inland waterway transport. | Operational | Negative | Low
Transportation issue | Modern piracy | The act of boarding any vessel with intent to commit theft or any other crime. | Operational | Negative | Low
Transportation issue | Transportation delays | Any unscheduled interruption in the transport of goods or people resulting in delays. | Operational | Negative | Low

Related Information

Alert Monitoring Using the Alert List [page 80]


Risk Incidents and Alert Trends in a Supplier’s 360° Profile [page 98]
Configuring Risk Incident Severity Levels and Email Notifications [page 91]

Step-by-Step Workflow for Managing Supplier Risk


This workflow describes some common, general steps for managing supplier risk, along with configuration
prerequisites for following those steps.

These steps use findings to address risks raised in engagements. Depending on your site's configuration, you use
either findings or issue management projects to accomplish this task. Findings can include collaboration with both
the supplier and internal team members, while issues are always internal.


Step | Description | More Information | Configuration Prerequisites

1. Add suppliers. | Suppliers are added to your site in one of the following ways: • An administrator imports supplier data to add suppliers to your site. • Suppliers are added to your site through synchronization with an integrated ERP system. • If your organization manages suppliers using SAP Ariba Supplier Lifecycle and Performance or SAP Ariba Supplier Information and Performance Management (new architecture), requesters can add suppliers to your site manually using supplier requests, as part of the supplier creation and onboarding process. | • Supplier data import: Supplier Risk Data Import • Internal Supplier Requests | • Supplier requests: Supplier Request Project Setup • ERP integration: Prerequisites and Restrictions and Configuring Supplier Data Integration in Your SAP Ariba Site


2. Analyze abstract risk. | Use third-party data and abstract risk analysis tools to assess the risk exposure of your suppliers. You can obtain this data in the following ways: • Default providers in SAP Ariba Supplier Risk. • Additional licensed providers in SAP Ariba Supplier Risk. • Risk Category Information API for Supplier Risk Exposure | Topics About Monitoring Overall Risk and Managing Alerts [page 77] | • Default providers: Setting the Data Sources Used in Risk Exposure Calculations • Additional licensed providers: Registering a Third-Party Provider License • Import of custom field and compliance data: Risk Category Information API for Supplier Risk Exposure
3. Review risk exposure. | Use the Supplier Risk dashboard to identify suppliers with a high risk exposure. | Supplier Risk Dashboard [page 77] | Topics About Configuring Risk Exposure
4. Identify high-risk suppliers. | Details in suppliers' profiles can give you more insight into their sources and areas of risk. | Risk Exposure Information in a Supplier’s 360° Profile [page 96] |
5. (Optional) Address a concrete risk without an engagement request. | Create general findings to explore detected risks without requesting an engagement with the supplier, and formulate a response. | Creating a Finding [page 303] | Setting Up Your Site to Allow Users to Create and Manage Findings
6. Request engagements with selected suppliers to identify and mitigate risks. | Create engagement requests to identify inherent and residual risks and the applicable risk controls, and to collect information on whether the controls are effective. | Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140] | Setting Up Engagement Risk Assessment Projects. Use engagement attribute mappings, engagement control mappings, and risk control definitions to include the standard human rights self-assessment questionnaire (SAQ) as an engagement assessment Understanding the Components of the Control-Based Risk Assessment Process


7. Obtain additional information from suppliers. | Use the following options to get specific risk-related information from the suppliers as part of the engagements: • Ask them to fill out a standard human rights self-assessment questionnaire (SAQ) on SAP Business Network. The supplier's responses can be imported into an assessment questionnaire. There's no automatic invitation for this questionnaire. • Send them your own assessment questionnaires for the engagement. There are automatic invitations for these questionnaires. • Incorporate information from external sources into assessment questionnaires in the engagement. Suppliers must have SAP Business Network accounts to fill out the SAQ and external assessment questionnaires. | • Standard human rights self-assessment questionnaire (SAQ): Supplier Self-Assessments • Other assessment questionnaires: Sending Assessment Questionnaires for a Control-Based Engagement Risk Assessment Project (Simple Workflow) [page 177]; Sending Assessment Questionnaires for a Control-Based Engagement Risk Assessment Project (Advanced Workflow) [page 180] | • Import of self-assessment questionnaire: Setting Up a Modular Questionnaire to Import Supplier Responses from the Human Rights Assessment on SAP Business Network • Other assessment questionnaires: About Modular Supplier Management Questionnaires in Control-Based Engagement Risk Assessment Projects • Import from external sources: Setting Up a Modular Questionnaire to Import Supplier Responses from an External System
8. Address concrete risks. | When you've identified a concrete risk, address it by creating a finding that's associated with the engagement request or one of its risk controls. | Creating a Finding [page 303] | Setting Up Your Site to Allow Users to Create and Manage Findings
9. Collaborate on findings. | Work together with internal and external parties to analyze the finding and formulate a response. | • Working with Findings • Managing Team Members | Setting Up Your Site to Allow Users to Create and Manage Findings


10. Review supplier residual risk scores. | When an engagement request is finally approved, it generates a residual risk rating. Finding results are used in residual risk calculations if your site is configured to include them. The method used to calculate residual risk determines the effects of a finding on the rating: • Residual risk without risk domains: Findings at engagement or control level can influence the residual risk rating of an engagement. • Residual risk based on risk domains: Only findings at control level influence the engagement's residual risk rating. | • About Residual Risk for Control-Based Engagement Risk Assessments [page 136] • Engagement Risk Information in a Supplier’s 360° Profile [page 106] | • About Engagement-Level Residual Risk • Configuring Residual Risk Calculations by Risk Domain
11. Review risk exposure for the suppliers. | If your site calculates residual risk by risk domain, completed engagement requests contribute to the supplier's risk exposure. Only findings at the control level influence a supplier's risk exposure. Findings at the engagement level don't. If your site doesn't calculate residual risk by risk domain, risk exposure and residual risk rating are separate pieces of data. | N/A | Including residual risk ratings in risk exposure requires mapping between risk domains and risk categories: Mapping Engagement Risk Domains for Risk Exposure


12. Periodically monitor and review.
Description: Use periodic reviews to keep tabs on engagement risk and controls. In the Action Queue, the Control review expiration and Engagement request periodic review actions alert the appropriate people when these tasks are due.
More Information:
• How to Process a Periodic or Ad Hoc Review for an Engagement [page 250]
• Viewing and Managing Risk Controls Using the Control Details Page [page 208]
Configuration Prerequisites:
• Adding Periodic and Ad Hoc Review to the Engagement Workflow
• Setting Up Control Review Workflow

13. Use risk exposure in procurement processes.
Description: Supplier risk exposure can be included in:
• Buying activities in guided buying.
• Sourcing activities in guided sourcing.
• Relevant processes in SAP S/4HANA.
More Information:
• Guided buying: Mitigating Risk for Non-Catalog Purchases.
• Guided sourcing: Viewing Supplier Risk Information from the Event Monitoring Page
Configuration Prerequisites: Use the Risk Exposure API to add risk exposure information in SAP S/4HANA: Risk Exposure API

14. Run regular reports.
Description: Use reports and data exports available in SAP Ariba Supplier Risk to analyze and drill down into supplier risk. Client applications can also use SAP Ariba APIs to extract risk data from your site for use offline and in other applications. The engagement request area of the supplier 360 profile, which you can access by clicking in the Overall supplier risk panel, also includes an export option. This option exports a list of the supplier's engagement requests, controls, and issues to a Microsoft Excel file.
More Information:
• Exporting Data and Running Reports on Supplier Risk and Related Activities [page 307]
• Engagement Risk Information in a Supplier’s 360° Profile [page 106]
Configuration Prerequisites:
• For analytical reporting: Creating Analytical Reports
• For APIs: SAP Ariba APIs

Accessibility in SAP Ariba Supplier Risk

The SAP Ariba Supplier Risk user interface has accessibility features to enable people with special needs to access
content and perform various tasks.

SAP Ariba has enhanced the accessibility of SAP Ariba Supplier Risk with the goal of eventually reaching adherence
with the Web Content Accessibility Guidelines (WCAG). The accessibility features include keyboard shortcuts,
screen reader functionality, color contrast, and tooltips.

These accessibility enhancements include the following changes:

• User interface elements are accurately labeled to ensure the users know what information can be entered in
the fields.
• User interface pages have titles that describe the purpose of the page/topic, helping the users to navigate
through the application.
• Tooltips are available for the user interface elements such as icons and graphics.
• Page elements now meet minimum contrast settings, which help users with disabilities see different page
sections and controls more clearly.
• Screen readers can now recognize and read more information for user interface elements.
• You can choose Show results or Close results to see and close the search results when searching and
selecting regions, commodity, or department.

Screen Readers

SAP Ariba supports the following screen reader programs:

• JAWS from Freedom Scientific Inc.
• VoiceOver from Apple Inc.

Note

Other screen reader programs can work but aren't officially tested by SAP Ariba.

Pages

SAP Ariba continues to enhance the accessibility of SAP Ariba Supplier Risk with the goal of eventually reaching
adherence with the Web Content Accessibility Guidelines (WCAG).

Accessibility features are available on the following pages:

• Supplier Risk dashboard


• The create engagement requests pages
• Supplier risk administration pages

• Alert list
• Suppliers evaluated
• Engagement detail pages
• Risk summary
• Risk exposure pop-up windows
• Create Engagement Request
• Actions list page
• Controls list page
• Supplier Search with the active suppliers list

Keyboard Shortcuts

You can use the following keyboard shortcuts to navigate some of the user interface.

Keyboard Shortcuts Purpose

General Shortcuts

Tab To navigate to the next user interface element on the page.

Shift + Tab To navigate to the previous user interface element on the page.

Date Picker Shortcuts

Up arrow Moves the focus to the same day of the week but for the previous week.

For date pickers in engagement projects, use Tab.

Down arrow Moves the focus to the same day of the week but for the next week.

For date pickers in engagement projects, use Tab.

Left arrow Moves the focus to the previous day.

Right arrow Moves the focus to the next day.

Space bar or Enter Opens the date picker and selects the date.

Esc Closes the date picker.

Topics About Monitoring Overall Risk and Managing Alerts

Supplier Risk Dashboard [page 77]

Alert Monitoring Using the Alert List [page 80]

Natural Disaster Monitoring [page 82]

Filtering the Alert List [page 85]

Archiving Risk Alerts [page 86]

Sharing Risk Alerts [page 87]

Flagging and Sorting Risk Alerts [page 88]

Reporting One or More Adverse Media Risk Incidents for Feedback [page 89]

Managing Subscriptions to Risk Alerts for Specific Suppliers [page 90]

Configuring Risk Incident Severity Levels and Email Notifications [page 91]

Setting Up Email Notifications for Positive Incident Types [page 92]

Supplier Risk Dashboard


The Supplier Risk dashboard shows risk information for all of the suppliers you're following, with links to more
detailed information. It also shows risk assessment project information for all suppliers.

The Supplier Risk dashboard provides a high-level view of risk levels for your followed suppliers, to give you an
overall picture of the risk profile of your supplier base. You can use it as a starting point to identify and focus on
trends and recent activities of interest or concern. It includes several components:

• A Search bar, where you can search for all of your company's suppliers that have been added to SAP Ariba
Supplier Risk, whether or not you’re currently following (getting alerts for) them. In the search results, a green
check mark under the Follow column means you're following (getting alerts for) that supplier. A red X
means you aren't following (getting alerts for) that supplier. You can check the box to follow or unfollow a
supplier. By default, the suppliers listed here are active in SAP Ariba Supplier Management solutions. You can
filter this list to show inactive suppliers by selecting Inactive suppliers from the dropdown list labeled Active
suppliers. This displays inactive suppliers in the list and changes the dropdown label to Inactive suppliers.
• An Actions tile, visible if the action queue [page 124] feature is enabled in your site and if you have open
approvals, To Do tasks, or other actions for engagement projects that you're assigned to either as an individual
or as a member of a project group. Clicking on the Actions tile opens the action queue.
• A Controls tile, visible in sites in which the Action queue and periodic review of risk controls features are
enabled, shows the number of controls for which you belong to the decision maker group. Clicking on the
Controls tile takes you to the Controls list page [page 206], where you can see the expiration date, status, and
other information about each control. From there, you can open a control and work with it using the Control
details page [page 208].

• An Engagement Requests tile, which opens a page showing engagement requests and associated risk
assessments in risk assessment projects. This tile and page are only visible if your company uses these
projects and if you have permission to work with them. Depending on your permissions and your assigned roles
in individual risk assessment projects, you can either view or manage them [page 312] from this tile.
• A Findings tile [page 305], visible in sites set up to allow users to create findings rather than issues. This tile
shows the number of findings for which you are the creator or for which you have an assigned role.
• An Issues tile, which opens a page showing issues associated with engagement risk assessment projects at
either the engagement or assessment level. This tile and page are only visible if your company uses these
projects and if you have permission to work with them. You can view or manage [page 196] the issues you
created, are assigned, or have permission to edit from this link.
• A Suppliers evaluated tile, which opens a page listing active suppliers that have undergone risk evaluation.
The Suppliers evaluated page also includes a Suppliers available for risk evaluation tab, which displays a
table listing active suppliers that have met the minimum requirements to be eligible for risk evaluation but
haven't yet been submitted. The list can be filtered in the following ways:
• A dropdown list allows you to filter based on risk type. For example, if you filter by Financial, the list
includes all suppliers eligible for risk evaluation by the financial provider you have licensed, if any. The
default value in the dropdown is All risk types.
• In the table, you can click the Supplier column header to filter based on supplier names.
• Click the Export button to generate a spreadsheet listing the displayed supplier data.
You can submit suppliers for risk evaluation [page 94] from the Suppliers available for risk evaluation page.
• A Risk summary tile with a graph that shows the risk levels of your followed suppliers visually as a donut graph,
color-coded by risk level. Click a colored section of the donut to see a list of suppliers with the selected level of
risk. You can use the toggle controls to show or hide each risk level on the graph. For example, if most of your
suppliers are low risk, the sections of graph for the other levels might be small and hard to click. You can toggle
the low level off to hide it and make the other levels easier to see and click.
• A By risk category tile with a bar graph that shows risk exposure levels (high, medium, low) for your followed
suppliers by risk category. Hover over each risk category bar to see the number of your followed suppliers with
risk incidents at each risk exposure level in that category. Click on a risk category bar to open a popup that
shows the supplier's company name, risk exposure, the number of risk incidents for the supplier in that risk
category, and the risk exposure level.
• An Alert feed tile that shows your latest alerts. Click Go to alerts to see your full alert list [page 80].
• An interactive map, showing followed active suppliers, with these dropdown filters:

Note

The map and list of suppliers are collapsed by default. To expand the map, click the right-facing arrow
icon next to Show map on the dashboard.

Note

The interactive map on the Supplier Risk dashboard shows city names in different languages if you follow
suppliers from different regions. The languages come from the third-party provider, not your locale setting.

• A dropdown that allows you to specify one or more industries to display on the map. In addition to filtering
the map by industry, this dropdown also indicates the number of suppliers you have in each industry.
Industries in this list include industry name and NAICS code. If you select more than one industry, all
selected industries are reflected on the map. The number appearing in the dropdown label indicates how
many industries are selected. For example, if you select three industries in the dropdown, the dropdown
label changes to Industry (3).

• A dropdown that allows you to filter the map based on risk level. Only suppliers with the specified risk level
are displayed.
Risk levels are color coded as follows:

Color Description

White The country/region contains no relevant suppliers

Gray Risk is present in the country/region, but the level of risk is negligible

Blue Low risk

Yellow Medium risk

Red High risk

Color coding of map regions reflects the filters applied to the map. If the dropdown displays All risk types, the
color coding indicates exposure based on all risk types.

Note

If the parameter to remove WEF country/region risk [page 391] has been enabled, the map shows the
number of your active suppliers in each country/region instead of the country/region risk levels.

When you click Apply, the map displays the number of suppliers in the selected industry with the specified risk
level that are present in each country/region, based on what you selected in the dropdowns.
You can click on the map to zoom in, allowing you to view more specific geographical areas. At the most
specific levels, rather than displaying a number of suppliers, the map displays a pin for each supplier. Pins are
color coded to indicate risk level using the same color scheme as the map.
Clicking a supplier's pin on the map opens a popup describing that supplier. This popup includes the name and
location information for the supplier, potential risk exposure, and a link to the supplier 360° profile page.

• A supplier table located directly beneath the interactive map. This table lists information about the active
suppliers currently displayed on the map.

Note

This table isn't the same as the supplier search table that displays search results when you use the Search
bar. The supplier Search results displayed from the Search bar aren't tied to the interactive map.

The table under the interactive map includes each supplier's company name, location, the risk exposure for the
country/region, and the supplier's potential risk exposure, a supplier-specific risk exposure for the specified
industry. All columns can be filtered, and by default the table is organized according to risk exposure. If you
wish to submit one or more displayed suppliers for risk evaluation, you can check their checkboxes in the
Select column and then click Submit for risk evaluation at the foot of the table.

Note

You can also submit suppliers for risk evaluation from the supplier search page.

Note

The supplier's country/region rankings won't be in the columns under the map if the parameter to remove
WEF country/region risk [page 391] has been enabled.

You can click a supplier's name anywhere on the Supplier Risk dashboard to open the supplier's 360° profile and
see detailed risk information for that supplier. The supplier information includes alert trends and the factors that
contribute to the supplier's risk exposure, as well as enriched corporate information for the suppliers that have
been enriched with corporate profile data. The supplier search results include an Enriched column, which shows
a green check mark for suppliers with enriched corporate profile data and a red X for suppliers with no
enriched corporate profile data.

Note

Enriched corporate information is only available in the full SAP Ariba Supplier Risk solution.

In supplier search results, the supplier table below the interactive map, and the tiles of the Engagement Requests
area, you can perform the following actions:

• Sort the current list by clicking the column name.
• Filter the current list by clicking the filter icon in the column header and choosing one or more values.
• Export the current list to a Microsoft Excel file by clicking the Export link.

In the supplier search results and the table below the interactive map, you can submit suppliers for risk evaluation
by checking their Select checkboxes and then clicking Submit for risk evaluation.

Related Information

Risk Exposure Information in a Supplier’s 360° Profile [page 96]


Risk Incidents and Alert Trends in a Supplier’s 360° Profile [page 98]
Enriched Corporate Information in a Supplier’s 360° Profile [page 99]
Engagement Risk Information in a Supplier’s 360° Profile [page 106]
Custom Data in a Supplier’s 360° Profile [page 107]

Alert Monitoring Using the Alert List


The alert list displays all of the unarchived alerts for incident types and suppliers that you follow.

Note

The full list of languages in which adverse media articles are presented:

• Chinese (simplified)
• English
• French
• German
• Italian
• Korean
• Portuguese

• Russian
• Spanish

Note

Risk incidents from adverse media monitoring are maintained until they are 2 years old.

In order to see alerts for a supplier in the alert list, you must follow the supplier [page 90].

To access the alert list, click the Go to alerts link in the Alert feed tile on the Supplier Risk dashboard.

The alert list shows summary information, and allows you to open detailed information for each alert. You can filter
the list by supplier, severity, incident type, date range, location, and other criteria [page 85].

Note

SAP Ariba Supplier Risk gathers data, including articles, news reports, company information, and other third-
party content, from multiple public and private service providers. This data often includes either links to
third-party websites where the information is available or “inverse” links that bring the third-party data into SAP
Ariba Supplier Risk. SAP Ariba believes the sources of information to be reliable but has no control over any
aspect of these third-party sites, including accuracy, timeliness, products promoted, data collection policies, or
potential for distribution of computer viruses. SAP Ariba does not review content from third-party providers;
the information may contain errors and is provided to help with further research.

Alert Summaries

Alert summaries include the incident type, severity, risk category, the supplier's company name, location
information, an indicator for whether or not you've flagged the alert, the date of the last alert included in the
summary (Last update), whether the incident is positive or negative, and the number of alerts represented by the
summary (Count).

If a supplier has alerts for more than 1 incident type, those alerts are listed in separate lines on the list. You can see
all of a supplier's alerts by sorting the list by company name [page 88], or by filtering the list by company [page
85].

Incidents in the alert list are collapsed by default. You can expand an incident to see details about relevant articles
by clicking the right-facing arrow icon in the Details column for the desired incident. To collapse an expanded
incident, click its down-facing arrow icon in the Details column.

The Count column and the Risk summary in the Details on the alert list both include the number of times the incident
type is indicated for the current supplier. These could all refer to the same incident, or they could refer to multiple
incidents of the same type.

Alert Details

You view details of all of the alerts in an alert summary by clicking the right-facing arrow under the Details
column.

The Details include the articles from the Count column, the article date, the sub-incident within the incident type,
source of the article, language of the article, and a column that shows if feedback was reported.

If a new alert with the same incident type appears within 7 days of the most recent previous alert for a supplier, it's
added to the current alert summary. If more than 7 days go by and a new alert of the same incident type appears,
it's added to a new alert summary.
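The 7-day rule above is a sliding window: it is measured from the most recent alert in the summary, not from the first one, so a summary can span far more than a week. The following Python sketch is an added example, not SAP Ariba code; the function name, row fields, and sample data are assumptions made for illustration, and it reads "within 7 days" as including an alert that arrives exactly 7 days later.

```python
from collections import defaultdict
from datetime import date, timedelta

# Reading of the rule in the text: a new alert joins the current summary when
# it arrives within 7 days of the most recent alert already in that summary.
SUMMARY_WINDOW = timedelta(days=7)


def build_summaries(alerts):
    """Group (supplier, incident_type, alert_date) tuples into summary rows.

    Each row mirrors alert list columns the text names: supplier, incident
    type, Last update and Count. `first_alert` is added here (hypothetical
    field) to make the time span of a summary visible.
    """
    by_key = defaultdict(list)
    for supplier, incident_type, day in alerts:
        by_key[(supplier, incident_type)].append(day)

    rows = []
    for (supplier, incident_type), days in sorted(by_key.items()):
        current = None
        for day in sorted(days):
            if current is not None and day - current["last_update"] <= SUMMARY_WINDOW:
                # The window is measured from the latest alert, so it slides.
                current["last_update"] = day
                current["count"] += 1
            else:
                current = {
                    "supplier": supplier,
                    "incident_type": incident_type,
                    "first_alert": day,
                    "last_update": day,
                    "count": 1,
                }
                rows.append(current)
    return rows


# Constructed sample data; supplier names and incident types are placeholders.
SAMPLE_ALERTS = [
    ("Supplier A", "Labor strike", date(2024, 1, 1)),
    ("Supplier A", "Labor strike", date(2024, 1, 6)),
    ("Supplier A", "Labor strike", date(2024, 1, 12)),  # 6 days after Jan 6: same row
    ("Supplier A", "Labor strike", date(2024, 1, 25)),  # 13 days later: new row
    ("Supplier A", "Lawsuit", date(2024, 1, 3)),        # other incident type: own row
    ("Supplier B", "Labor strike", date(2024, 1, 6)),   # other supplier: own row
]

if __name__ == "__main__":
    for row in build_summaries(SAMPLE_ALERTS):
        print(row)
```

The first Supplier A row covers January 1 through January 12 with a Count of 3, even though its first and last alerts are 11 days apart.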

Related Information

Archiving Risk Alerts [page 86]


Sharing Risk Alerts [page 87]
Configuring Risk Incident Severity Levels and Email Notifications [page 91]
Managing Subscriptions to Risk Alerts for Specific Suppliers [page 90]
Alerts and Risk Exposure [page 11]
Risk Alert Incident Types [page 12]

Natural Disaster Monitoring


Natural disaster monitoring of earthquakes, floods, and tropical cyclones is provided by the Global Disaster
Alert and Coordination System (GDACS). GDACS is a default provider included for all SAP Ariba Supplier Risk
customers.

GDACS monitors 24 hours a day, 7 days a week.

SAP Ariba Supplier Risk monitors GDACS and sends alerts for natural disasters based on the event (earthquake,
flood, tropical cyclone), the location of the event, and the severity of the event.

While monitoring GDACS, SAP Ariba Supplier Risk identifies the impacted suppliers using geolocation. For
earthquakes, alerts are sent for any suppliers within 100 kilometers of the natural disaster. For floods and tropical
cyclones, a formula is used that involves the supplier's address and the event location.

GDACS natural disaster alerts appear in the Alert feed tile on the Supplier Risk dashboard and the alert list.

An email notification is sent at the time of the event to users following any impacted suppliers.

Tip

Adverse media monitoring is provided by default provider Semantic Visions, not GDACS.

Adverse media identifies risk incidents based on supplier activity reported in the news, not the geographic
location of the supplier.

Wild and forest fires are an example of a natural disaster event from adverse media monitoring, not GDACS.
If there's news from adverse media about a fire in a country/region and a supplier is mentioned in the article
related to the news, any user following that supplier receives an alert and/or an email notification in the 4:00
a.m. EST daily email notification.

For a detailed listing of the adverse media natural disaster incidents provided by Semantic Visions, filter the
risk alert incident types table [page 12] using the natural disaster incident type. The descriptions for the
natural disaster sub-incident types say if they're from GDACS. If the description doesn't mention GDACS, it's an
adverse media natural disaster.

Adverse media natural disaster alerts from Semantic Visions appear in the Alert feed tile on the Supplier Risk
dashboard and the alert list.

Adverse media uses the incident model for risk exposure calculation.

Adverse media incidents are contributing factors to all risk categories.

The natural disaster alerts from adverse media can be configured [page 91] like other adverse media incident
types.

Semantic Visions uses the address of the supplier that was provided when the supplier was imported into the
SAP Ariba Supplier Risk system. For enriched suppliers, adverse media uses the enriched legal name and the
Tradestyle names.

Note

Enriched corporate information is only available in the full SAP Ariba Supplier Risk solution.

Risk Exposure

Natural disasters from GDACS contribute to the supplier model for risk exposure calculation.

Natural disasters from GDACS are set as a contributing factor to risk exposure by default.

A Supplier Risk Manager user can choose to make GDACS natural disasters be a non-contributing factor to risk
exposure by removing the check mark for Natural disasters on the Data sources tab of the configuration editor.
For more information about the configuration editor, see Risk Exposure Configuration Interface.

If you make the GDACS events a non-contributing factor to risk exposure, the monitoring of natural disaster events
by GDACS will still continue. Users following suppliers who are affected by earthquakes, floods, or tropical cyclones
will continue to receive alerts in the Alert feed on the Supplier Risk dashboard, in the alert list, and by email
notification.

Natural disasters from GDACS are contributing factors to the operational category.

If the natural disaster alert impacts the supplier’s risk exposure, it appears in the supplier’s 360° profile on the Risk
exposure tab in the operational risk category.

GDACS natural disasters have a preset weight setting for the risk exposure. You can't change the weight setting.

The severity setting for GDACS alerts is provided by GDACS based on the severity of the natural disaster. You can’t
change the severity setting for GDACS alerts.

Table 2: GDACS Natural Disasters

Severity Setting     Time Since the Last Alert     Risk Exposure
High (red)           Less than 15 days ago         High
Medium (orange)      Less than 7 days ago          Medium
Low (green)          Less than 2 days ago          Low

The severity setting (high, medium, low) is the contributing factor. The risk exposure is determined by the severity
and the time since the alert from GDACS. For example, if a supplier has a red event less than 15 days ago, the risk
exposure for the event is high in the operational risk category and is a high risk.

If a disaster keeps generating more alerts after the event, the system looks back on all of the alerts generated (reds
less than 15 days, oranges less than 7 days, and greens less than 2 days) and uses the highest severity of the alerts
for the risk exposure.

If a disaster lasts 2 weeks, for example a hurricane, you'll receive red alerts daily. Since the event is less than 15
days, the risk exposure never changes. The risk exposure will lower if the event falls outside of the time frame and
the severity in the table. If the red event still exists after 13 days and the disaster changes from red to orange, the
status will still be red because the highest exposure is used. As soon as the red alert is more than 15 days, the event
will be orange, if no other red events happen for the hurricane between the 13 and 15 days.

SAP Ariba Supplier Risk counts the number of eligible red, orange, and green severities by event type (earthquake,
flood, tropical cyclone). If a red, orange, or green event takes place in the time frame listed in the table above, it
counts towards the risk exposure as a single event. For example, if the supplier had a red event take place 10 days
ago, it counts as 1 event. If the supplier had an orange event take place 5 days ago, it counts as 1 event. If the
supplier had a green event 5 days ago, it doesn’t count as an event because it was more than 2 days ago. For that
supplier, the GDACS contribution would be 1+1+0 = 2 events. The event type (earthquake, flood, tropical cyclone)
doesn't affect the risk exposure, only the severity setting of red, orange, and green.
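The lookback rule described above can be checked against exported alert data with a short script. This Python sketch is an added example, not SAP Ariba code: the class, function names, and sample timelines are constructed for illustration, the windows are treated as strict ("less than" per Table 2), and it assumes that alerts belonging to one disaster share an `event_id` so that a long-running storm counts as a single event.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Lookback windows from Table 2. An alert stays eligible only while its age
# is strictly less than the window for its severity.
LOOKBACK = {
    "red": timedelta(days=15),
    "orange": timedelta(days=7),
    "green": timedelta(days=2),
}
EXPOSURE = {"red": "High", "orange": "Medium", "green": "Low"}
RANK = {"green": 1, "orange": 2, "red": 3}


@dataclass(frozen=True)
class GdacsAlert:
    event_id: str      # assumption: alerts for one disaster share an id
    event_type: str    # "earthquake", "flood" or "tropical cyclone"
    severity: str      # "red", "orange" or "green"
    received: datetime


def eligible_alerts(alerts, now):
    """Alerts already received that are still inside their severity window."""
    return [
        a for a in alerts
        if timedelta(0) <= now - a.received < LOOKBACK[a.severity]
    ]


def gdacs_contribution(alerts, now):
    """Return (exposure, event_count) for one supplier at time `now`.

    Exposure follows the highest eligible severity, whatever the event type.
    event_count is the number of distinct disasters with at least one
    eligible alert. (None, 0) means no alert is inside its window.
    """
    live = eligible_alerts(alerts, now)
    if not live:
        return None, 0
    top = max(live, key=lambda a: RANK[a.severity])
    return EXPOSURE[top.severity], len({a.event_id for a in live})


def worked_example(now):
    """The case from the text: red 10 days ago, orange 5 days ago, green 5 days ago."""
    alerts = [
        GdacsAlert("eq-1", "earthquake", "red", now - timedelta(days=10)),
        GdacsAlert("fl-1", "flood", "orange", now - timedelta(days=5)),
        GdacsAlert("tc-1", "tropical cyclone", "green", now - timedelta(days=5)),
    ]
    return gdacs_contribution(alerts, now)


def hurricane_timeline(start):
    """Constructed storm: daily red alerts on days 0-12, daily orange on days 13-26."""
    alerts = [
        GdacsAlert("tc-2", "tropical cyclone", "red", start + timedelta(days=d))
        for d in range(13)
    ] + [
        GdacsAlert("tc-2", "tropical cyclone", "orange", start + timedelta(days=d))
        for d in range(13, 27)
    ]
    checkpoints = (14, 26, 27, 32, 33)
    return {
        day: gdacs_contribution(alerts, start + timedelta(days=day))
        for day in checkpoints
    }


if __name__ == "__main__":
    now = datetime(2024, 3, 20, 12, 0)   # constructed reference time
    print(worked_example(now))
    for day, result in hurricane_timeline(datetime(2024, 9, 1)).items():
        print(f"day {day}: {result}")
```

In the constructed storm, exposure stays High until the last red alert (day 12) turns 15 days old on day 27, drops to Medium while an orange alert is still under 7 days old, and clears on day 33.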

Notifications

Disaster alert notifications are sent within minutes of a natural disaster involving flood, earthquake, or tropical
cyclone, to users following suppliers in the affected country/region. These notifications are automatically sent and
users can’t choose to stop receiving them.

Note

Alert notifications aren't sent for low severity (green) natural disasters.

Alert notifications are based on the address of the supplier that was provided when the supplier was imported into
the SAP Ariba Supplier Risk system. The address must be their physical address for geolocation monitoring. Don’t
use a remit-to address or a post office box address, because it won’t provide accurate natural disaster information for the
supplier and the impact on the supply chain.

For enriched suppliers, the notifications are based on the address the supplier is enriched to for natural disaster
monitoring. For more information, see Imported Supplier Data and Risk Corporate Enrichment.

Note

Enriched corporate information is only available in the full SAP Ariba Supplier Risk solution.

Filtering the Alert List
Use these steps to filter the alert list by supplier, severity, incident type, date range, location, and other criteria.

Prerequisites

To access the alert list, click the Go to alerts link in the Alert feed tile on the Supplier Risk dashboard.

Context

The default filters on the alert list show all alerts updated in the last three months.

Procedure

1. On the Alerts tab, above the alert list, click Filters.

The area expands to show search filters for the alert list.
2. Choose or enter filter values.
3. Click Search.

Results

The alert list now only shows the alerts that match your filter values. To restore the list to the default filters, click
Reset.

Related Information

Alert Monitoring Using the Alert List [page 80]


Risk Alert Incident Types [page 12]
Managing Subscriptions to Risk Alerts for Specific Suppliers [page 90]
Configuring Risk Incident Severity Levels and Email Notifications [page 91]
Sharing Risk Alerts [page 87]
Flagging and Sorting Risk Alerts [page 88]
Archiving Risk Alerts [page 86]

Archiving Risk Alerts
Use these steps to move an alert from the Alerts list to the Archived alerts area.

Prerequisites

To access the alert list, click the Go to alerts link in the Alert feed tile on the Supplier Risk dashboard.

Context

When you've finished dealing with an alert, you can archive it so that it's no longer taking up space on your alert list.
Archiving an alert doesn't remove it from the supplier's risk exposure calculation.

Note

Risk alerts less than 60 days old are used in the supplier's risk exposure calculation. It doesn't matter if they're
in the alert list or the archive list. Once the alert is 60 days old, it's no longer included in the supplier's risk
exposure calculation.

Procedure

1. On the alert list, check the alerts that you want to archive.
2. Click Archive.

Results

The alert moves to the Archived alerts tab. To move archived alerts back to the alert list, in the Archived alerts
area, select them and click Unarchive.

Related Information

Alert Monitoring Using the Alert List [page 80]


Managing Subscriptions to Risk Alerts for Specific Suppliers [page 90]

Sharing Risk Alerts
Use these steps to share risk alerts with others by generating an email with links to selected alerts.

Prerequisites

To access the alert list, click the Go to alerts link in the Alert feed tile on the Supplier Risk dashboard.

Context

You share alerts at the summary level. For example, if an alert includes 5 alert details, the email you generate
includes all 5 of those links.

The email message that is automatically generated when you share alerts includes a default subject line, "<Your
user name> has shared following alert/s with you." You can edit this subject. You can also add comments, which
appear in the body of the email, above the alert links.

Procedure

1. On the alert list, check one or more alert summary lines.


2. Click Share.
3. Enter one or more valid email addresses for people you want to share the alert with, separated by commas.
4. (Optional) Edit the email subject line.
5. (Optional) Add comments.
6. Click Share.

Related Information

Alert Monitoring Using the Alert List [page 80]


Filtering the Alert List [page 85]
Flagging and Sorting Risk Alerts [page 88]
Managing Subscriptions to Risk Alerts for Specific Suppliers [page 90]
Configuring Risk Incident Severity Levels and Email Notifications [page 91]

Flagging and Sorting Risk Alerts
Use these steps to flag alerts that require special attention, and sort the alert list by any column, including flagged
alerts.

Prerequisites

To access the alert list, click the Go to alerts link in the Alert feed tile on the Supplier Risk dashboard.

Context

You flag alerts at the summary level. By default, alerts aren't flagged, and the flag icon to their left is black. If
the alert is flagged, the flag icon is red.

Procedure

1. On the alert list, perform one of the following actions to manage alert flags.

• Flag an unflagged alert by clicking its black flag icon.
• Unflag a flagged alert by clicking its red flag icon.
2. Sort the alert list based on the values in a column by clicking the column heading.

Related Information

Alert Monitoring Using the Alert List [page 80]


Risk Alert Incident Types [page 12]
Filtering the Alert List [page 85]
Managing Subscriptions to Risk Alerts for Specific Suppliers [page 90]
Configuring Risk Incident Severity Levels and Email Notifications [page 91]

Reporting One or More Adverse Media Risk Incidents for Feedback
Use these steps to report risk incidents for feedback.

Context

You can enter and report feedback for a specific risk incident (such as an adverse media incident that appears to be
questionable). Eligible incidents include all categories except Natural disaster. This feedback is then submitted to
the associated content provider(s) to influence how they capture/classify their risk events. Incidents reported for
feedback are marked with a green check mark, visible to users in your realm.

 Note

Feedback that was reported to the Adverse media feedback center is removed when it's 2 years old.

You can report feedback from any of the following incident lists:

• The alerts list reached by clicking Go to alerts


• The Risk incidents tab in the supplier 360° profile

Natural disaster incidents can't be submitted for feedback or made inactive. These incidents won't have a
selection checkbox.

Follow these steps to report feedback for one or more adverse media risk incidents.

Procedure

1. Navigate to an alerts list on the alert page or the supplier 360° profile Risk incidents tab.
2. Click the checkbox for any incidents you want to report for feedback.
3. Click Report feedback.
4. In the dialog, you can choose a reason for your feedback by clicking its checkbox. You can also enter a short
text comment. When you're finished entering your reasons, click Confirm.

Results

Incidents that you submit for feedback are marked in your alerts list with a green check mark, and they appear on
the Adverse media feedback center.

Related Information

Setting Risk Incidents Submitted for Adverse Media Feedback to Inactive

Managing Subscriptions to Risk Alerts for Specific Suppliers
Use these steps to manage your alert subscriptions by following or unfollowing alerts for specific active suppliers
by incident type. If you follow a supplier by checking it in the search results, you're automatically subscribed to all
alerts for the supplier; you can adjust those settings by managing your subscription.

Context

For each desired active supplier, a blue feed icon indicates that you're subscribed to risk alerts for the selected
incident type. A dark gray feed icon indicates that you're not.

You begin receiving alerts 24–48 hours from the date you start following a supplier.

Procedure

1. On the Supplier Risk dashboard, click the gear icon in the upper right, and then choose Customize
supplier alerts in the navigation area on the left.
2. In the incident type table, click an incident type.
3. Perform one of the following actions:

• To start getting alerts for the selected incident type for a supplier, check the box to the left of a supplier
with a dark gray feed icon.
• To start getting alerts for the selected incident type for all listed suppliers, check the box in the column
header.
• To stop getting alerts for the selected incident type for an individual supplier, uncheck the box to the left of
a supplier with a blue feed icon.
• To stop getting alerts for the selected incident type for all listed suppliers, uncheck the box in the column
header.
4. Click either Follow or Unfollow at the bottom of the page.
5. Click either Follow or Unfollow in the Confirm Update popup depending on the choice you made in the
previous step. You can also choose Cancel.

Related Information

Supplier Risk Dashboard [page 77]


Alert Monitoring Using the Alert List [page 80]
Filtering the Alert List [page 85]
Configuring Risk Incident Severity Levels and Email Notifications [page 91]

Configuring Risk Incident Severity Levels and Email Notifications
Use these steps to customize the severity level (High, Medium, or Low) for each risk incident type, or to
ignore the incident type. You can also choose to receive email notifications for the alerts.

Context

Each incident type has a default severity level [page 12], and email notifications are enabled for High and Medium
incident types by default.

Low severity settings aren’t included in alert email notifications.

Risk data providers don't set severity settings.

Alert severity settings don't influence risk exposure.

The severity settings provide alerts based on the specific setting of High, Medium, or Low. You'll only see the alerts
based on your alert settings.

Ignoring alerts for an incident type means that no alerts for this incident type appear on the Supplier Risk
dashboard or the alert list. They are listed on the Risk incidents tab in the supplier 360° profiles. If you want to see alerts
for an incident type for some suppliers but not others, you can also manage subscriptions to alerts for specific
suppliers [page 90].

If you change the alert severity settings, you see the alerts starting from the change date and going forward. Any
alert that was identified using the previous setting is still displayed at the alert severity setting that was configured
at the time the alert was reported. For example, if you receive incident alerts using a low severity setting and then
you change the severity to medium, you see both the low (previously reported) alerts and the new (as of the date of
change and going forward) medium alerts in the list of alerts. This is the only situation where you may see alerts for
the same supplier with different severity settings displayed in the user interface.

Procedure

1. On the Supplier Risk dashboard, click the gear icon in the upper right, then choose Configure alerts from
the navigation area on the left.

2. Perform one of the following actions:

• To continue seeing alerts for an incident type, but adjust their severity level, choose High, Medium, or Low.
• To stop seeing alerts for an incident type, choose Ignore.
• To start or stop receiving email notifications for alerts about an incident type, check or uncheck Receive
email.

 Note

Low severity alerts are not included in email notifications, but you can see them by clicking Go to alerts
in the Alert feed tile on the Supplier Risk dashboard.

Users automatically receive one daily email notification at 4:00 a.m. EST that summarizes the adverse
media alerts, licensed third-party provider evaluation updates, failure updates for third-party provider
Dun & Bradstreet licenses, and supplier compliance updates from the Risk Category Information API
for Supplier Risk Exposure, for suppliers they follow.

Related Information

Supplier Risk Dashboard [page 77]


Alert Monitoring Using the Alert List [page 80]
Risk Exposure Information in a Supplier’s 360° Profile [page 96]
Managing Subscriptions to Risk Alerts for Specific Suppliers [page 90]

Setting Up Email Notifications for Positive Incident Types
Use these steps to set up email notifications for positive incident types. By default, SAP Ariba Supplier Risk doesn't
provide email notifications for positive incident types.

Context

To receive email notifications for a positive incident type, follow these steps:

Procedure

1. On the Supplier Risk dashboard, click the gear icon in the upper right, then choose Configure alerts from
the navigation area on the left.

2. The Type column in the incident types list identifies each alert row as positive or negative. To receive email
notifications for a positive incident type, find its row in the table, and check Receive email.

 Note

• If the Receive email checkbox has previously been unchecked for one or more negative incident types,
you can turn email notifications back on by checking Receive email.
• Email notifications aren't sent for Low severity incident types. To receive email notifications for the
incident type, set its severity level to High or Medium by following the instructions in Configuring Risk
Incident Severity Levels and Email Notifications [page 91].
• Uncheck Receive email to turn off email notifications for an incident type.
• Incident types with an Ignore severity level aren't listed on the Supplier Risk dashboard or the alert
list, but they are listed on the Risk incidents tab in the supplier 360° profile. Check Receive email if you want to
receive email notifications for an incident type with an Ignore severity level.

Results

Users automatically receive one daily email notification at 4:00 a.m. EST that summarizes the adverse media
alerts, licensed third-party provider evaluation updates, failure updates for third-party provider Dun & Bradstreet
licenses, and supplier compliance updates from the Risk Category Information API for Supplier Risk Exposure, for
suppliers they follow.

Topics About Monitoring Risk for Individual Suppliers

Submitting Suppliers to a Provider for Risk Evaluation [page 94]

Risk Exposure Information in a Supplier’s 360° Profile [page 96]

Risk Incidents and Alert Trends in a Supplier’s 360° Profile [page 98]

Enriched Corporate Information in a Supplier’s 360° Profile [page 99]

Financial Information in a Supplier's 360° Profile [page 100]

Regulatory and Legal Information in a Supplier’s 360° Profile [page 104]

Engagement Risk Information in a Supplier’s 360° Profile [page 106]

Custom Data in a Supplier’s 360° Profile [page 107]

Exporting a Supplier's 360° Risk Profile as a PDF [page 108]

Supplier Status Active Versus Inactive [page 109]

Submitting Suppliers to a Provider for Risk Evaluation
Use these steps to request that a provider evaluate the risk level of one or more active suppliers.

Prerequisites

• The third-party provider must successfully complete the SAP Ariba certified partner program.
• Only active suppliers that aren't blocked for monitoring can be submitted for risk evaluation.
• Before you can submit a supplier to a provider for risk analysis, you must first obtain a license with that
provider and enter your licensing credentials in the SAP Ariba Supplier Risk self-licensing interface. View
Registering a Third-Party Provider License.
• Some providers might have additional requirements that must be completed on the supplier 360° profile
before risk evaluation can be requested. For example, a provider might require an external ID. The external ID
can be obtained from the provider. A user in the Supplier Risk Manager group can append the external ID to
the supplier 360° profile. View Appending External IDs to Supplier 360° Profiles for details.
• To submit suppliers for risk evaluation, you must be a member of the Supplier Risk Manager or Supplier Risk
User group.
• You must have registered a license with a third-party provider and submitted suppliers for evaluation to receive
evaluation update notifications.

Context

Third-party provider evaluation update notifications include the suppliers that were submitted to your licensed
providers for evaluation. Suppliers submitted to the third-party provider appear in notifications if they have
evaluation updates. Third-party provider evaluation notifications are on by default and can't be turned off.

Follow these steps to submit one or more suppliers to a provider for risk evaluation.

Procedure

1. Open a list of suppliers using one of the following methods:

• Use the supplier search page
• Manipulate the interactive map on the risk dashboard so that the supplier table contains the suppliers you
want
• Go to the provider information page and click Select Suppliers
• Go to the supplier 360° profile and open the tab for the desired risk category:
  • Financial
  • Environmental & Social
• Open the Suppliers available for risk evaluation tab on the Suppliers evaluated page
2. Check the checkbox next to each supplier you wish to submit for risk evaluation.

 Note

When submitting to EcoVadis, you can only submit 1 supplier at a time.

3. Click Submit for risk evaluation.


4. If your evaluation is about certain risk domains, you may have additional domain-specific steps, as follows:

• If your evaluation is from EcoVadis, you're prompted for additional information; fill out the dialog and click
OK.

Results

To check the status of your evaluation, click the Suppliers evaluated link on the main risk dashboard or open the
specific supplier 360° profile.

 Tip

Dun & Bradstreet (D&B) doesn’t return information for the supplier if the confidence score is less than 8. You
may see an empty score and an empty Not enough info field if the supplier you submitted for evaluation with
D&B has a confidence score less than 8. You can contact D&B support for this and all other issues regarding
D&B integration and errors.

When a supplier evaluation fails after submitting a supplier for a financial risk evaluation from Dun & Bradstreet
(D&B), the error message from D&B is shown on the Financial risk tab in the supplier 360° profile. D&B has several
error messages and the message will depend on the error. When the supplier information is updated, the supplier is
automatically resubmitted for evaluation.

Email notifications are automatically sent to the internal users who submit suppliers to Environmental & Social
third-party partners for risk analysis. Notifications are sent when suppliers are submitted for risk evaluation, when
supplier risk evaluation updates are received from the third-party provider, and when the supplier risk evaluation
submission fails. Only 1 email is sent per day and it includes all 3 types of notifications (submission, update, failure).

Users automatically receive one daily email notification at 4:00 a.m. EST that summarizes the adverse media
alerts, licensed third-party provider evaluation updates, failure updates for third-party provider Dun & Bradstreet
licenses, and supplier compliance updates from the Risk Category Information API for Supplier Risk Exposure, for
suppliers they follow.

Related Information

Risk Exposure Information in a Supplier’s 360° Profile [page 96]


Risk Incidents and Alert Trends in a Supplier’s 360° Profile [page 98]
Enriched Corporate Information in a Supplier’s 360° Profile [page 99]
Financial Information in a Supplier's 360° Profile [page 100]
Exporting a Supplier's 360° Risk Profile as a PDF [page 108]

Risk Exposure Information in a Supplier’s 360° Profile
The Risk exposure tab in the Risk area of a supplier's 360° profile displays risk exposure and alert trend
information, and any risk assessment project activity for the supplier.

The Risk exposure tab allows you to quickly assess the supplier's current risk exposure and see exposure trends in
different risk categories. It also highlights the most recent contributing factors for each category's risk exposure.

 Note

Positive incident types aren't shown on the Risk exposure tab.

Only custom fields that contribute to the risk exposure are shown on the Risk exposure tab. Non-contributing
custom fields aren't shown.

The Risk exposure tab shows:

• The supplier's overall Risk exposure, which is highlighted at the top of the tab. The overall risk exposure
combines the exposure in different risk categories based on your company's priorities and is a number
between 1 and 100, with 100 being the riskiest and 1 the least risky.
• A line chart that displays risk exposure trends over time for each of the four risk categories. This chart provides
a quick visual indicator of whether a supplier's risk level has changed drastically in a short period of time, is
deteriorating or improving steadily, or is consistent. A dropdown menu allows you to filter the chart by risk
exposure data for the last 30, 90, or 180 days.

 Tip

Dots on the chart lines represent category risk exposure data on specific dates. Hover your mouse over a
dot to see the exposure for each category on that date.

• Side-by-side columns that highlight key recent risk information in each category. The columns show:
  • The current risk exposure for each category. Unlike the supplier's overall risk exposure, category risk
  exposure can sometimes be 0 if there's no data for the category, or if the data results in an exposure of 0. For
  example, if the only data available for the Financial category is a count of 0 bankruptcies, the risk exposure
  for that category is 0.
  • Key contributing factors for each category's risk exposure. For example, the Regulatory & legal column
  shows counts for liens and lawsuits; the Financial column shows UCC filing count; and so on.
  • The most recent alerts for the category.

 Tip

Click on a contributing factor link to see more detailed information about it.

• The Engagement Requests area. This area is only visible to users who have permission to create engagement
requests or work with risk assessment projects. If you have those permissions, you can view and manage the
risk assessments associated with the supplier [page 120] in that area.

Related Information

Exporting a Supplier's 360° Risk Profile as a PDF [page 108]


Risk Incidents and Alert Trends in a Supplier’s 360° Profile [page 98]
Enriched Corporate Information in a Supplier’s 360° Profile [page 99]
About the Supplier 360° Profile

Risk Incidents and Alert Trends in a Supplier’s 360° Profile
The Risk incidents tab in the Risk area of a supplier's 360° profile displays the incidents that affect the supplier
and risk trend alerts.

The Risk incidents tab shows:

• An Incidents list that summarizes all of the supplier's risk incidents over the past 2 years. You can filter the
risk incidents to view all risk incidents, the last 30 days, the last 90 days, the last 180 days, or the feedback
reported. Each entry on the list is a summary of the individual incidents that occurred within a short time of
each other, and shows the number of detailed individual incidents it represents in parentheses. Click on any
summary incident to see its details. The Incidents list isn't based on your subscription settings, and shows all
incidents of all types for the supplier whether or not you're receiving alerts for them.

 Note

When a risk incident becomes 2 years old, it's removed from the Risk incidents tab on the supplier's 360°
profile.

• An Alerts area, which shows the alerts you've received for the supplier if you're following it. The alert
information in this area is based on your subscription settings [page 90] and doesn't show alerts for incident
types you've opted not to receive. This area includes:
  • A bar chart that shows alert trends by month, color-coded for severity level. This chart provides a quick
  visual indicator letting you know if there's a sudden or gradual change to the number of alerts a supplier
  is accumulating, and how severe they are. Click a color-coded area on a bar to see the number of alerts it
  represents. You can then examine the alerts list to learn more about the trend.
  • A summarized list of alerts by incident type, which you can expand or collapse by clicking the arrow to the
  left of the Alerts label. The list is collapsed by default. In the list, you can click each incident type to see the
  detailed list of alerts it represents, and click each alert to see the associated media article in full.

 Note

SAP Ariba Supplier Risk gathers data, including articles, news reports, company information, and other third-
party content, from multiple public and private service providers. This data often includes either links to
third-party websites where the information is available or “inverse” links that bring the third-party data into SAP
Ariba Supplier Risk. SAP Ariba believes the sources of information to be reliable but has no control over any
aspect of these third-party sites, including accuracy, timeliness, products promoted, data collection policies, or
potential for distribution of computer viruses. SAP Ariba does not review content from third-party providers;
the information may contain errors and is provided to facilitate further research.

Related Information

Risk Exposure Information in a Supplier’s 360° Profile [page 96]


Exporting a Supplier's 360° Risk Profile as a PDF [page 108]
Enriched Corporate Information in a Supplier’s 360° Profile [page 99]
Configuring Risk Incident Severity Levels and Email Notifications [page 91]

About the Supplier 360° Profile

Enriched Corporate Information in a Supplier’s 360° Profile
The Enriched corporate info tab in the Risk area of a supplier's 360° profile displays detailed information about
the supplier, including diversity information, corporate structure, and the supplier's country/region rankings.

 Note

Enriched corporate information is only available in the full SAP Ariba Supplier Risk solution.

The information on this tab is enriched, meaning that SAP Ariba Supplier Risk matches the supplier to several
different sources of information to provide more detailed corporate information. This information is displayed in
three areas on the Enriched corporate info tab:

• General shows information about the supplier such as legal name and address, bankruptcy indicators, number
of employees, revenue, industry, and diversity indicators.
• Family Tree shows a chart of the supplier's corporate structure and legal name and address information for the
supplier's headquarters, domestic ultimate parent company, and global ultimate parent company. Hover over
any company in the family tree chart to see that company's state, city, and country/region.
• Country/Region profile shows World Economic Forum (WEF) rankings for the supplier's country/region in
categories such as market size, infrastructure, market efficiency, and technological readiness. You can click the
links at the bottom of this area to view the reports on which the rankings are based.

 Note

The WEF information is updated annually and represents information collected from the previous year.

 Note

There won't be any WEF rankings for the supplier's country/region if the parameter to remove WEF
country/region risk [page 391] has been enabled.

To see when the information on this tab was last updated, click the Enrichment History link. If a supplier
couldn't be matched to enriched corporate information, the Enriched corporate information tab shows little to no
information and the enrichment history indicates that the supplier hasn't been enriched.

 Note

SAP Ariba Supplier Risk gathers data, including articles, news reports, company information, and other third-
party content, from multiple public and private service providers. This data often includes either links to
third-party websites where the information is available or “inverse” links that bring the third-party data into SAP
Ariba Supplier Risk. SAP Ariba believes the sources of information to be reliable but has no control over any
aspect of these third-party sites, including accuracy, timeliness, products promoted, data collection policies, or
potential for distribution of computer viruses. SAP Ariba does not review content from third-party providers;
the information may contain errors and is provided to facilitate further research.

Related Information

Risk Exposure Information in a Supplier’s 360° Profile [page 96]


Exporting a Supplier's 360° Risk Profile as a PDF [page 108]
Risk Incidents and Alert Trends in a Supplier’s 360° Profile [page 98]
About the Supplier 360° Profile

Financial Information in a Supplier's 360° Profile


The Financial risk tab in the Risk area of a supplier's 360° profile displays detailed information about the supplier's
financial risk exposure.

 Tip

Dun & Bradstreet (D&B) doesn’t return information for the supplier if the confidence score is less than 8. You
could see an empty score and an empty Not enough info field if the supplier you submitted for evaluation with
D&B has a confidence score less than 8. You can contact D&B support for this and all other issues regarding
D&B integration and errors.

Users automatically receive one daily email notification at 4:00 a.m. EST that summarizes the adverse media
alerts, licensed third-party provider evaluation updates, failure updates for third-party provider Dun & Bradstreet
licenses, and supplier compliance updates from the Risk Category Information API for Supplier Risk Exposure, for
suppliers they follow.

The supplier level details are included in the supplier's risk profile PDF export and the Licensed Provider Summary
report.

The data elements that contribute to the risk exposure and appear on the Risk exposure tab of the supplier 360°
profile influence the risk exposure until you change those data elements in the configuration editor, or disable D&B
as a third-party licensed provider.

With the D&B licensed provider integration, D&B continues to monitor a supplier once the supplier is submitted for
evaluation until your contract with D&B expires. The D&B information about the supplier is automatically updated
in the supplier profile.

 Note

When the third-party provider license with Dun & Bradstreet expires, the authorization check fails and an error
message from D&B is shown on the Dun & Bradstreet page in the Content and service providers area on the
Supplier risk administration page. After the license credentials have been updated, D&B begins monitoring
the supplier again.

The Financial risk tab shows:

• Financial risk exposure levels with the following information:


• The overall financial risk exposure level of high, medium, or low for the supplier.
• The external ID for the supplier.
• A chart that shows the financial risk exposure level trend. The chart is based on the choices you make in
the dropdowns for financial risk type and time period.
SAP Ariba Supplier Risk has the time range options of 180 days, 90 days, and 30 days for viewing data
once the data is sent by D&B.

 Note

SAP Ariba Supplier Risk doesn't delete financial data. It's always displayed in the supplier 360° profile.
However, after 180 days it disappears from the graph on the financial tab in the supplier's 360° profile.
The table on the right side of the graph is still displayed.

The financial risk types can include:


• Supplier Evaluation Risk (SER) Rating uses a 1–9 rating that represents the probability a company
will obtain legal relief from creditors or stop operations without paying creditors in full over the next
12 months. A rating of 1 indicates that the probability is small. A rating of 9 indicates the probability is
high. An SER Rating is used as a substitute for the Financial Stress Score (FSS).
• Supplier Stability Index (SSI) uses a 0–10 rating that represents the probability a supplier will
experience significant financial stress over the next 90 days. A rating of 0 indicates the probability is
small. A rating of 10 indicates the probability is high. SSI is used primarily as a complement to the SER
Rating.
• D&B Rating text describes the estimated financial strength and composite credit appraisal assigned to
the subject at the time of the last update.
• D&B Paydex uses a 0–100 rating that is a numeric index assessing the payment performance of
a company. It's derived from a monetary-weighted average of a company's combined individual
payment experiences. Higher values represent companies that pay their bills more promptly. The
numeric index is based on the past 24 months of trade experiences.

• Financial Stress Score National Percentile uses a 1–100 rating that represents the probability that
the company will seek legal relief from creditors or stop operations without paying all of its creditors in
full in the next 12 months. Higher ratings indicate a lower probability of failure.
• A table that shows the financial risk types and the supplier's risk exposure levels for the risk types, based
on the last updated date shown at the top of the list.
• Additional risk information from Dun & Bradstreet (D&B):
• DUNS number for the supplier
• Supplier Evaluation Risk (SER) commentary
• Supplier Stability Indicator (SSI) commentary
• Financial Stress Score (FSS) commentary
• Business legal structure
• Family tree member role
• Out of business indicator
• D&B rating
• SSI failure rate
• FSS score
• FSS risk incidence percentage
• Risk incidents with the following information:
• A link to the article in the title about the incident
• Article date
• Sub-incident type
• Source of the article
• Language of the article
• Feedback reported
• Submit supplier for risk evaluation button.

 Note

When a supplier evaluation fails after submitting a supplier for a financial risk evaluation from Dun &
Bradstreet, the error message from D&B is shown at the top of the Financial risk tab in the supplier 360°
profile. D&B has several error messages and the message will depend on the error. When the supplier
information is updated, you can resubmit the supplier for evaluation.

Related Information

About the Supplier 360° Profile


Submitting Suppliers to a Provider for Risk Evaluation [page 94]
Editing a Supplier's External ID
Running the Licensed Provider Summary Report
Exporting a Supplier's 360° Risk Profile as a PDF [page 108]

Regulatory and Legal Information in a Supplier’s 360° Profile
The Regulatory & legal tab in the Risk area of a supplier's 360° profile displays detailed compliance information
about the supplier's regulatory and legal risk exposure.

Note

The sanction and watchlist information on this tab comes from the Risk Category Information API for Supplier
Risk Exposure.

Users automatically receive one daily email notification at 4:00 a.m. EST that summarizes the adverse media
alerts, licensed third-party provider evaluation updates, failure updates for third-party provider Dun & Bradstreet
licenses, and supplier compliance updates from the Risk Category Information API for Supplier Risk Exposure, for
suppliers they follow.

Compliance Indicators

The compliance violations found for the supplier.

• Sanctions and Watchlists tells you if a sanction or watchlist was found for the supplier. The status can be one
of the following:
  • Violation found means the supplier was screened and a sanction or watchlist violation was found. This
  status impacts risk exposure with High weight.

  Note

  By default, the risk exposure override is set to Overall risk exposure for Sanction and Watchlist, and
  the weight is set to High. If the supplier has a sanction or watchlist violation, the risk exposure and the
  regulatory and legal risk category are both set to 100 on the supplier's Risk exposure tab in the supplier's
  360° profile.

  • Violation not found means the supplier was screened but no violation was found. There’s no impact to risk
  exposure.
  • Violation expired means the violation no longer exists. The risk exposure should no longer be impacted by
  the violation.
  • Not screened means your organization hasn't screened the supplier for compliance violations. There’s no
  impact to risk exposure.
• Screened At is the date the supplier was checked for compliance data.

Evidence

Information supporting the compliance violations.

• Provider is the name of the provider of the compliance data for the supplier. Your provider can have evidence
data from multiple sources.
• Source is the origin of the evidence about the supplier. For example, when multiple articles support the
evidence about the supplier, only the most relevant source is shown. You can use the
information in the source to find articles from other sources.
• Indicator is the compliance violation, for example, a sanction or watchlist.
• Penalty amount is the currency amount of any penalty applied to the supplier for the violation.
• Start Date is the date the compliance violation started.
• End Date is the date the compliance violation ended.

Related Information

About the Supplier 360° Profile

Engagement Risk Information in a Supplier’s 360° Profile
The Engagement requests tab in the Risk area of a supplier's 360° profile displays engagements, risk controls, and
issues for the supplier. Optionally, it can show overall inherent and residual risk for the supplier based on the ratings
for engagements.

To access the Engagement requests tab of the supplier 360°, you must belong to one of the following user groups:

• Supplier Risk Engagement Expert
• Supplier Risk Engagement Governance Analyst
• Supplier Risk Manager

The Engagement requests tab shows:

• Overall inherent risk and Overall residual risk for the supplier, if your site is configured to calculate them.
These ratings can change each time the inherent or residual risk for an engagement changes, or when an
engagement is canceled or archived, because engagements are the source of the overall supplier values. The
Last Updated date next to each rating indicates how recently such a change occurred.

• Engagement requests shows a list of the active (not canceled or archived) engagements for this supplier.
• Risk controls shows a list of shared (vendor- or service-level) risk controls required by engagements for this
supplier.
• Issues shows a list of issues associated with engagements or controls for this supplier.

Related Information

About the Supplier 360° Profile

Custom Data in a Supplier’s 360° Profile
The Custom data tab in the Risk area of a supplier's 360° profile displays the custom fields for each risk category,
the risk exposure level for the risk category, and whether the custom field is contributing to the risk exposure.

All custom data for the supplier is displayed on the Custom data tab.

The custom fields can have URLs, notes, and sources as optional additional information.

Custom fields can be configured to contribute to the risk exposure for the chosen risk category, or left as
information only, without contributing to the risk exposure.

If the custom field value has been configured with weight for risk exposure, it's displayed in the supplier's 360°
profile on the Risk exposure tab. Custom fields that don't contribute to the risk exposure aren't displayed on the
Risk exposure tab; they are displayed on the Custom data tab.

Note

All fields must be mapped in the configuration editor to be included in the risk exposure calculation for the
supplier. Any eligible field with missing configuration is ignored and doesn't contribute to the risk exposure.

The Custom data tab shows:

• Risk category lists the custom fields that have been mapped to that risk category for the supplier.
• Risk exposure is the exposure for all contributing factors, including the custom fields, in that risk category.

Each risk category can be expanded to show:

• The Name of the custom field. This name is the same as the Display name in the Field configurations tab of the
configuration editor.
• The Value that is allowed for the type of custom field such as URL, free text, date, numeric, and text. If the
value has been configured with weight for risk exposure, it's displayed in the supplier's 360° profile on the Risk
exposure tab.
• Update date is the date the custom field information was last updated.
• URL is a link used as data for the custom field value.
• Notes are free text used as data for the custom field value.
• Source is the provider of the data used for the custom field value.
• Contributing has a green check mark if the custom field is contributing to the supplier's risk exposure. You can
view the custom field in the supplier's 360° profile on the Risk exposure tab. A red X means the custom field
isn't contributing to the supplier's risk exposure and the field is informational only.

Related Information

Risk Exposure Information in a Supplier’s 360° Profile [page 96]


Setting Values and Risk Exposures for Fields
Supplier Risk Custom Fields Import File Format
Risk Category Information API for Supplier Risk Exposure
Running the Risk Category Information API Report
About the Supplier 360° Profile

Exporting a Supplier's 360° Risk Profile as a PDF


Use these steps to export a supplier's 360° risk profile as a PDF file in order to view it offline or send it as an email
attachment.

Context

The supplier risk profile PDF contains information from all of the tabs and areas in the Risk tile of the supplier 360°
profile.

Procedure

1. On the supplier's 360° profile, if you aren't already in the Risk area, click Risk in the navigation bar.
2. Click the Risk exposure tab.
3. In the top right area of the tab, click Export Risk Profile.
4. Save the exported PDF file to the location of your choice.

Related Information

Risk Exposure Information in a Supplier’s 360° Profile [page 96]


Risk Incidents and Alert Trends in a Supplier’s 360° Profile [page 98]
Enriched Corporate Information in a Supplier’s 360° Profile [page 99]
About the Supplier 360° Profile

Supplier Status Active Versus Inactive


Suppliers that are inactive in SAP Ariba Supplier Management solutions aren't eligible for most SAP Ariba Supplier
Risk supplier functions.

Suppliers that are inactive in SAP Ariba Supplier Management solutions no longer appear in the list of followed
suppliers or on the map view, and they don't generate alert notifications on the dashboard, map view, or supplier
list. These suppliers are no longer eligible for submission to a third-party provider for risk evaluation, and they
aren't considered in risk exposure calculations from contributing factors.

You can choose to display active suppliers or inactive suppliers by selecting from a dropdown in the supplier list
page Filters section. When active suppliers are displayed, this dropdown is labeled Active suppliers; when inactive
suppliers are displayed, it's labeled Inactive suppliers. By default, active suppliers are displayed.

Topics About Managing Control-Based Engagement Risk Assessment Projects

About Risk Controls in SAP Ariba Supplier Risk [page 112]

About the Basic Approval Workflow for Control-Based Engagement Risk Assessment Projects [page 114]

The Control-Based Engagement Risk Assessment Process [page 114]

The Issue Management Process for Risk Controls and Control-Based Engagement Risk Assessment Projects
[page 117]

Viewing and Managing Control-Based Engagement Risk Assessment Projects [page 120]

About requesters, project owners, and members of the Project Owner and Change Request Owners project
teams [page 133]

About Residual Risk for Control-Based Engagement Risk Assessments [page 136]

About Inherent Risk in Control-Based Engagement Risk Assessment Projects [page 138]

About Inherent Risk (Commodity) for Control-Based Engagement Risk Assessment Projects [page 139]

Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140]

Creating a New Engagement Request Triggered by a Non-Catalog Purchase Requisition [page 144]

Linking an Existing Engagement Request to a Non-Catalog Purchase Requisition [page 146]

How to Upgrade an Engagement Project to the Latest Template Version [page 148]

How to Change the Project Owner on the Engagement Page of a Control-Based Engagement Risk Assessment
Project [page 150]

How to Manage Team Membership of the Project Owner Group in a Control-Based Engagement Risk
Assessment Project [page 152]

Viewing and Managing Your Tasks for an Engagement Risk Assessment Project [page 154]

How to Manage Team Membership of the Change Request Owners Project Group [page 156]

How to Add Approvers for a Control-Based Engagement Request or Engagement Risk Assessment Project
[page 158]

How to Approve or Deny a Request for a Control-Based Engagement Risk Assessment [page 159]

How to Change the Supplier Contact on the Engagement Page (Simple Workflow) [page 161]

How to Edit an Engagement Request for a Control-Based Engagement Risk Assessment (Simple Workflow)
[page 162]

How to Edit an Engagement Request for a Control-Based Engagement Risk Assessment (Advanced Workflow)
[page 163]

About Editing a Previously Submitted Engagement Request (Advanced Editing Only) [page 165]

About Working with an Engagement While Updates Are in Process [page 169]

Managing an Engagement After an Update Processing Error [page 172]

Canceling an Engagement Request for a Control-Based Engagement Risk Assessment (Simple Workflow)
[page 174]

Canceling an Engagement Request for a Control-Based Engagement Risk Assessment (Advanced Workflow)
[page 175]

Sending Assessment Questionnaires for a Control-Based Engagement Risk Assessment Project (Simple
Workflow) [page 177]

Sending Assessment Questionnaires for a Control-Based Engagement Risk Assessment Project (Advanced
Workflow) [page 180]

How to Complete an Internal Assessment for a Control-Based Engagement Risk Assessment Project [page 184]

Requesting an Update or Changing the Recipient for a Modular Questionnaire [page 185]

How to Approve or Deny an Internal Assessment Questionnaire for a Control-Based Engagement Risk
Assessment Project [page 187]

How to Assign or Reassign a Control Review or Questionnaire To Do Task for an Engagement [page 188]

How to Fill Out and Submit a Supplemental Engagement Questionnaire [page 191]

How to Approve or Deny a Supplemental Engagement Questionnaire [page 193]

How to Raise an Issue for a Control-Based Engagement Risk Assessment or One of Its Risk Controls [page 194]

How to Define, Analyze, or Resolve an Issue for a Control-Based Engagement Risk Assessment [page 196]

How to Manage Team Membership of the Assignee Project Group in an Issue Management Project [page 199]

How to Add Approvers or Reviewers for an Issue in a Control-Based Engagement Risk Assessment Project
[page 201]

How to Change the Residual Risk of a Control-Based Engagement Risk Assessment Project [page 202]

How to Approve or Deny a Control-Based Engagement Risk Assessment Project [page 204]

Topics About Managing Risk Controls [page 205]

Topics About Processing an Engagement Change Request [page 234]

How to Cancel the Post-Project Approval Phase of a Control-Based Engagement Risk Assessment Project
[page 249]

Topics About Processing a Periodic or Ad Hoc Review for an Engagement [page 250]

How to Archive a Control-Based Engagement Risk Assessment Project (Simple Workflow) [page 262]

How to Archive a Control-Based Engagement Risk Assessment Project (Advanced Workflow) [page 263]

How to Cancel Archiving of a Control-Based Engagement Risk Assessment Project [page 265]

Copying a Control-Based Engagement Risk Assessment Project to Create a New Engagement Request
[page 266]

Control-Based Engagement Risk Assessment Status Flow [page 267]

How to Run the Risk Control Summary Report [page 272]

How to Run the Engagement processing error report [page 274]

Analytical Reporting for Control-Based Engagement Risk Assessment Projects [page 275]

About Risk Controls in SAP Ariba Supplier Risk
Risk controls define the standards and methods your organization uses to control risk. In SAP Ariba Supplier Risk,
risk controls determine important parts of the process that your organization uses to assess the manageability or
acceptability of the risk of engaging with different suppliers and third parties.

Note

Behavior concerning review of risk controls depends on your site's configuration for levels of
risk control effectiveness: the value of parameter Expanded levels of risk control effectiveness
(Application.SR.Engagement.ExpandedLevelsOfRiskControlEffectiveness), introduced with
optional feature ARI-9766.

• If No, risk control decisions can be Effective or Ineffective, so an effective risk control is one for which the
review decision is Effective.
• If Yes, there are five possible levels, ranging from Completely effective to Completely ineffective. In
this case, an ineffective control is one with a review decision of Completely ineffective. A risk control is
considered to be at least somewhat effective if the review decision is any of the other four values.

The commodities, regions, and departments involved in an engagement help determine its applicable controls.
Depending on your organization's setup, the engagement's materiality, criticality, and potential for outsourcing
might also play a part in determining its applicable controls. Controls can be relatively general (for example,
a control for IT engagements in all regions for all departments) or specific (for example, a control for critical
IT engagements in Germany that involve the IT department and require physical access to a data center). In
control-based engagement risk assessment projects, controls include several important components that drive the
risk assessment process:

• Required assessments: Controls always include at least one questionnaire that is designed to assess whether
or not the potential risk is manageable or acceptable. One control can include multiple questionnaires;
conversely, multiple controls can use one questionnaire. For example, your organization might have different
controls for HR services in different regions. Each control might include the same general questionnaire to
assess adherence to your general HR standards and practices, and different questionnaires for each region to
assess compliance with local regulations.
• Control effectiveness reviews: Controls require review by a designated decision maker. During the review,
the decision maker reviews the answers to the associated assessment questionnaires and evaluates the
effectiveness of the control. Decision makers are assigned to specific controls and have the domain expertise
necessary to render these judgments.
• Requirements for new control reviews based on control types: Each control has a type that determines how
frequently, and in what circumstances, it requires review in a specific engagement risk assessment project
where a specific supplier is selected. These types allow your organization to maintain strict controls for some
kinds of engagements and looser controls for others, and to fast-track suppliers that already have one or more
effective controls in new engagements with similar characteristics. The three types of controls are:
  • Vendor-level: a control that applies generally to a supplier. If a decision maker marks a vendor control
  as effective for a supplier, it continues to be effective for that supplier in subsequent engagement risk
  assessment projects without additional review. A decision maker only needs to re-review a vendor control
  for the same supplier if it was previously marked effective but the control review decision or one of its
  underlying questionnaires is expiring or has expired.
  • Engagement-level: a control that applies to a specific, individual engagement. A decision maker always
  reviews an engagement-level control in every engagement risk assessment project.
  • Service-level: a control that applies to a supplier for specific commodities or services. Decision makers
  enter an effectiveness decision for each individual service in the engagement. If a decision maker marks a
  control as effective for a service, it continues to be effective in subsequent engagement risk assessment
  projects for the same supplier without additional review. A decision maker needs to re-review a
  service-level control for the same supplier-service combination either if it was previously marked effective but the
  control review or one of its underlying questionnaires is expiring or expired, or if the current engagement
  risk assessment project includes at least one different service to which the control applies. In the latter
  case, the decision maker only reviews the new services. For example, if a control applies to services A, B,
  and C, and a decision maker marked it as effective for services A and B in a previous engagement, and there
  is a new engagement risk assessment project for the same supplier with services B and C, the decision
  maker reviews C for the new engagement.
Multiple active engagement risk assessment projects can require the same control, and decision makers can
review a shared control in any engagement where it is pending. The other projects that share the control then
show the same effectiveness decision.

Tip

Decision makers might also be able to review controls using the Controls tile (all controls under
their responsibility) or the Action queue (the subset currently requiring review due to engagement
activity or control review expiration). These options are available in sites where the parameters
Enable control review workflow (Application.SR.Engagement.EnableControlReviewWorkflow)
and Enable action queue (Application.SR.Engagement.EnableActionQueue) are set to Yes.

Expiration of control review decisions for shared (engagement- or vendor-level) controls depends on whether
the Enable control review workflow parameter is enabled in your site.
• Enable control review workflow set to No: A review decision for a shared control requires re-review when
one of its underlying assessments is expiring or has expired.
• Enable control review workflow set to Yes: The expiration date for a control review decision defaults to the
earliest expiration date amongst its underlying assessments. A decision maker for the control can also set
the decision's expiration date manually.
If your site is set up to support engagement risk assessment projects with no supplier selected, all applicable
controls require a new review in each engagement risk assessment project that does not specify a supplier
regardless of the control type.
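
The following Python model is an added illustration, not SAP Ariba code: it works out which controls are open for a new engagement under the rules above for vendor-, engagement-, and service-level controls, and computes the default expiration of a review decision. It assumes the two-level Effective/Ineffective setting and a hypothetical 30-day window for "expiring"; the supplier and control names are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: the guide does not say how close to its expiration date a
# decision counts as "expiring"; 30 days is an assumed value.
EXPIRING_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Control:
    name: str
    level: str                         # "vendor", "engagement" or "service"
    services: frozenset = frozenset()  # services a service-level control covers


@dataclass(frozen=True)
class Decision:
    effective: bool                    # two-level model: Effective / Ineffective
    expires: Optional[date] = None     # None means the decision never expires


def decision_expiry(assessment_expiries, manual=None):
    """Expiration of a review decision when the control review workflow is on:
    the earliest expiration among the underlying assessments, unless the
    decision maker set a date manually."""
    if manual is not None:
        return manual
    dated = [d for d in assessment_expiries if d is not None]
    return min(dated) if dated else None


def carries_over(decision, today):
    """True if an earlier decision lets the control skip review this time."""
    if decision is None or not decision.effective:
        return False                   # never assessed, or not marked effective
    if decision.expires is None:
        return True
    return decision.expires - today > EXPIRING_WINDOW  # not expiring or expired


def open_reviews(controls, engagement_services, supplier, history, today):
    """List the (control name, service) pairs that need a review.

    history maps (supplier, control name, service or None) to a Decision;
    service is None for vendor- and engagement-level controls.
    """
    pending = []
    for control in controls:
        if control.level == "service":
            # Decisions are entered per service, only for services in scope.
            targets = sorted(control.services & set(engagement_services))
        else:
            targets = [None]
        for service in targets:
            if supplier is None or control.level == "engagement":
                # No supplier selected: everything is open, whatever the type.
                # Engagement-level controls are reviewed in every project.
                pending.append((control.name, service))
            elif not carries_over(
                history.get((supplier, control.name, service)), today
            ):
                pending.append((control.name, service))
    return pending


# Constructed sample data (hypothetical supplier and control names).
TODAY = date(2024, 1, 15)
CONTROLS = [
    Control("data-center-access", "service", frozenset({"A", "B", "C"})),
    Control("hr-standards", "vendor"),
    Control("site-visit", "engagement"),
]
HISTORY = {
    ("ACME", "data-center-access", "A"): Decision(True, date(2025, 1, 1)),
    ("ACME", "data-center-access", "B"): Decision(True, date(2025, 1, 1)),
    ("ACME", "hr-standards", None): Decision(True),
}

if __name__ == "__main__":
    # The guide's own case: effective for A and B, new engagement with B and C.
    print(open_reviews(CONTROLS, {"B", "C"}, "ACME", HISTORY, TODAY))
    # Same engagement with no supplier selected: every control is open.
    print(open_reviews(CONTROLS, {"B", "C"}, None, HISTORY, TODAY))
```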

Related Information

The Control-Based Engagement Risk Assessment Process [page 114]


Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140]
Setting Up Control Review Workflow
How to Review a Pending Control for Effectiveness Using the Control Review Page [page 228]
How to Review a Pending Control for Effectiveness Using the Control Details Page (Two Levels) [page 215]
Using the Controls List Page [page 206]

About the Basic Approval Workflow for Control-Based Engagement Risk Assessment Projects
The basic approval workflow automatically identifies engagements that have no controls and therefore only
require a basic approval workflow. The basic approval workflow includes only the phase for engagement request
approval, bypassing the send assessments, evidence collection, control review, and final project approval phases,
to streamline the workflow for these engagements.

A control-based engagement risk assessment has no controls when the engagement request business details or
answers to the inherent risk screening questions don't require controls.

The basic approval workflow starts with an engagement request that has no controls. The engagement request is
flagged in the system to use the basic approval workflow, which requires only the Request Approval phase. After
completing the Request Approval phase, the engagement request moves immediately to Completed status.

If you use the basic approval workflow, only Copy and Archive are available in the Action menu on the engagement
page after the engagement reaches completed status. Any other template-configured post-project approval tasks
aren't available for basic approval engagements.

See Require only basic approval for engagement projects with no controls [page 398] for more information on the
basic approval workflow.

The Control-Based Engagement Risk Assessment Process
Control-based engagement risk assessment projects provide a process for evaluating the desirability of engaging
with a supplier or other third party, assessing the potential risks using your organization's standard risk controls.
Your organization can then determine whether to undertake the engagement, and what degree of monitoring might
be necessary.

Some engagements might not need a risk assessment. Others, such as consulting engagements that involve
access to confidential information or company networks or facilities, or outsourcing engagements that involve
goods and services that are critical to your organization's operations, might require stringent risk assessments.

A control-based engagement risk assessment project involves the following stages.

1. Requesting the engagement and identifying the applicable risk controls: A user in your company who
wants to engage with a supplier or other third party creates an engagement request. The engagement request
includes the following four steps:
   1. Business Details, where the requester fills out a business details questionnaire to provide basic
      information such as the request title and the commodities, regions, and departments involved. The
      business details questionnaire might also include questions about the criticality, materiality, or outsourcing
      impact of the engagement.
   2. Inherent Risk Screening, where the requester fills out a screening questionnaire that determines which
      risk controls and assessment questionnaires are required for assessing the engagement's risk. The
      answers to questions in the business details questionnaire determine some of the questions included
      in the inherent risk screening, and the answers to those conditional questions in the inherent risk screening
      determine the required risk controls.
   3. Select supplier, where the requester sees any active suppliers who already have matching controls
      for the engagement and selects the engagement supplier. This step recommends active suppliers that
      have matching controls for all of the engagement's required controls or that are qualified for all of
      the engagement's commodities, and shows active suppliers that have at least 1 matching control. Your
      organization might restrict the list of suppliers available in this step to only suppliers with approved
      registration projects.
      Each supplier card shows the number of matching controls for that supplier that have a review decision or
      are already in process. The requester can select the supplier with the largest number of effective controls
      to fast-track the process of risk assessment for the current engagement; select a supplier with at least
      some effective or pending controls, knowing that they are already partially assessed; or search for and
      select a supplier with no effective or pending controls with the understanding that new reviews for all
      matching controls might take more time.
      In sites where requesters can submit an engagement request with no supplier selected, this step is
      optional. In that case, depending on your organization's risk assessment process, you or someone else
      in your organization might edit the engagement request at a later point to add a supplier, the person
      responsible for sending assessment questionnaires might select the supplier before sending external
      assessments, or the engagement risk assessment project might proceed to completion with no supplier
      selected, using only internal assessment questionnaires.
   4. Review request, where the requester reviews the information they have provided before submitting the
      request for approval.
      If the requester copied the engagement request from a previous engagement risk assessment project,
      rather than creating it from scratch, the request includes all of the business details and inherent risk
      screening answers from the original engagement, and the requester might use the existing answers or edit
      them as required for the new engagement.
   Approvers review the submitted engagement request and approve or deny it.
2. Starting the evidence and control process: The responsible user sends the detailed assessment
questionnaires for all of the engagement's open controls to recipients. Open controls are controls that have
not been marked effective before for the supplier, whether because the supplier has not yet been assessed
for them or because one or more of the control's assessments is expiring or expired, or that have not been
assessed for this particular engagement. If there is no supplier selected for the engagement, all controls are
open.
If your site uses the simple workflow for sending assessments, the responsible user sends all of the
engagement's assessments at one time. If your site uses the advanced workflow for sending assessments,
the responsible user might send different assessments in different rounds over a period of time.
If you have an assessment questionnaire set up for imported responses, "sending" that assessment triggers a
request to import the supplier's response, instead of the supplier responding to it via SAP Ariba Supplier Risk.
3. Collecting evidence: Assessment recipients are notified that they need to fill out their risk assessments.
Depending on how the assessment questionnaires are set up, approvers might approve or deny individual
questionnaires in this stage. If the site is set up to allow it, a decision maker might choose to skip an
assessment response, allowing the control review process to continue without one.
4. Reviewing risk control effectiveness: Control decision makers review the answers to submitted risk
assessment questionnaires and render effectiveness decisions for associated controls. If the site is configured
to allow it, a decision maker can optionally skip a control review, allowing the workflow to continue without
setting an effectiveness level for the control or service.
5. Approving or denying the engagement: Approvers review the overall engagement risk assessment project,
including the effectiveness of its controls, and approve or deny the engagement.
6. Post-project approval tasks (optional): Task owners complete additional tasks, which may include completing
supplemental engagement questionnaires, to track post-approval activity, monitor the engagement, or perform
activities associated with the execution of the engagement. This phase is not required and is only included if
your organization has added it to the engagement risk assessment workflow.
7. Processing a change request (optional): A project owner initiates a change request to modify a completed
(live) engagement. An engagement request for which final approval has already been completed is considered
to be live. Changes to such engagements require a specific approval workflow to track proposed changes
which may require additional due diligence tasks such as sending assessments, collecting evidence, and
reviewing risk controls.
8. Processing a periodic or ad hoc review (optional): Project owners assess an ongoing engagement to
determine what adjustments might be required. The date for review is calculated using configured rules, and
the review workflow is based on the defined change request initial approval and final approval phases. Ad hoc
review is simply a review taking place outside the scheduled dates for formal periodic review.
9. Archiving the engagement project (optional): Users with the appropriate permissions archive the
engagement project so that no further actions can be taken on it. Depending on how your site is set up,
archiving can be a single action (simple workflow) or can involve a workflow with approvals (advanced
workflow).

Depending on how your organization's engagement risk assessment process is set up, some of these stages may
also include supplemental engagement questionnaires. These questionnaires are not the same as assessment
questionnaires and are not sent at the same time. Instead, task owners fill them out either as part of the
engagement risk assessment workflow or at any time before the engagement is completed, depending on how they
are set up. Supplemental engagement questionnaires typically gather information that is not directly associated
with control reviews. For example, they may track compliance, report on or monitor aspects of the engagement, or
confirm that someone has performed a required task outside of the engagement risk assessment project.

At any time between when the request is submitted and the engagement is completed or canceled, the requester
and governance experts can create issues or findings to highlight potential problems or concerns with the
engagement as a whole, and control decision makers can raise issues or findings associated with specific controls.
Various stakeholders then complete tasks and add comments to track and resolve those concerns.

In solutions that include SAP Ariba Sourcing or SAP Ariba Contracts, a sourcing or contract project can be made a
follow-on project from the engagement risk assessment, linking the projects together.

Your site's control-based risk assessment project template defines:

• The content in the engagement request business details and inherent risk screening questionnaires, including
which inherent risk screening questions trigger specific controls and whether the inherent risk screening
questionnaire generates an inherent risk rating.
• Who is responsible for sending control-based risk assessments.
• Who is responsible for approving the engagement request and approving the overall engagement.
• Whether or not there are other tasks in the workflow, such as To Do tasks related to business details or review
tasks, and who is responsible for completing them.
• Whether or not the engagement includes supplemental questionnaires and whether or not those
questionnaires require approval.
• The process for modifying completed engagement requests, using the change request workflow.
• The process for archiving engagement projects in sites that use the advanced archiving workflow.

Each engagement-level risk assessment questionnaire also has its own project template, which defines:

• Whether the questionnaire is internal or external and, for internal questionnaires, its recipients.
• The content of the questionnaire.
• Whether or not the questionnaire can expire and, if so, its expiration schedule.

• Whether or not the questionnaire has its own approval flow and if so, who is responsible for approving it.
• Whether or not updates to the questionnaire also require approvals.

Related Information

Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140]
How to Approve or Deny a Request for a Control-Based Engagement Risk Assessment [page 159]
Sending Assessment Questionnaires for a Control-Based Engagement Risk Assessment Project (Simple Workflow)
[page 177]
Setting Up Control Review Workflow
How to Review a Pending Control for Effectiveness Using the Control Review Page [page 228]
How to Review a Pending Control for Effectiveness Using the Control Details Page (Two Levels) [page 215]
Skipping an Assessment Response [page 222]
How to Skip a Control Review [page 225]
How to Approve or Deny a Control-Based Engagement Risk Assessment Project [page 204]
Control-Based Engagement Risk Assessment Status Flow [page 267]
Adding Periodic and Ad Hoc Review to the Engagement Workflow
Setting Up a Modular Questionnaire to Import Supplier Responses from the Human Rights Assessment on SAP
Business Network
Setting Up a Modular Questionnaire to Import Supplier Responses from an External System
Creating and Managing Findings [page 303]
Creating a New Engagement Request Triggered by a Non-Catalog Purchase Requisition [page 144]
Linking an Existing Engagement Request to a Non-Catalog Purchase Requisition [page 146]

The Issue Management Process for Risk Controls and Control-Based Engagement Risk Assessment Projects
Issue management is the process by which engagement requesters, control decision makers, and experts at your
company raise, analyze, and resolve issues related to control-based engagement risk assessment projects and
their required risk controls.

Engagement risk assessment project stakeholders can raise issues for the overall risk assessment project. Control
decision makers can raise issues for specific controls during a control review. For example, a request approver who
is concerned that the required controls may not address a potential additional risk can approve the request but
raise an issue. Or during control review, a control decision maker might raise an issue to clarify some aspect of
the control's potential effectiveness. Issues created for vendor- and service-level controls, and their residual risk
ratings, are also automatically included in all engagement risk assessment projects that require the control and
that include the same supplier (for vendor-level controls) or commodities (for service-level controls). That way,
control decision makers have visibility into the issues that shaped previous decisions about control effectiveness in
similar engagements.

The nature, severity, and probability of an issue and whether or not it has a satisfactory resolution are factors
control decision makers consider when reviewing a control and determining its effectiveness, and that approvers
for the overall engagement risk assessment project consider when finally approving or denying the engagement.
Depending on the issue management setup in your site, issue probability and severity may also determine the
residual risk rating of the issue.

The residual risk rating of the engagement may in turn be defined as:

• The highest residual risk of any issue created for the current engagement or for any risk control required for the
current engagement
• (If calculating residual risk by risk domain, using the Issues method) The highest residual risk of any issue
associated with any risk control required for the current engagement

Note

If your site is set up to calculate residual risk by risk domain, but using the Control Effectiveness method, then
residual risk for issues is not used to determine the overall engagement residual risk.

The issue management process provides an automatic and auditable process for collecting all of the pertinent
information about an issue and involving relevant experts in its analysis and resolution. It includes five stages:

1. Issue creation: a user becomes aware that there is a potential issue with a proposed engagement while the
control-based engagement risk assessment project is in progress, either for the engagement in general or for one
of its required controls, and creates an issue in Draft status. The user who creates the issue might fill out most
or all of the information for it, including specifying an assignee, or might leave most of the issue's fields blank at
this time. The Comments area is not yet available during issue creation.
2. Issue definition: the issue assignee (if there is one at this point) and owners of various issue definition tasks
edit the issue to provide more detailed information, add comments, and complete their assigned tasks.
The Issue definition phase ends when a user completes its final task. The issue status then moves from Draft
to Open.
3. Issue analysis: the assignee (if there is one at this point) and owners of various issue analysis tasks review
the issue details, edit the issue to update or add information if necessary, add comments, and complete
their assigned tasks. They might or might not propose resolutions at this stage. If the issue has not yet been
assigned, they also specify a user who can resolve the issue as the assignee at this point.
The Issue analysis phase ends when a user completes its final task. The issue status then moves from Open to
In Progress.
4. Issue resolution: the assignee and owners of various issue resolution tasks review the issue information, edit it
to propose or finalize its resolution, and complete their assigned tasks. If all of the information in the issue form
has not yet been filled out by now, it is added and finalized at this point, including the final issue severity and
probability.
The Issue resolution phase ends when a user completes its final task. The issue status then moves from In
Progress to Resolved.
5. Issue resolution acceptance: task owners complete any other assigned tasks related to issue resolution
acceptance, and the approvers assigned to the issue review the resolution and finally approve or deny it.
• If the issue resolution is approved, the issue moves from Resolved to Completed status.
• If the issue resolution is denied, the issue moves from Resolved to Request Denied status. In this case,
issue assignees can rework and then resubmit the resolution.

If the issue assignee team management feature is enabled and set up in your site and your issue management
projects include an assignee project group, at any point between when the issue is created and when it is resolved,
users with the appropriate permissions can add assignees to the issue from the issue page.

Note

If the site configuration parameter Enable assignee team management on issue projects
(Application.SR.IssueManagement.ManageIssueAssigneeTeam) is disabled, the Manage team button
is not available in the upper right corner of the issue page. This means the assignee team can't be managed on
the issue page.

Note

Members of the Project Owner project group in the issue management project and members of the
Supplier Risk Engagement Governance Analyst global user group have permission to edit an issue. If issue
management projects in your site include an assignee project group, members of that group can also edit an
issue. If your site uses role-based access control in the issue form, members of these groups can only edit
those sections of the issue form to which they have access. Neither task ownership nor access privileges by
themselves grant permission to edit an issue.

Someone can become an issue assignee in any of the following ways:

• By creating the issue.
• Through the project template.
• By membership in the Project Owner group of the associated control-based engagement risk assessment
project. When someone creates an issue for an engagement risk assessment project, the current membership
of its Project Owner project group is automatically copied to the issue assignee project group. This copy
is a one-time operation at issue creation. There is no ongoing synchronization in membership between
the engagement risk assessment Project Owner project group and assignee groups in its associated issue
management projects.
• When someone with permission to edit the issue selects them as the assignee on the issue form.
• When someone with the appropriate permissions adds them as an assignee team member on the issue page.

Your site's issue management project template defines:

• The questions in the issue form.
• Whether or not specific sections of the issue form have access control settings so that only users with specific
roles can fill out those sections of the form.
• How some assignees are added to the issue, either through the template or using a question in the issue form.
• The tasks in the issue management workflow and their owners.
• Who is responsible for approving the issue resolution.

Master data in your site defines:

• The probabilities and severities you can specify for an issue.
• Whether or not those probabilities and severities translate into a residual risk rating for the issue.

Related Information

The Control-Based Engagement Risk Assessment Process [page 114]
Viewing and Managing Control-Based Engagement Risk Assessment Projects [page 120]
How to Raise an Issue for a Control-Based Engagement Risk Assessment or One of Its Risk Controls [page 194]
How to Define, Analyze, or Resolve an Issue for a Control-Based Engagement Risk Assessment [page 196]
How to Add Approvers or Reviewers for an Issue in a Control-Based Engagement Risk Assessment Project [page 201]

Viewing and Managing Control-Based Engagement Risk Assessment Projects
Users who have permission to work with control-based engagement risk assessment projects can view and
manage them and their associated issues or findings on the Supplier Risk dashboard or on individual supplier
360° profiles, where they can open individual engagement requests to complete tasks and view details.

• Viewing and tracking engagement risk assessment projects on the Supplier Risk dashboard and in supplier
360° profiles [page 120]
• Using the engagement page [page 122]

Note

Your ability to view and complete tasks for individual control-based engagement risk assessment projects is
determined by your global user group membership and your assignment to tasks in specific engagement risk
assessment projects.

Viewing and Tracking Engagement Risk Assessment Projects on the Supplier Risk Dashboard
and in Supplier 360° Profiles

The Engagement requests page, which you access by clicking the Engagement requests tile on the Supplier Risk
dashboard, shows all of the engagement risk assessment projects you have permission to see. The Engagement
requests tab of an individual supplier 360° profile shows engagement risk assessment projects for that supplier
along with their associated issues, findings, and risk controls.

The Engagement requests page includes three tabs, which allow you to view or manage engagement risk
assessment projects at various stages:

• Edit and save or submit your draft engagement requests on the New requests tab, which shows
engagement requests that you have created and saved but not submitted (in Draft status). Click the
engagement request name to open your draft, finish it, and submit it.
• Track and manage engagement risk assessment projects that are in progress on the In progress tab:
  • View or approve submitted engagement requests: Click the name of an engagement risk assessment
    project with Submitted status to view its details on the engagement page. If you are an approver, you can
    approve or deny a request here [page 159].
  • Edit or cancel engagement requests:
    • If your site uses the advanced editing feature, you can edit or cancel engagement requests at any time
      before final approval. Click the name of an engagement risk assessment project to edit [page 163] or
      cancel [page 175] it. If the status of the engagement request is In Edit, only the user who originated
      the edit can continue the editing process; in this case, the engagement page shows the name of the
      editing user.
    • If your site does not use the advanced editing feature, you can edit or cancel submitted or approved
      engagement requests: Click the name of an engagement risk assessment project with Submitted
      or Pending Assessment status to edit [page 162] or cancel [page 174] it before assessment
      questionnaires are sent out.
  • Raise, track, and resolve issues for the overall engagement: Click the name of an engagement
    risk assessment project with Submitted, Pending Assessment, In Assessment, Pending Risk Control
    Decision, or Pending Final Approval status to raise [page 194], define, analyze, and resolve [page 196]
    issues at the overall engagement level.
  • Manage the residual risk rating of the engagement: Click the name of an engagement risk assessment
    project that has not yet received final approval to view [page 136] or edit [page 202] its residual risk. You
    only see residual risk for engagement risk assessment projects for which residual risk has been calculated,
    as described in About Residual Risk for Control-Based Engagement Risk Assessments [page 136]. If your
    site is set up to calculate residual risk by risk domain, you cannot edit the residual risk value manually.
  • Send assessment questionnaires: Click the name of an engagement risk assessment project with
    Pending Assessment status to view its details on the engagement page. If you are one of the people
    responsible for sending assessment questionnaires for the engagement, you send them from here using
    either the simple [page 177] or advanced [page 180] workflow, depending on your site configuration.
  • View and approve assessment questionnaires for an engagement risk assessment project with In
    Assessment, Pending Risk Control Decision, or Pending Final Approval status: To see the assessment
    questionnaires sent for a project:
    • Click the name of the project: on the engagement page, you can see more detail about the project and
      approve or deny assessments.
    • Click the Expand link in the Assessments column to see the list of assessments. Then click View to
      see details about an assessment. From there you can approve or deny it. Assessments with imported
      status data do not have the View option because the underlying details are stored outside SAP Ariba
      Supplier Risk.
    If you are a recipient for an internal assessment questionnaire, you complete it [page 184] or choose a
    different recipient [page 287] on the Home dashboard. If you are an approver for an internal assessment
    questionnaire, you approve or deny it [page 187] using Manage My Tasks.
    You can also see all of the external modular supplier management questionnaires sent to a supplier,
    including those sent as assessments in the current control-based engagement risk assessment
    project and completed questionnaires that are associated with the current project's controls, on the
    Questionnaires tile in their supplier 360° profile. If you are an approver for an external assessment
    questionnaire, you approve or deny it [page 291] on the Questionnaires tile in the supplier's 360° profile.
  • View and review risk controls: Click the name of an engagement risk assessment project with Pending
    Risk Control Decision status to view its risk control review tasks, and click View next to any completed
    review task to view its details, including associated questionnaires. If you are a decision maker for a control
    that requires review in the current engagement, you can review it for effectiveness from here using the
    control details page [page 215] (if your site has the control review workflow feature enabled) or the control
    review page [page 228] (if it does not).
  • View, fill out, or approve supplemental engagement questionnaires: Click the name of an engagement
    risk assessment project with Submitted, Pending Assessment, In Assessment, Pending Risk Control
    Decision, or Pending Final Approval and click View next to any completed To Do task for a supplemental
    engagement questionnaire to view the questionnaire. If you are a To Do task owner, you can fill out and
    submit it [page 191] here. If you are an approver, you can approve or deny it [page 193] here.
  • Approve or deny the engagement: Click the name of an engagement risk assessment project with
    Pending Final Approval status to view its details, including tasks related to final approval. If you are an
    approver for the overall project, you can approve or deny it here [page 204].
• Review completed and canceled risk assessment projects on the Completed tab.
  • If your site uses the advanced editing feature, you can edit or cancel engagement requests that have been
    denied, listed on this tile. Click the name of an engagement risk assessment project to edit [page 163] or
    cancel [page 175] it.
  • If your engagement risk assessment workflow includes a post-project approval phase, projects in that
    phase also show on the Completed tab. Click the name of an engagement risk assessment project with
    In Progress or Completed status and click View next to any completed control review task to view its
    details. Click View next to any completed To Do task for a supplemental engagement questionnaire in the
    post-project approval phase to view the questionnaire. If you are a To Do task owner, you can fill out and
    submit it [page 191] here. If you are an approver, you can approve or deny it [page 193] here. If you have
    permission to do so, you can cancel the post-project approval phase [page 249] here.
  • If your site uses the change request feature to modify live (Completed) engagements, click the name to
    start a change request [page 235] or work with a change request already in progress [page 234].
  • If your site has the engagement review workflow [page 374] feature enabled, click the name of an
    engagement for which you want to start a periodic or ad hoc review [page 250] or work with a review
    already in progress [page 254].

You can sort some columns, such as Name, by clicking the column name. You can filter other columns, such as
Status, by clicking the filter icon in the column header, then choosing the filter values.

Note

If the feature for engagement list page enhancements (ARI-15401) is enabled in your site, filter and sort are at
the top of the engagement list page, not on the column headers.

Tip

To remove the autofill history in the Filters for engagement requests popup, clear your browser’s cache.

To export the list of risk assessment projects on any of the tiles in the Engagement requests area to a Microsoft
Excel file, click the download icon. The exported file includes the list of risk assessment projects on the tile
based on current filters and sorting.

Using the Engagement Page

Once a requester has submitted a control-based engagement request, you can click its name to open the
engagement page and see engagement details if you are:

• The requester.
• The project owner.
• A member of the Project Owner project group or, for an engagement with a change request in progress, the
Change Request Owners project group.
• A member of the Supplier Risk Engagement Analyst or Supplier Risk Engagement Governance Analyst
group.
• An approver, reviewer, or task owner for one of its tasks.

This page includes the following sections:

• Engagement summary:
  • Basic information about the engagement, including its commodities, regions, departments, current status,
    the name of the requester, and the date the request was submitted.
  • Depending on your site's configuration, this area might also show the engagement's inherent risk based on
    commodity [page 139] or inherent risk screening questionnaire score [page 138].
    In sites configured to calculate inherent risk by risk domain, you can hover the cursor over the icon next
    to the Inherent risk value to display further detail. A tooltip shows the list of risk domains assigned to
    sections of the inherent risk screening questionnaire, with the inherent risk rating for each domain.
  • Residual Risk, if this rating has been calculated for the engagement. For details on engagement-level
    residual risk calculations, see About Residual Risk for Control-Based Engagement Risk Assessments [page
    136].
    In sites configured to calculate residual risk by risk domain, you can hover the cursor over the icon next
    to the Residual Risk value to display further detail. A tooltip shows the list of risk domains assigned to
    sections of the inherent risk screening questionnaire, with the residual risk rating for each domain.

    Tip

    Residual risk for an engagement is calculated or re-calculated when it moves to Completed status,
    when a change request or review is completed, or in response to changes in the underlying factors
    (issues, findings, inherent risk, or control effectiveness) that influence the residual risk evaluation. If
    the update processing wasn't quite as fast as the redisplay of the engagement page, you might still see
    the prior residual risk value. In this case, you can use the Refresh status link at the top of the Tasks
    section to refresh the page and show the newer residual risk value.

  • For a completed engagement for which there has been change request activity, this section includes a link
    to the engagement history [page 130].
• Supplier: basic information about the engagement supplier, including name and email address of the primary
supplier contact, if a supplier is selected. You can click the supplier's name to open their 360° profile.
• Engagement risk by risk domain: a list of the risk domains assigned to sections of the inherent risk screening
questionnaire, with the calculated inherent risk for each. This section displays only in sites configured to
calculate inherent risk by risk domain.
  • The Residual risk and Contributing risk controls columns display here if at least one of the two domain-
    based residual risk methods is enabled.
  • Hover over a value in the Contributing risk controls column to display a tooltip showing a list of the
    controls contributing to the residual risk rating for that risk domain, with the residual risk value for each.
    From there you can click on a control name to navigate to its control details page.
• Approval flow: a graph that shows the five general steps of the engagement risk assessment process with
separate nodes for each assessment questionnaire task and control review task required by the current
engagement risk assessment project.
• Tasks: a table where you can view the tasks for the engagement risk assessment project, and where task
owners and approvers can complete their assigned tasks, including control review tasks. You can view task
details from here.
• Risk Controls: a table where you can view detailed information about all of the engagement's required controls.
You can view the control name, type, and owner; the associated assessments; the control review status; the
review decision, if there is one, for a vendor- or engagement-level risk control; the assignee (control decision
maker); and, for completed control reviews, the completed date. Control decision makers can review their
assigned controls here.
• Risk Assessments: a table where you can view the assessment questionnaires required for the current
engagement project, for which evidence needs to be (Pending tab) or has already been (Completed tab)
collected. You can view current assessment answers and approval information here and, if you are the recipient
of an internal assessment, fill it out and submit it.
• Issues or Findings: A table where you can view issues and findings created for the current engagement and its
controls, as well as any created for the current engagement's vendor- or service-level controls in any previous
engagement. The label for this table depends on whether the findings feature is enabled in your site.
• Request Details: all of the business detail and inherent risk screening questions and answers from the
engagement request.

Related Information

The Control-Based Engagement Risk Assessment Process [page 114]
The Issue Management Process for Risk Controls and Control-Based Engagement Risk Assessment Projects [page 117]
Control-Based Engagement Risk Assessment Status Flow [page 267]
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]
About Residual Risk for Control-Based Engagement Risk Assessments [page 136]
Allow users to create general and engagement-related findings [page 349]
Creating a Finding [page 303]

Using the Action Queue

The Action queue page allows users to access their open approvals, To Do tasks, and other actions for control-
based risk assessment projects. The Actions tile on the Supplier Risk dashboard shows the number of open
approvals, To Do tasks, and other actions.

If the action queue for engagement projects feature (ARI-9396) is enabled in your site, you’ll find the Actions tile on
the Supplier Risk dashboard. The tile takes you to the Action queue page.

Note

The Actions tile is only visible on your Supplier Risk dashboard when you have open approvals, To Do tasks,
and other actions for engagement projects that you're assigned to either as an individual or as a member of a
project group.

If any approvals, To Do tasks, or actions need immediate attention, determined by due dates or expiration dates,
the number of these actions appears at the bottom of the Actions tile in orange. They also show on the
Action queue page with the status Due soon in orange and Overdue in red.

The Action queue page shows the open approvals, To Do tasks, and other actions for engagement projects the user
is assigned to either as an individual or as a member of a project group.

Users click the linked name to complete the action rather than going to individual engagement projects or looking
for email notifications.

The actions are sorted by the earliest due date. If there's no due date, the actions are sorted by creation date.

The columns on the Action queue page can be added or removed.

Table 3: Action Queue Table

Column: Actions
Description: The name of the To Do task, approval, or other action, and the action type. For example, To Do for my
document 1, To Do task | Engagement request: WS12345.

The name of the To Do task, approval, or other action is a link.

For example, if you click the name of an engagement request To Do task, it takes you to the survey task page if
it’s a survey document task.

Any To Do tasks that don't have documents take you to the engagement summary page.

The WS (workspace) ID is a link. For example, if you click the ID for an engagement request, the link takes you to
the engagement project details. If the ID is for an issue, the link takes you to the issue.

Column: Status
Description: The action status.

Status types include Waiting for response, Ready, In progress, Due soon, and Overdue.

Note
In progress is only used for engagement request periodic reviews. You can find the In progress status if you select
Action Start review. The action remains in the action queue until the periodic review is completed. If the
review is canceled, then the status changes to Ready.

A count of the Due soon and Overdue statuses shows in orange at the bottom of the Actions tile on the Supplier
Risk dashboard.

Column: Created date
Description: The date the document that needs to be acted on was created.

Column: Due date
Description: The date the document that needs to be acted on is due.

Column: Supplier
Description: Supplier name

Column: Assignee
Description: The individual user or project group assigned to the action.

If a project group is the assignee, no individual user has been assigned to the action.

Approval task actions have 1 action per approver. As each user approves, their individual action is set to complete
but it has no effect on the other actions for that approval task if other approvers are expected.

If a group is the assignee for an approval task, and it’s mandatory for all members of the group to act, the action
stays until all users in the group have responded. For example, when a member of the project group approves an
action, the action disappears from their action list but the action remains in the lists for the other members of the
project group until they approve.

Table 4: Action Details


Need attention,
Action name navi- Action start trig- Action due date overdue and due
Action type gation ger Action end trigger source soon

Approval tasks: Engagement re- When the task is When the task is The task due date The actions that
available for appro- approved. configured on the need attention, as
• Engagement quest approval task
val. project template indicated on the
request appro- takes you to the
for the engage- Actions tile, are ei-
val task task details page. ment, assessment, ther overdue or due
• Assessment or issue. soon.
questionnaire Assessment ques-
approval task tionnaire approval The action shows
• Issue approval task takes you to as Due soon when
task the task details it's within 7 days of
page. the due date.

Issue approval task The action shows


takes you to the as Overdue when
task details page. the due date is in
the past.


Action type: Assessment questionnaire
• Action name navigation: Engagement internal modular questionnaire takes you to the engagement page. Any other
internal modular questionnaire takes you to the questionnaire details page.
• Action start trigger: When the assessments are sent, or reopened for response or request for edit.
• Action end trigger: When a response to the modular questionnaire is submitted and the assessment is pending
approval.
• Action due date source: By default, 7 days from when the assessment is sent, or reopened for response or
request for edit. An authorized user can customize this number of days using the Days till due date for
assessment questionnaire and control review actions setting on the Control review tab of the Configure periodic
reviews page in the settings area.

Action type: Control review
• Action name navigation: The action name link takes you to the control details page.
• Action start trigger: When the assessment is sent.
• Action end trigger: When the control is reviewed.
• Action due date source: By default, 7 days from when the assessment is approved and the control is opened for
review, or available for review, or similar. An authorized user can customize this number of days using the Days
till due date for assessment questionnaire and control review actions setting on the Control review tab of the
Configure periodic reviews page in the settings area.


Action type: Control review expiration
• Action name navigation: The action name link takes you to the control details page.
• Action start trigger: The control expiration date plus the number of days in the Control review configuration.
  When the control expiration date is set during:
  • Reviewing the engagement-type control, service-type control, or vendor-type control
  • Updating the expiration from the Action menu on the control details page
  plus the number of days in the Control review configuration is set.
  For example, if the control expiration date is set to January 23, and the configured number of days is 7, the
  action appears in the action queue on January 16.
• Action end trigger: When the control is reopened or a new expiration date is set.
• Action due date source: The number of days in the Control review configuration found at Supplier risk
administration > Configure periodic reviews on the Control review tab.

Action type: Engagement project upgrade
• Action name navigation: The action name link takes you to the engagement page where you can see the engagement
details.
• Action start trigger: When the engagement project is made available for upgrade.
• Action end trigger: When the template upgrade is complete for the engagement project.
• Action due date source: The due date set in the Additional settings for template upgrade popup when the
engagement project is made available for upgrade.


Action type: Engagement request periodic review
• Action name navigation: The action name link takes you to the engagement page.
• Action start trigger: When the engagement request is eligible for periodic review.
• Action end trigger: When the periodic review on the engagement request is completed.
• Action due date source: The configured Date to complete the review found at Supplier risk administration >
Configure periodic reviews on the Engagements tab.

Action type: To Do tasks (Engagement request To Do task, Assessment questionnaire To Do task, Issue To Do task)
• Action name navigation: Engagement request To Do task for an assessment task takes you to the engagement page.
Any other engagement To Do task takes you to the task details page. Assessment questionnaire To Do task takes you
to the task details page. Issue To Do task takes you to the task details page.
• Action start trigger: When the task is active and can be started.
• Action end trigger: When the task is completed.
• Action due date source: The task due date configured on the project template for the engagement, assessment,
or issue.

Related Information

Viewing and Managing Your Tasks for an Engagement Risk Assessment Project [page 154]
Setting Up Control Review Workflow

Viewing Engagement History
As soon as a completed control-based engagement risk assessment project has at least one submitted change
request, a link to view history for the project becomes available on the engagement's summary page.

Prerequisites

To view engagement history:

• You must have view permission for the engagement via your group membership or role in the project. Users
with this permission include:
  • The user who created a review or change request currently in progress
  • Members of the Project Owner project group
  • Members of the Change Request Owners project group
  • Members of the Supplier Risk Engagement Governance Analyst group
• The engagement must have at least one post-completion activity. These activities include:
  • Change request
  • Periodic or ad hoc review
  • Template upgrade
• The activity may be in progress, completed, or canceled. If you revert a draft change request or a draft review,
these activities are not recorded in the engagement history.

Context

The Engagement history page shows the history of an engagement, from the version that first received final
approval through the current state. It shows all change requests and periodic or ad hoc reviews processed beyond
draft status, and any skipped periodic reviews.

Procedure

1. Options for opening the engagement:


• Click the Engagement Requests tile on the Supplier Risk dashboard, locate the engagement, and click its
name.
• In a supplier 360° view, click the Completed tile, locate the engagement, and click its name.
• If the engagement is available for or currently in periodic review, and the Action Queue feature is enabled:
click the Actions tile on the Supplier Risk dashboard, locate the action for periodic review of this
engagement, and click that link.
2. Depending on the status of the engagement request and your user permissions, a confirmation message may
offer a choice between navigating to an ongoing Change Request or Review, or to the engagement page for the
current live version of the engagement. Choose an option that allows you to see the engagement page.

3. In the Engagement Summary section of the engagement page, click the Engagement history link. The link
appears below the Live engagement request version, only for an engagement for which history records exist.

Results

The Engagement History page shows activity for this engagement. By default, all activity is listed in reverse
chronological order. Activities listed include:

• Current draft change request or review

  Note

  If you revert a draft review or change request, that activity no longer appears in the engagement history.

• Submitted (in progress) change request or review. If you cancel a submitted review or change request, it
remains in the history with a status indicating it was canceled.
• Completed change request or review
• Skipped periodic review
• Template upgrade

From here you can click on the Activity date text to see the history record for that activity, or use the checkboxes at
left to choose rows for comparison.

Related Information

Comparing Two Rows in the Engagement History [page 131]

Comparing Two Rows in the Engagement History

Choose two rows in the engagement history to display a page illustrating the differences between them. Choose
one row to compare it to the current live version.

Prerequisites

The Engagement history link must be available for the engagement project. See the Prerequisites listed in Viewing
Engagement History [page 130].

Context

The Engagement history page shows change request and review activity for an engagement project, from the
version that first received final approval through the current state.

From here you can use the checkboxes at left to choose two rows for comparison, or choose one row to compare it
to the current live version.

Procedure

1. To open the engagement:


• Click the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view. In the
Completed list, locate the engagement, and click its name.
• In the case of a periodic review, if the Action Queue feature is enabled: in the Action Queue, click the
periodic review link for this engagement.
2. Depending on the status of the engagement and your user permissions, a confirmation message may offer
a choice between navigating to an ongoing Change Request or Review, or to the engagement page for the
current live version. Choose an option that allows you to see the engagement page.
3. In the Engagement Summary section of the engagement page, click the Engagement history link. The link
appears below the Live engagement request version, only for an engagement for which history records exist.
4. You can choose one activity row to compare it to the current live version. Select two activity rows to compare
them to each other. Use the checkbox at the left of each row to make your selections.
5. Clicking in a selection checkbox causes the Compare button to become available. After selecting one or two
rows, click the Compare button.

Results

The comparison appears below the list of engagement project activities. Rows where the two versions differ are
highlighted.

• The Business details section shows the list of business details questions, with Older (row representing earlier
version or activity) and Newer (row representing more recent version or activity) responses.
• The Inherent risk screening section shows the list of inherent risk screening questions, with Older (row
representing earlier version or activity) and Newer (row representing more recent version or activity)
responses.
• The Tasks section shows all tasks for the engagement. Columns for Older status and Newer status indicate
the status of each task for the two versions of the engagement.
• The Risk controls section shows summary information for all controls for the engagement. Columns for Older
status and Newer status indicate the status of each control for the two versions of the engagement.
• The Risk assessments section shows summary information for all assessments for the engagement. Columns
for Older status and Newer status indicate the status of each control for the two versions of the engagement.

About requesters, project owners, and members of the Project Owner and Change Request Owners project teams
Being the requester, project owner, or a member of the Project Owner or Change Request Owners project group
for a control-based engagement risk assessment project automatically confers certain permissions in the project.

The following roles in control-based engagement risk assessment projects carry specific permissions.

Role: Requester

Description: The person who created the engagement request. The Requester field on the engagement page shows the
name of the requester, which doesn’t change.

The requester is also the default project owner of a control-based engagement risk assessment project and is
automatically added to its Project Owner project group.

If a different person is made project owner, the requester remains a member of the Project Owner group until
manually removed.

Permissions:
• View the engagement and perform any tasks associated with viewing the engagement, such as creating issues.
• Inherit permissions from membership in the Project Owner project group while also a member of that group.


Role: Owner

Description: The explicit project owner of the control-based engagement risk assessment project. The Owner field
on the engagement page shows the name of the current project owner, which might change.

The requester is the default project owner of a control-based engagement risk assessment project. A user with the
appropriate permissions might change the project owner using one of the following mechanisms:
• By answering a question about project ownership in the engagement request, if the request includes a question
with the appropriate configuration. Note that your organization's terminology and processes determine how this
question is phrased.
• By choosing Action > Manage team on the engagement page [page 150].

The new project owner replaces the previous owner of the control-based engagement risk assessment project and is
also automatically added to its Project Owner project group. The current owner can’t be removed from the Project
Owner project group.

Permissions:
• View the engagement and perform any tasks associated with viewing the engagement, such as creating issues.
• Inherit permissions from membership in the Project Owner project group.


Role: Project Owner project group team member

Description: Members of the Project Owner project group in the control-based engagement risk assessment project.

By default, the requester and any other user who is subsequently made owner of the project are added to the
Project Owner project group in addition to any members added by the project template. A user with the appropriate
permissions might change the group membership using one of the following mechanisms:
• By editing project team membership in the advanced view. You can both add and remove team members using this
mechanism except for the current owner, who is always a member of this group.
• By choosing Action > Manage team on the engagement page [page 152]. You can add and remove team members.

If your site uses a dedicated assignee project group for issue management projects, when someone creates an issue
for a control-based engagement risk assessment project, the current membership of its Project Owner project group
is automatically copied to the issue assignee project group in addition to any template-defined membership. This
copy is a one-time operation at issue creation. There is no ongoing synchronization in membership between the
engagement risk assessment Project Owner group and assignee groups in its associated issues management projects.

Permissions:
• View the engagement and perform any tasks associated with viewing the engagement, such as creating issues, even
if not a requester, owner, or member of the Supplier Risk Engagement Governance Analyst group.
• Complete any tasks to which the Project Owner project group is assigned.
• Add approvers or reviewers for tasks that do not have template-defined approvers or reviewers.
• Be the recipients for internal assessments if the assessment questionnaire project does not have an Internal
Recipients project group or if that project group is empty.
• Edit the engagement request if they are also a member of the Supplier Risk Engagement Requestor global user
group.

Role: Creator of a change request

Description: A member of the Project Owner project team for an engagement can create a change request. The
Created by field for the change request contains this name, which does not change.

Permissions: These are the only users who can open a Draft change request for further editing and submit it.

Role: "On behalf of" user for a change request

Description: The user creating a change request can optionally specify another user on behalf of whom the change
request is created.


Role: Change Request Owners project group team member

Description: Members of the Change Request Owners project group in the control-based engagement risk assessment
project.

By default, the Created by user and "on behalf of" user are added to the Change Request Owners project group in
addition to any members added by the project template. A user with the appropriate permissions might change the
group membership by:
• Editing project team membership in the advanced view. You can both add and remove team members using this
mechanism.
• By choosing Action > Manage change request owners on the engagement page [page 156]. You can add and remove
team members.

Permissions: For an engagement with a change request in progress, this group has the same permissions as members
of the Project Owner project group. In addition, members of this group can:
• Cancel an in-progress change request
• Start an edit of an in-progress change request (if this feature is enabled)

Depending on how your organization has set up its control-based engagement risk assessment projects, they
might include any number of other project groups that are responsible for completing specific tasks in different
parts of the process.

Related Information

How to Change the Project Owner on the Engagement Page of a Control-Based Engagement Risk Assessment
Project [page 150]
How to Manage Team Membership of the Project Owner Group in a Control-Based Engagement Risk Assessment
Project [page 152]
How to Manage Team Membership of the Change Request Owners Project Group [page 156]

About Residual Risk for Control-Based Engagement Risk Assessments
Residual risk refers to the risk that remains after all risks associated with a supplier or third-party engagement have
been identified, assessed, and handled.

During the control-based engagement risk assessment process, the requester and various stakeholders might
notice aspects of the engagement that cannot be mitigated by standard risk controls, or for which controls are not
sufficient for one reason or another. They therefore have a direct bearing on an engagement's residual risk.

Your site might be set up to use issues or findings to track these situations and the process of addressing them.

Residual Risk for Issues

The Residual Risk field for an issue shows its residual risk based on its probability and severity. This field displays a
value once the issue severity and probability are set.

A customer administrator at your organization defines the ranges of probability and severity that can be assigned
to an issue as well as the rating of residual risk for each possible combination of the two. Typically, issues with
higher severity or probability have greater residual risk. There is not always a direct relationship, however, between
probability or severity and the residual risk rating. For example, your organization might decide that issues with
very low severity have the lowest residual risk even if they are highly probable. Conversely, issues with very high
severity might have the highest residual risk even if they are not very likely.

Issues associated with an engagement include:

• Issues raised for the engagement as a whole


• Issues raised for an engagement-level control
• Issues raised for vendor- and service-level controls associated with that engagement, even if they were
introduced in other engagements for this supplier

Business Impact for Findings

Each finding has a business impact value determined from its impact and likelihood (analogous to the severity and
probability for an issue). Possible business impact values are Low (1), Medium (2), High (3), Critical (4), and Show
Stopper (5).

Findings can be associated with an engagement or one of its risk controls.

Engagement-level residual risk

The residual risk for an engagement shows in the Residual Risk field in the Engagement Summary area of the
engagement page.

Depending on how your site is set up, engagement residual risk is determined using one of the following methods.

• By default, an engagement's residual risk is the highest residual risk rating among the issues associated with
the engagement and its controls. If your site is set up to use findings, the business impact of each finding is
considered.
• If your site is set up to calculate residual risk by risk domain: an engagement's residual risk is the highest
residual risk rating for any control on the engagement. In this method, a control’s residual risk is determined
using one of the following:
  • Issues or findings associated with the control. Note that this method considers only control- or
  service-level, not engagement-level issues or findings.
  • The control’s effectiveness level combined with the engagement's inherent risk.

If you are using a residual risk evaluation method that considers issues or findings (in other words, anything but the
domain-based Control effectiveness method): if the engagement has both findings and associated "legacy" issues
from before you enabled the findings feature, both issues and findings are considered in determining residual risk.

The Residual Risk field displays in the summary area of the engagement page once the engagement's residual risk
has been calculated.

• If using the default residual risk calculation, in which engagement residual risk is the most severe residual risk
rating for any issue (or business impact for any finding) associated with the engagement or any of its controls:
engagement residual risk is calculated as soon as an issue for the engagement has a residual risk value (or a
finding has a business impact value). It is updated as needed when related issues (or findings) are added or
their residual risk (business impact) values change.

  Note

  If using this method, and the engagement has not yet been approved, users with the appropriate
  permissions can manually edit its residual risk rating. You can only manually edit an existing residual risk
  rating. If the engagement Residual Risk field is blank, there is no way to edit the field to set it manually.

• If calculating residual risk by risk domain, engagement residual risk is calculated or re-calculated:
  • When the original engagement request is completed
  • When a change request or review is completed
  • In response to changes in the underlying factors (issues, findings, inherent risk, or control effectiveness
  levels) that determine the residual risk
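
The two issue- and finding-based calculation methods described above, as an added Python example that is not SAP Ariba code. It assumes a constructed severity/probability matrix, issue ratings expressed on the same 1-5 scale the page lists for findings, and hypothetical record fields and control IDs; the control-effectiveness variant of the by-domain method is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Business impact values for findings, as listed on the page.
SCALE = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4, "Show Stopper": 5}
LABEL = {score: name for name, score in SCALE.items()}

# Constructed issue matrix: severity -> probability -> rating. A customer
# administrator defines the real one; rating issues on the same 1-5 scale as
# findings is an assumption of this example.
ISSUE_MATRIX = {
    "Very low":  {"Unlikely": 1, "Possible": 1, "Likely": 1},  # lowest even if likely
    "Medium":    {"Unlikely": 2, "Possible": 3, "Likely": 4},
    "Very high": {"Unlikely": 5, "Possible": 5, "Likely": 5},  # highest even if unlikely
}


@dataclass
class Record:
    """One issue or finding (hypothetical structure, not a product schema)."""
    kind: str                              # "issue" or "finding"
    control: Optional[str] = None          # None = raised for the engagement as a whole
    severity: Optional[str] = None         # issues only
    probability: Optional[str] = None      # issues only
    business_impact: Optional[str] = None  # findings only

    def rating(self) -> Optional[int]:
        """Numeric rating, or None while the inputs are not all set."""
        if self.kind == "finding":
            return SCALE.get(self.business_impact) if self.business_impact else None
        if self.severity is None or self.probability is None:
            return None  # the issue's Residual Risk field is still blank
        return ISSUE_MATRIX[self.severity][self.probability]


def _highest(records: Iterable[Record]) -> Optional[str]:
    """Label of the highest rating among the records, or None if none is rated."""
    scores = [r.rating() for r in records]
    scores = [s for s in scores if s is not None]
    return LABEL[max(scores)] if scores else None


def default_residual_risk(records: List[Record]) -> Optional[str]:
    """Default method: highest rating among engagement- and control-level records."""
    return _highest(records)


def control_residual_risk(records: List[Record]) -> Dict[str, Optional[str]]:
    """Per-control rating from the issues and findings attached to each control."""
    by_control: Dict[str, List[Record]] = {}
    for r in records:
        if r.control is not None:  # engagement-level records are not considered
            by_control.setdefault(r.control, []).append(r)
    return {c: _highest(rs) for c, rs in by_control.items()}


def domain_residual_risk(records: List[Record]) -> Optional[str]:
    """By-risk-domain method: highest residual risk of any control."""
    rated = [SCALE[v] for v in control_residual_risk(records).values() if v]
    return LABEL[max(rated)] if rated else None


# Constructed sample: legacy issues and findings on one engagement.
SAMPLE = [
    Record("issue", control=None, severity="Very high", probability="Unlikely"),
    Record("issue", control="CTRL-A", severity="Medium", probability="Likely"),
    Record("issue", control="CTRL-A", severity="Very low", probability="Likely"),
    Record("finding", control="CTRL-B", business_impact="Medium"),
    Record("issue", control="CTRL-B", severity="Medium"),  # probability not set yet
]

if __name__ == "__main__":
    print("default method:  ", default_residual_risk(SAMPLE))
    print("per control:     ", control_residual_risk(SAMPLE))
    print("by-domain method:", domain_residual_risk(SAMPLE))
```

On the same records the two methods disagree, because the engagement-level issue counts only under the default method.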

Related Information

About Inherent Risk (Commodity) for Control-Based Engagement Risk Assessment Projects [page 139]
How to Change the Residual Risk of a Control-Based Engagement Risk Assessment Project [page 202]
Configuring Residual Risk Calculations by Risk Domain
Setting Up Residual Risk for Issue Management Projects

About Inherent Risk in Control-Based Engagement Risk Assessment Projects
The Inherent Risk field in the Engagement Summary shows the inherent risk of the engagement based on
answers to questions in the engagement request inherent risk screening questionnaire.

Inherent risk is risk based on the fundamental characteristics of the engagement, such as its commodities,
regions, departments, and criticality. When you create an engagement request, the second step of the request is an
inherent risk screening questionnaire that asks you questions about the inherent risk of the engagement based
on the commodities, regions, and departments you selected in the first step. Your organization's control-based
risk assessment process can also score the inherent risk of an engagement directly based on the answers to the
inherent risk screening questionnaire. For example, your organization might score a Yes answer to a question about
whether the engagement involves access to secure facilities as high risk. Once a requester submits the request, the
inherent risk screening questionnaire calculates a numerical score based on its answers.

The Inherent Risk field shows an inherent risk rating based on the answers in the inherent risk screening
questionnaire in the second step of the engagement request. This rating is always a descriptive term that is
associated with an underlying numerical score; for example, High or Low or Critical. The Engagement Summary
only shows the Inherent Risk field in engagements where all of the following conditions apply:

• A template creator in your organization has set up scoring for the inherent risk screening questionnaire.
• You have completed the second step of the engagement request, the inherent risk screening questionnaire, and
have clicked Next to submit it.

If your site uses scoring for the inherent risk screening questionnaire, the inherent risk score might affect different
parts of the control-based engagement risk assessment process, such as who approves the request and the overall
engagement.

If your site is configured to calculate inherent risk by risk domain, you can see the underlying domain ratings on the
engagement page as well as the overall inherent risk rating for the engagement.

Related Information

About Residual Risk for Control-Based Engagement Risk Assessments [page 136]
About Inherent Risk (Commodity) for Control-Based Engagement Risk Assessment Projects [page 139]
Viewing and Managing Control-Based Engagement Risk Assessment Projects [page 120]
Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140]

About Inherent Risk (Commodity) for Control-Based Engagement Risk Assessment Projects
The Inherent Risk (Commodity) field in the Engagement Summary shows the inherent risk of the engagement
based on the commodities and services involved.

Inherent risk is risk based on the fundamental characteristics of the engagement, such as its commodities, regions,
departments, criticality, and so on. When you create an engagement request, the second step of the request is a
questionnaire that asks you questions about the engagement's inherent risk based on the commodities, regions,
and departments you selected in the first step. Your organization's control-based risk assessment process can also
score the inherent risk of an engagement directly based on the criticality of its commodities to your organization's
operations. For example, your organization might score any engagement for network security services as high risk
because they are critical to your organization's operations and because they always involve granting supplier or
third-party employees access to your organization's computer networks.

The Inherent Risk (Commodity) field shows an inherent risk rating based on the engagement's commodities,
which you specify in the first step of the engagement request. This rating is always a descriptive term that
is associated with an underlying numerical score; for example, High or Low or Critical. The Engagement
Summary only shows the Inherent Risk (Commodity) field in engagements where all of the following conditions
apply:

• An administrator at your organization has defined commodity-based risk classifications for your site (if not, the
Inherent Risk (Commodity) field never shows).
• You have completed the first step of the engagement request, including selecting commodities, and clicked
Next to submit the business details.
• At least one of the commodities you selected has a risk score.

If the engagement involves multiple commodities with different ratings, it shows the highest (most risky) score.

If your site uses commodity-based inherent risk scores, they might affect different parts of the control-based
engagement risk assessment process, such as who approves the request and the overall engagement.

Requesting a New Engagement and Starting a Control-Based Risk Assessment
Follow these steps to create an engagement request when you want to engage with an active supplier or third
party for goods or services. The engagement request is the first step in a control-based risk assessment project to
analyze and document the risks involved with the engagement.

Prerequisites

• You must be a member of the Supplier Risk Engagement Requestor group to create an engagement request.
• Only active suppliers are eligible for supplier engagement.

Context

In control-based risk assessment projects, the engagement request involves several steps. In the first step, you fill
out a business details questionnaire with basic information about the engagement such as its title, description, and
the commodities, regions, and departments involved. In the second step, you answer questions about its inherent
risk. In the third step, you select the supplier for the engagement, and in the final step, you review the request and
submit it for approval. Depending on your site's configuration, the step for selecting a supplier might be optional.

The questions you answer in the first and second steps match the engagement to one or more of your
organization's risk controls. Each risk control is associated with one or more assessment questionnaires. In some
cases, some of your company's suppliers have already filled one or more of these assessment questionnaires and
some of the required controls are either pending review in another engagement risk assessment project or are
already effective.

Note

Behavior concerning review of risk controls depends on your site's configuration for levels of
risk control effectiveness: the value of parameter Expanded levels of risk control effectiveness
(Application.SR.Engagement.ExpandedLevelsOfRiskControlEffectiveness), introduced with
optional feature ARI-9766.

• If No, risk control decisions can be Effective or Ineffective, so an effective risk control is one for which the
review decision is Effective.
• If Yes, there are five possible levels, ranging from Completely effective to Completely ineffective. In
this case, an ineffective control is one with a review decision of Completely ineffective. A risk control is
considered to be at least somewhat effective if the review decision is any of the other four values.

In the third step of the engagement request, you select a supplier. The Due Diligence section of the supplier
selection page lists the risk controls required for the engagement and the suppliers in your site who match at least
one of them because of a previously started or completed engagement risk assessment. Depending on how your
site is set up, the list might be limited to registered suppliers (suppliers with approved registration projects).

• The Recommended suppliers area shows suppliers who already have unexpired matching controls for all of
the required controls in your current engagement request or who are qualified for all of the commodities you
specify in the first step of your engagement request.
• The Other area shows suppliers who match at least one of the required controls for this engagement request.

For each supplier, these areas show the number of matching controls by effectiveness level. Some controls require
a review in every engagement (engagement-level controls or controls that only have internal assessments). Some
controls only require a review once per supplier (vendor-level controls) or once per combination of supplier
and commodities (service-level controls) as long as their associated questionnaires have not expired. Ineffective
controls always require a new review.

You can use this information about matching controls to choose a supplier based on how quickly and smoothly
they are likely to move through the request approval, assessment, and control review processes to final approval
or denial of your engagement. For example, if a supplier has effective controls for all matching controls, your
engagement request has a higher likelihood of being approved, and after that it moves to final approval or denial
of the engagement. If a supplier has matching controls that are pending review, the assessment and control review
processes are already underway. On the other hand, if you want to work with a particular supplier but they do not
have any matching controls, or most of their matching controls require a review for your engagement, you can
set your expectations appropriately about the amount of time it might take to complete the entire engagement
risk assessment process. If a supplier has one or more ineffective controls, that might be an indicator that your
engagement request, or the engagement itself, is less likely to get approved.

If your site's configuration allows you to submit a request without selecting a supplier, doing so might be useful
if:

• The supplier selection step does not show any recommended or fast-tracked suppliers, or there is no clearly
preferable choice among the recommended suppliers.
• You are just not certain which supplier to choose at this point.
• Your organization has a separate process for identifying the most suitable supplier after the request is
submitted or even approved.
• Your organization's control-based engagement risk assessment process is entirely internal and does not
require the engagement to specify a supplier at all.

Note

When creating an engagement request from a non-catalog purchase requisition, the behavior of the
engagement request editing wizard is somewhat different. In this case:

• Some of the questions in the business details questionnaire are automatically answered based on the
values in the requisition.
• By definition, the supplier for the engagement request matches the one on the requisition.

For more information, see Creating a New Engagement Request Triggered by a Non-Catalog Purchase
Requisition [page 144].

For more information, see Setting Up Your Site to Create Engagement Requests for Non-Catalog Purchases.

Procedure

1. On the dashboard, choose Create Engagement Request.

The engagement request workflow opens on the Engagement details step.


2. Enter basic information about the engagement in the business details questionnaire and click Next.

Note

If the engagement details include a question about the name or title of the engagement, note that
the title must have a maximum length of 255 characters and cannot contain these special characters:
\ / : ? “ < > | # + % &.

The Inherent risk screening step opens.


3. Fill out the inherent risk screening questionnaire and click Next.

The Select supplier step opens.


4. (Optional in sites that allow requesters to submit an engagement request with no supplier selected) Choose
the supplier you want to use for the engagement by performing one of the following actions:
a. To choose a supplier with at least one matching control, click the supplier name.
b. To choose a supplier with no matching controls, search for the supplier name, choose the supplier you
want from the search menu options, and click Set Supplier.
5. Click Review Request.

The Review request step opens.


6. Review the information you provided in the request and click Review in the Control Assessments area to view
any new or already-completed assessments for the required controls. Use the Next and Back buttons at the
top of the page to navigate to previous steps and edit information as needed before returning to this step.
7. Perform one of the following actions:

• To submit the request, click Submit request.


• To save your current answers and complete the request at a later time, click Save.
• To delete the request entirely, navigate back to the first step, the business details questionnaire, and click
Delete.

Results

If you have saved but not submitted the engagement request, it has the status Draft.

If you have submitted the engagement request, it has the status Submitted. The approval process for it depends
on how your company has set up its control-based engagement risk assessment process.

Next Steps

You can view the new engagement request by clicking the Engagement Requests link on the Supplier Risk
dashboard.

If you saved the request in Draft status, click the New Requests tile, then click the name of the request to open it.
If your request is still a draft, you can complete and submit it from here, or you can cancel it if you decide it is no
longer necessary.

If you submitted the request, click the In Progress tile, then click the name of the request to open it and view its
progress. If you submitted the request but the person responsible for sending out assessment questionnaires has
not yet done so, you can still edit it or cancel it. At any time when it is in progress, you can raise or help resolve
issues for the engagement.

After you have submitted the request, approvers review your answers and either approve or deny it.

If you did not select a supplier before submitting the request, you or another stakeholder can edit the request to
add a supplier at any point between your original submission and when the request is approved and the responsible
user sends assessment questionnaires.

After the responsible user sends assessment questionnaires, one of the following things happens:

• If all of the required controls are already effective, final approval for the engagement starts.
• If at least one of the required controls needs to be assessed, the assessment questionnaire recipients receive
email notifications inviting them to fill out and submit the assessment questionnaires.
• If all of the required controls have been assessed, but at least one of them requires a new review for this
engagement, control decision makers start those new reviews.

Related Information

About Risk Controls in SAP Ariba Supplier Risk [page 112]


The Control-Based Engagement Risk Assessment Process [page 114]
How to Add Approvers for a Control-Based Engagement Request or Engagement Risk Assessment Project [page
158]
How to Approve or Deny a Request for a Control-Based Engagement Risk Assessment [page 159]
How to Edit an Engagement Request for a Control-Based Engagement Risk Assessment (Simple Workflow) [page
162]
Canceling an Engagement Request for a Control-Based Engagement Risk Assessment (Simple Workflow) [page
174]
Control-Based Engagement Risk Assessment Status Flow [page 267]

About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]

Creating a New Engagement Request Triggered by a Non-Catalog Purchase Requisition

Follow these steps to create a new engagement request associated with a non-catalog purchase requisition. Your
organization's Risk Engagement Policy might require this based on characteristics of the requisition.

Prerequisites

You must be a member of the Supplier Risk Engagement Requestor group to create an engagement request.

Context

When the characteristics of a non-catalog purchase requisition require that it be linked to an engagement request,
this triggers a unique workflow. Upon checkout, your purchase requisition is compared to your site's Risk
Engagement Policy. If the requisition requires a corresponding engagement request, you can choose to Create
engagement request or Link existing engagement request.

These steps describe interaction with the engagement when you choose to create a new engagement request.

In control-based risk assessment projects, the engagement request involves several steps. In the first step, you fill
out a business details questionnaire with basic information about the engagement such as its title, description, and
the commodities, regions, and departments involved. In the second step, you answer questions about its inherent
risk. In the third step, you select the supplier for the engagement, and in the final step, you review the request and
submit it for approval.

Procedure

1. From the checkout page for the requisition, choose Create engagement request. This takes you to the
business details page at the start of a new engagement request.
2. On the business details page, initial values for the engagement request name, commodity, region, and
department come from the requisition. These values are not editable until after the engagement has been
saved as a draft. Respond to other questions as needed, then choose Next to move to the next page of the
editing wizard.

Tip

The engagement request is saved as a draft when you choose Next or Save on the initial business details
page. After that point, each engagement editing page shows a message indicating this engagement is
linked to a requisition, with a link to Show the requisition. This link allows the requisition's creator to return
to the requisition. They can also navigate back to the engagement using a link on the requisition page.

The Inherent risk screening step opens.


3. Fill out the inherent risk screening questionnaire and click Next.

The Select supplier step opens.


4. The supplier shown here matches the supplier you selected for your non-catalog purchase. You cannot choose
a different supplier because this must match the value on the linked requisition.
5. Click Review Request.

The Review request step opens.


6. Review the information you provided in the request. Use the Next and Back buttons at the top of the page to
navigate to previous steps and edit information as needed before returning to this step.

Tip

At any point before choosing Submit request, you can exit the engagement request without submitting.
• Choose Save to save the engagement request without submitting it for approval.
• Choose Cancel to exit the engagement request without saving any changes made to the draft
engagement on the current page.
• Choose Delete to delete the draft request entirely.
Any of these choices takes you back to your requisition.

7. To submit the request, click Submit request.

Results

If you have submitted the engagement request, you land on the engagement page, which summarizes information
about the engagement request.

• The Linked Events section shows information about the requisition linked to this engagement. From here you
can choose View to open the requisition.
• The approval process for the engagement request depends on how your company has set up its control-based
engagement risk assessment process.

If you have not submitted the engagement request, you land on the requisition page. It shows a link to the
engagement request and indicates that the engagement request has not been submitted.

Next Steps

Once there's an engagement request linked to your requisition, you can navigate back and forth between the
requisition and the engagement request.

• To return from the engagement request to the linked requisition, click the link in the message at the top of the
engagement page.

Note

• If the owner of the requisition chooses the Show the requisition link, they land on the appropriate page
for the requisition, depending on its status.
• If a user who is not the requisition owner chooses that link, the landing location depends on their
permissions within guided buying.

• To navigate from the requisition to the engagement request, click the link on the requisition page.

You can continue the progress of a submitted engagement request by addressing any tasks assigned to you in the
Tasks area of the engagement page.

Check back on your requisition later. There may be related tasks that others need to perform, associated with
the due diligence required to approve engaging with this supplier for your requested purchase. Any activity for the
engagement request is reflected on the requisition page.

| If the Engagement Request Is... | The Result Is... |
| --- | --- |
| Not yet submitted | You (or another authorized user) need to submit the engagement request to trigger any necessary due diligence tasks. |
| In progress (Submitted) | Due diligence is still in progress, so there is no decision yet for the requisition. |
| Completed (Fulfilled) | Due diligence is complete and engaging with this supplier is approved, so your non-catalog purchase can proceed. |
| Denied / Canceled | The engagement remains associated with the original requisition but the purchase cannot proceed. You can try again by creating a new requisition and associating it with a different engagement request. |
| Deleted | The requisition no longer has an associated engagement request. Via checkout, the Create engagement request and Link an existing engagement request buttons are again available. |

Linking an Existing Engagement Request to a Non-Catalog Purchase Requisition

Follow these steps to link an existing engagement request to a non-catalog purchase requisition. Your
organization's Risk Engagement Policy might require this based on characteristics of the requisition.

Context

When the characteristics of a non-catalog purchase requisition require that it be linked to an engagement request,
this triggers a unique workflow. Upon checkout, your purchase requisition is compared to your site's Risk
Engagement Policy. If the requisition requires a corresponding engagement request, you can choose to Create
engagement request or Link existing engagement request.

These steps describe interaction with the engagement when you choose to link an existing engagement request.
For example, other users might have created engagement requests directly in SAP Ariba Supplier Risk that are not
yet linked to any requisition.

Note

Any individual engagement request can only be linked to one requisition.

Procedure

1. From the checkout page for the requisition, choose Link existing engagement request.
2. A popup lists available engagement requests that match your requisition's supplier, commodity, and region,
whose statuses would allow them to be linked.
• Completed status: due diligence activities are complete. This supplier has already been vetted for the
commodity and region matching your purchase request.
• If the engagement request is not completed yet, due diligence activities are in progress. These need to be
completed before your purchase can proceed.
Engagements that are neither in progress nor complete can't be selected so aren't listed here. This includes
engagements with statuses such as Draft, In Edit, or Denied.
3. Use the radio buttons to select the engagement request you want to link, and choose Link.

Results

The engagement page opens, showing a summary of information about the engagement request. Actions you can
take here depend on your permissions within this engagement request. Generally, if you are not its creator and you
do not belong to its project owner group, you can view the information but not make changes.

• At the top of the page is a message indicating that this engagement request is linked to a requisition, with a link
you can use to navigate back to it.
• The Linked Events section shows information about the requisition linked to this engagement. From here you
can choose View to open the requisition.
• If you've linked to an engagement request that is not yet completed: The approval process for an engagement
request depends on how your company has set up its control-based engagement risk assessment process.

Next Steps

Once there's an engagement request linked to your requisition, you can navigate back and forth between the
requisition and the engagement request.

• To return from the engagement request to the linked requisition, click the link in the message at the top of the
engagement page.

Note

• If the owner of the requisition chooses the Show the requisition link, they land on the appropriate page
for the requisition, depending on its status.
• If a user who is not the requisition owner chooses that link, the landing location depends on their
permissions within guided buying.

• To navigate from the requisition to the engagement request, click the link on the requisition page.

You can continue the progress of a submitted engagement request by addressing any tasks assigned to you in the
Tasks area of the engagement page.

If the linked engagement is not in a Completed status, check back on your requisition later. There may be related
tasks that others need to perform, associated with the due diligence required to approve engaging with this
supplier for your requested purchase. Any activity for the engagement request is reflected on the requisition page.

| If the Engagement Request Is... | The Result Is... |
| --- | --- |
| In progress (Submitted) | Due diligence is still in progress, so there is no decision yet for the requisition. |
| Completed (Fulfilled) | Due diligence is complete and engaging with this supplier is approved, so your non-catalog purchase can proceed. |
| Denied / Canceled | The engagement remains associated with the original requisition but the purchase cannot proceed. You can try again by creating a new requisition and associating it with a different engagement request. |

How to Upgrade an Engagement Project to the Latest Template Version

When a new template version is available for control-based engagement risk assessment projects, the engagement
projects need to be updated to the latest template. Project owners are notified about template upgrades by email
notifications if your organization's customer administrator configured them, by their Actions tile if the action
queue is enabled, and by opening the engagement project that needs the template upgrade.

Prerequisites

You must be one of the following:

• The project owner


• A member of the Supplier Risk Engagement Governance Analyst user group
• A member of the Supplier Risk Engagement Requestor user group and a member of the Project Owner
project group
• A member of the Supplier Risk Engagement Expert user group and a member of the Project Owner project
group

Context

When an engagement project is selected for upgrade, the template upgrade activity can be initiated from the
Action menu on the engagement page. On the successful completion of the template upgrade, the engagement
project is moved into an edit (if it was in progress before the upgrade), or into a change request (if it was completed
before the upgrade). Review the business details and inherent risk screening documents, and then submit the
request details, before proceeding. Completing the edit or the change request is required to apply the changes
from the new template to the engagement project.

Procedure

1. Go to the Supplier Risk dashboard, click the Engagement Requests tile, and then click the In Progress or
Completed link.

Tip

If the action queue is enabled, you can click it to go to the engagement project, or you can access the
engagement project through the email notification, if your customer administrator configured them.

2. Locate the engagement project and click its name to open it.

3. Click Action > Upgrade to upgrade to the latest template.

Note

If Upgrade isn’t in the Action menu, the engagement project isn’t available for a template upgrade.

The upgrade could take some time. By default, the template upgrade is processed asynchronously: while it's in
progress, you can take other actions.

Once the upgrade has started, you can't stop it. If the engagement project was in status In Progress before
the upgrade, you can't revert the edit but you can make changes after you complete (submit) the edit. If the
engagement project was in status Completed before the upgrade, you can edit the change request, or you
can complete the change request and then cancel it.

An email notification is sent to the Project Owner project group that the template upgrade was either a
success or failure. If the upgrade failed, repeat step 3 one more time. If the upgrade fails again, the Upgrade
option is no longer in the Action menu and you should contact your administrator to resolve the failure.

When the template is finished upgrading, you’re taken to either the engagement project in edit mode, if it was
in progress before the upgrade, or into a change request if the engagement project was completed before the
upgrade.
4. Review the business details and inherent risk screening documents, and then submit the request details so the
engagement project is updated to the latest template. You need to complete (submit) the edit or complete the
change request (initial and final approval phases) for the template upgrade to be completed.

Note

When the upgrade is complete, you can find the template upgrade activity on the Engagement History
page. Click the Activity date for the template upgrade on the Engagement History page and view the
Activity: Template upgrade summary section. For more information on viewing engagement history, see
Viewing Engagement History [page 130].

Results

An email notification is sent to the Project Owner project group, and the Change Request Owners project group
(if applicable) when the edit or change request created by the template upgrade is completed.

Related Information

Viewing Engagement History [page 130]


Enable asynchronous processing for template upgrade [page 366]

How to Change the Project Owner on the Engagement Page of a Control-Based Engagement Risk Assessment Project

Project owners have a number of important permissions in projects and receive certain email notifications for
project activity. If the people in your organization who manage an engagement risk assessment project over
time are different from the person who requested the engagement, you can change the project owner from the
engagement page.

Prerequisites

The self-service site configuration parameter Enable change project owner action on the engagement page
(Application.SR.Engagement.ChangeOwnerAction) is enabled by default.

To change the project owner of a control-based engagement risk assessment project from the project page, you
must have permission to view its engagement page.

You can only change project owners to a member of the Supplier Risk Engagement Requestor or Supplier Risk
Engagement Governance Analyst group.

Context

By default, the person who creates the project (the requester) is the project owner. The project owner
automatically has special permissions in the project: they can view a control-based engagement risk assessment
project regardless of other permissions, edit the engagement request, and so on. They also always receive certain
email notifications about project activity. You can change the owner of an engagement risk assessment project so
that after the request is submitted, the appropriate person in your organization is the project owner and shows in
the Owner field on the engagement page.

If a user other than the person who creates the project (the requester) is intended to be the project owner, this
change doesn’t take effect until the engagement project is submitted at least once.

Only one person at a time can be the owner of a project. You can also add people to the Project Owner project
group [page 152]. Members of the Project Owner project group can view the project and complete any tasks
assigned to that group but aren’t the actual project owner.

You can’t remove the explicit project owner.

You can change the owner of a control-based engagement risk assessment project from the engagement page
when the project is in any phase, including after the project is finally approved.

Procedure

1. On the Supplier Risk dashboard, click the Engagement Requests link.


2. On the New requests, In progress, or Completed tile, locate the engagement risk assessment project for
which you want to change owners.
3. To open the engagement page, click the project name.

4. Choose Action > Manage team.


5. On the Manage team popup, click the pencil icon next to Engagement owner, search for the person you
want to be the engagement owner and select their name.

Note

If a user profile is deactivated, the user is no longer visible in the Manage team popup.

6. When you’re done, click Save and then Confirm.

Results

On the engagement page, the Requester field continues to show the name of the original requester, but the Owner
field now shows the new project owner. The new owner receives an email notification letting them know that
they’ve been added to the project as an owner. The new owner is also automatically added to the Project Owner
project group. If it didn’t before, the engagement risk assessment project now shows in the Engagement Requests
area of their Supplier Risk dashboard.

If your site uses a dedicated assignee project group for issue management projects, when someone creates
an issue for a control-based engagement risk assessment project, the current membership of its Project
Owner project group is automatically copied to the issue assignee project group in addition to any template-
defined membership. This copy is a one-time operation at issue creation. There’s no ongoing synchronization in
membership between the engagement risk assessment Project Owner group and assignee groups in its associated
issues management projects.

If you or another user wants to change project owners again, you can do so anytime.

Related Information

How to Manage Team Membership of the Project Owner Group in a Control-Based Engagement Risk Assessment
Project [page 152]
About requesters, project owners, and members of the Project Owner and Change Request Owners project teams
[page 133]

How to Manage Team Membership of the Project Owner Group in a Control-Based Engagement Risk Assessment Project

Members of the Project Owner project group on the project team of a control-based engagement risk assessment
project can view the engagement and complete any tasks assigned to that group.

Prerequisites

The self-service site configuration parameter Enable manage project team action on the engagement page
(Application.SR.Engagement.ManageProjectTeamAction) is enabled by default.

To add or remove a team member or global user group in the Project Owner project group of a control-based
engagement risk assessment project from the engagement page, you must have permission to view it.

You can add or remove any global user group or any member of the following groups from the Project Owner
project group:

• Supplier Risk Engagement Requestor


• Supplier Risk Engagement Governance Analyst
• Supplier Risk Engagement Expert
• Supplier Risk Engagement Analyst

Context

Members of the Project Owner project group can view a project regardless of their other permissions. Depending
on how your control-based engagement risk assessment process is set up, they might also be approvers, task
owners, or have other roles in the project. Depending on how issue management projects are set up in your site,
members of the Project Owner group of a control-based engagement risk assessment project might also become
assignees for any issues created for it.

You can add or remove team members and global user groups in the Project Owner group of a control-based
engagement risk assessment project when it is in any phase, including after the project is finally approved.

Note

Users can’t remove themselves (the currently logged in user), or the explicit project owner.

Adding or removing a global user group adds or removes only that group. Example: USER_A is a team member of the
Project Owner group individually, and is also a member of the GROUP_B global user group. If GROUP_B is removed
from the Project Owner group, the individual team member, USER_A, isn’t removed. Only the GROUP_B global
user group is removed.

If a user profile is deactivated, the user is no longer visible in the Manage team popup.

Procedure

1. On the engagement page, choose Action > Manage team.

2. On the Manage team popup, click the pencil icon next to Project team, search for the people or global
user groups that you want to add to the Project Owner group, and select them. Uncheck those that you want
to remove.
3. When you’re done, click Save and then Confirm.

Results

The team members you added to the Project Owner group of the engagement risk assessment project can
perform any tasks assigned to that group. They receive an email notification letting them know that they’ve been
added to the Project Owner group in the project. If it didn’t before, the engagement risk assessment project now
shows in the Engagement Requests area of their Supplier Risk dashboards.

The team members you removed from the Project Owner group of the engagement risk assessment project no
longer have any of the permissions associated with the Project Owner group. They receive an email notification
letting them know that they’ve been removed from the Project Owner group in the project.

If your site uses a dedicated assignee project group for issue management projects, when someone creates an
issue for a control-based engagement risk assessment project, the current membership of its Project Owner
project group is automatically copied to the issue assignee project group in addition to any template-defined
membership. This copy is a one-time operation at issue creation.

You can add or remove team members or global user groups in the Project Owner group at any time. Note that
there currently is no ongoing synchronization in membership between the engagement risk assessment Project
Owner group and assignee groups in its associated issues management projects after an issue is created.
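The two rules above (removing a global user group leaves individually added members in place, and the copy to the issue assignee group happens once with no later synchronization) can leave issue assignees who no longer hold Project Owner access. The following is an added example, not SAP Ariba code or an SAP Ariba API: a small model of those rules with a drift check you could run over exported membership lists. All names except USER_A and GROUP_B are constructed, and copying entries as-is at issue creation is an assumption.

```python
from dataclasses import dataclass, field

# Constructed directory of global user groups (only USER_A and GROUP_B come from the page).
DIRECTORY = {"GROUP_B": {"USER_A", "USER_C"}}


@dataclass
class ProjectGroup:
    """A project group holds individual users and global user groups as separate entries."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)

    def effective_members(self, directory):
        """Everyone who holds the group's permissions, directly or through a global group."""
        members = set(self.users)
        for name in self.groups:
            members |= directory.get(name, set())
        return members

    def remove_group(self, name):
        """Removing a global group drops only that entry; individual entries stay."""
        self.groups.discard(name)


def copy_at_issue_creation(owner_group, template_users=()):
    """One-time copy into the issue assignee group (assumption: entries are copied as-is)."""
    return ProjectGroup(
        users=set(owner_group.users) | set(template_users),
        groups=set(owner_group.groups),
    )


def membership_drift(owner_group, assignee_group, template_users, directory):
    """Compare an issue's assignee group against the current Project Owner group.

    stale:   people who still reach the issue but no longer hold owner-group access
    missing: people added to the owner group after the issue was created
    Template-defined assignees are expected and excluded from 'stale'.
    """
    owners = owner_group.effective_members(directory)
    assignees = assignee_group.effective_members(directory)
    return {
        "stale": sorted(assignees - owners - set(template_users)),
        "missing": sorted(owners - assignees),
    }


def run_scenario():
    """Create an issue, then change the owner group, and report the resulting drift."""
    owner = ProjectGroup(users={"USER_A", "USER_D"}, groups={"GROUP_B"})
    template = {"USER_T"}  # constructed template-defined assignee
    issue = copy_at_issue_creation(owner, template)

    # Later changes made through the Manage team popup on the engagement page.
    owner.remove_group("GROUP_B")
    owner.users.discard("USER_D")
    owner.users.add("USER_E")

    return owner, issue, membership_drift(owner, issue, template, DIRECTORY)


if __name__ == "__main__":
    owner, issue, drift = run_scenario()
    print("owner group now:", sorted(owner.effective_members(DIRECTORY)))
    print("issue assignees:", sorted(issue.effective_members(DIRECTORY)))
    print("drift:", drift)
```

Entries reported as stale are candidates for manual removal from the issue's assignee group, since nothing removes them automatically.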

Related Information

About requesters, project owners, and members of the Project Owner and Change Request Owners project teams
[page 133]
How to Change the Project Owner on the Engagement Page of a Control-Based Engagement Risk Assessment
Project [page 150]
How to Manage Team Membership of the Change Request Owners Project Group [page 156]

Viewing and Managing Your Tasks for an Engagement Risk Assessment Project

You can see and manage all of your tasks in a control-based engagement risk assessment project in one place using
the engagement task list.

If the enhancements to engagement task management feature (ARI-6919) is enabled in your site, there is an
engagement task list for every engagement risk assessment project in which you own uncompleted tasks either
through assignment to you as an individual or because you are a member of a project group that owns the task.

To open the task list for an engagement project, click the number of your tasks or group tasks in the My tasks/
Group tasks column of the dashboard engagement list. That column shows the number of uncompleted tasks that
are assigned to you individually and the number of uncompleted tasks that are assigned to project groups to which
you belong, separated by a forward slash (/).

Note

If you are a member of the Supplier Risk Engagement Governance Analyst group and you are not assigned to
a task individually or as a member of another group, the 0 for Group tasks is a link. This allows you to see a list
of all tasks for the engagement.

In the engagement task list, tasks are organized on four tabs:

| This Tab... | Shows These Tasks... |
| --- | --- |
| Due within 7 days | Uncompleted tasks that are overdue or are due within the next 7 days. Tasks can only appear on this list if they are configured with due dates in the project template. |
| My tasks | Uncompleted tasks that are assigned to you as an individual. |
| Group tasks | Uncompleted tasks that are assigned to a project group of which you are a member. If you belong to the Supplier Risk Engagement Governance Analyst group, this tab shows all tasks in the engagement. |
| Completed | Completed tasks to which you are assigned either as an individual or a member of a project group. |

Note that the same task can show on both the Due within 7 days tab and either the My tasks tab or the Group
tasks tab.

Once a task is active, you can perform the following actions on it from the engagement task list:

| Action | To Do Tasks | Control Review Tasks | Approval Tasks |
| --- | --- | --- | --- |
| View the task by choosing View this task on the action menu | X | X | X |
| Start the task by choosing Start this task on the action menu | X | X | |
| Approve or deny the engagement request, a supplemental engagement questionnaire, the overall engagement project, or (in sites that use the advanced archiving workflow) an archive request by choosing Approve/Deny on the action menu | | | X |
| Assign or reassign the task to yourself [page 188] by choosing Assign to me on the action menu | X (To Do tasks on questionnaires in the engagement project only) | X | |
| Assign or reassign the task [page 188] to another person in your organization or back to the project group that owns the task by choosing Assign on the action menu | X (To Do tasks on questionnaires in the engagement project only) | X | |

Note

Since the To Do task for sending assessments is a standalone To Do task rather than a To Do task on an
engagement project questionnaire, you cannot assign it.

Tip

If you are a member of the Supplier Risk Engagement Governance Analyst group, you have permission to see
all engagements and to assign or reassign all eligible tasks, even if you are not a task owner or control decision
maker for them. The task counts in the My tasks/Group tasks column reflect your ownership of tasks, but you
can always access the full list of tasks available for you to assign.

Example

If you do not own any tasks, you see a task count of 0/0 in the My tasks/Group tasks column. In this
case, the 0 for Group tasks is a link. When you click on it, the engagement task list shows all tasks for the
engagement.

If your user owns one task but no tasks are assigned to you as a group member, the task count would be
1/0. In this case, both 1 and 0 would be links.

Clicking the navigation icon returns you to the dashboard engagement list.

Related Information

How to Assign or Reassign a Control Review or Questionnaire To Do Task for an Engagement [page 188]
Using the Action Queue [page 124]
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]

How to Manage Team Membership of the Change Request Owners Project Group
Members of the Change Request Owners project group are the only users who can cancel a change request in
progress for a control-based engagement risk assessment project. They can view the engagement and complete
any tasks assigned to that group.

Prerequisites

To enable adding or removing team members or global user groups in the Change Request Owners project
group from the engagement page, a member of the Customer Administrator group in your organization must
enable the change request feature using the self-service site configuration parameter Allow change requests
(Application.SR.Engagement.AllowChangeRequest). For information about how to manage parameters,
see Intelligent Configuration Manager Administration.

To add or remove team members in the Change Request Owners group of a control-based engagement risk
assessment project from the project page, you must be both of the following:

• A member of the Project Owner or Change Request Owners project group for the engagement project
• A member of the Supplier Risk Engagement Requestor user group

The following global user groups, or individual users belonging to any of them, are eligible to be added to the
Change Request Owners project group:

• Supplier Risk Engagement Requestor
• Supplier Risk Engagement Governance Analyst
• Supplier Risk Engagement Expert
• Supplier Risk Engagement Analyst

Context

Members of the Change Request Owners project group can view an in-progress change request regardless of
their other permissions. Depending on how your control-based engagement risk assessment process is set up,
they might also be approvers, task owners, or have other roles in the project. Depending on how issue management
projects are set up in your site, members of the Change Request Owners group of a control-based engagement
risk assessment project might also become assignees for any issues created for it.

You can add or remove team members and global user groups in the Change Request Owners group of a
control-based engagement risk assessment project in any phase.

Note

Users can’t remove themselves (the currently logged in user), the user who created the change request, or the
"on behalf of" user if one was specified.

Adding or removing a global user group adds or removes only that group. Example: USER_A is a team member of
the Change Request Owners group individually, and is also a member of the GROUP_B global user group. If
GROUP_B is removed from the Change Request Owners group, the individual team member, USER_A, isn’t
removed. Only the GROUP_B global user group is removed.

If a user profile is deactivated, the user is no longer visible in the Manage team popup.

Procedure

1. On the engagement page, choose Action > Manage team.
2. On the Manage team popup, click the pencil icon next to Change request team, search for the people or
global user groups that you want to add to the Change Request Owners group, and select them. Uncheck
those that you want to remove.
3. When you’re done, click Save and then Confirm.

Results

The team members you added to the Change Request Owners group of the engagement risk assessment
project can perform any tasks to which that group is assigned. They receive an email notification letting them know
that they've been added to the Change Request Owners group in the project. If it didn’t before, the engagement
risk assessment project now shows in the Engagement Requests area of their Supplier Risk dashboards.

The team members you removed from the Change Request Owners group of the engagement risk assessment
project no longer have any of the permissions associated with the Change Request Owners group. They receive
an email notification letting them know that they’ve been removed from the Change Request Owners group in
the project.

How to Add Approvers for a Control-Based Engagement Request or Engagement Risk Assessment Project
Depending on its setup, an engagement request or an entire control-based engagement risk assessment project
might allow certain people to add ad hoc approvers based on their judgment of the current project's requirements
rather than using a template-defined approval flow.

Prerequisites

You can only add approvers to a control-based engagement request or engagement risk assessment project if there
are no approvers defined for the relevant task in the template.

Context

When an approval task for an engagement request has no approver assigned via the engagement template, the
following users can add "ad hoc" approvers:

• A user belonging to the Supplier Risk Engagement Governance Analyst group
• A member of the Project Owner project group for the engagement

You can add either individual users or system user groups such as Supplier Risk Engagement Expert as approvers.
If you choose a user group, the first member of the group to respond completes the approval task. If you select
multiple users or groups, they are all added as parallel approval nodes in the approval flow.

You can also use this procedure to add reviewers to review tasks for which there is no review flow defined in the
template. However, note that this information applies only to review tasks that a template creator has added to
the control-based engagement request process. It does not apply to risk control effectiveness reviews, which are
always automatically assigned to the decision maker for the control.

Procedure

1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, locate the engagement, and click its name.
2. Locate the engagement and click its name.
3. In the Pending Tasks list, locate the approval task and click Add Approvers.
4. To locate the approvers you want to add, enter group or user names in the Search field.
5. Check the users and groups you want to add.
6. Click Update.

Results

The users or user groups are added to the approval flow for the current task. When the task starts, those users,
or the individual members of those user groups, receive notifications that they need to approve the engagement
request or the entire control-based risk assessment project.

Related Information

The Control-Based Engagement Risk Assessment Process [page 114]
Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140]
How to Review a Pending Control for Effectiveness Using the Control Review Page [page 228]
How to Approve or Deny a Control-Based Engagement Risk Assessment Project [page 204]
How to Approve or Deny a Request for a Control-Based Engagement Risk Assessment [page 159]

How to Approve or Deny a Request for a Control-Based Engagement Risk Assessment
If you are in the approval flow for an engagement request in a control-based engagement risk assessment project,
you can approve or deny it.

Context

Once a requester submits an engagement request and its approval flow starts, it has In Progress status for the
request approval phase.

As the approver, if you believe that an engagement request requires further investigation or mitigation, in addition
to denying it, you also have the option of approving it but raising an issue for it.

Procedure

1. Perform one of the following actions:

• Click the link in the approval task email notification to open the engagement request.
• Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, locate the engagement, and click its name.
2. In the Request Details area, review the answers to the engagement request filters questionnaire and the
inherent risk screening questionnaire in the engagement request.
3. In the Pending Tasks list, for the approval task, click Approve/Deny.

4. In the top right corner of the page, perform one of the following actions:

• To approve the request, click Approve.
• To deny the request, click Deny.
5. Enter a comment to the requester explaining your reasons and click Confirm approval or Confirm denial.

Results

If you are the final approver and you approve the request, the control-based risk assessment project moves
to In Progress status for the evidence and control phase and the assigned person in your organization sends
questionnaires related to the engagement's required controls to suppliers. If you deny the request, it moves to
Request Denied status and no further action can be taken.

Note

If you are using the basic approval workflow, after completing the Request Approval phase, the engagement
request moves immediately to Completed status.

Next Steps

If the request is denied, and you are either an approver or a member of the Supplier Risk Engagement
Governance Analyst group, you can resubmit the approval. Resubmitting the approval restarts the approval flow
from the beginning so that approvers can make a different decision. To resubmit the approval, on the engagement
page, click View to open the approval task details page, then click Resubmit.

You can only resubmit the approval for a denied engagement request. If the request is approved and you no longer
believe it is needed, someone in your organization who has the appropriate permissions can cancel it [page 174]
instead.

Related Information

The Control-Based Engagement Risk Assessment Process [page 114]
Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140]
How to Add Approvers for a Control-Based Engagement Request or Engagement Risk Assessment Project [page 158]
Sending Assessment Questionnaires for a Control-Based Engagement Risk Assessment Project (Simple Workflow) [page 177]
How to Review a Pending Control for Effectiveness Using the Control Review Page [page 228]
How to Approve or Deny a Control-Based Engagement Risk Assessment Project [page 204]
Control-Based Engagement Risk Assessment Status Flow [page 267]

How to Change the Supplier Contact on the Engagement Page (Simple Workflow)
The recipient of external assessment questionnaires and notifications can be changed on the engagement page in
control-based engagement risk assessment projects using the simple workflow. Changing the recipient doesn't add
or remove any of the supplier's existing contacts.

Prerequisites

The advanced send assessments workflow self-service parameter, Enable advanced send assessment workflow
for engagement projects (Application.SR.Engagement.EnableAdvancedSendAssessment), must not be
enabled in your site.

To change the recipient of assessment questionnaires for a control-based engagement risk assessment, you must
be the owner of the To Do task for triggering the evidence and control process in the project.

Context

You can change the recipient of external assessment questionnaires on the engagement page if you're using the
simple workflow for sending assessments.

After the assessments are sent out, the recipient can only be changed by updating the request in a modular
questionnaire.

Procedure

1. On the Supplier Risk dashboard, click Engagement requests.
2. Click the name of your engagement request.
3. Click the Change recipient button in the Supplier section.

Tip

The button is grayed out if the assessments have already been sent, or if there's no contact to change.

4. In the Change recipient popup, select the supplier contact that you want to receive the assessments.

Tip

If there isn't a primary contact for the supplier, an external assessment isn't sent.

5. Click OK.

Results

The selected supplier recipient appears as the Recipient name in the Supplier section on the engagement page.

When the external assessment is sent, the selected supplier recipient appears as the Assignee in the Risk
Assessments section on the engagement page.

How to Edit an Engagement Request for a Control-Based Engagement Risk Assessment (Simple Workflow)
As a project owner or governance expert in a site configured without advanced editing and canceling, you can edit
an engagement request for which external assessments have not been sent. In some cases this can include adding
or changing the engagement supplier.

Prerequisites

To edit a submitted or approved engagement request, you must be the project owner, a member of the Project
Owner project group, or a member of the Supplier Risk Engagement Governance Analyst group.

Context

This simple editing procedure applies to sites not configured for advanced editing and canceling. In this case, you
can edit an engagement request when it is in Submitted or Pending Assessment status. Once the responsible user
has sent at least one assessment for the required controls and the control-based engagement risk assessment
project has moved to In Assessment status, you can no longer edit the engagement request.

If your site configuration allows the requester to submit the request with no supplier selected, and your
organization's processes require that the supplier eventually be added to the engagement, you can do so, up until
the first assessment is sent, by editing the request.

Procedure

1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, locate the engagement, and click its name.

2. In the upper right corner of the engagement page, choose Action > Edit Request.
3. Use the Next and Back buttons to navigate to different steps of the request and edit information as needed.

4. Navigate to the final review step and click Submit request.

Results

Depending on the changes you made and your organization's control-based engagement risk assessment process,
the request might now be fast-tracked for final approval, require assessment for more or fewer required risk
controls, or see no changes.

Related Information

The Control-Based Engagement Risk Assessment Process [page 114]
Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140]
How to Add Approvers for a Control-Based Engagement Request or Engagement Risk Assessment Project [page 158]
How to Approve or Deny a Request for a Control-Based Engagement Risk Assessment [page 159]
Canceling an Engagement Request for a Control-Based Engagement Risk Assessment (Simple Workflow) [page 174]
Control-Based Engagement Risk Assessment Status Flow [page 267]
How to Edit an Engagement Request for a Control-Based Engagement Risk Assessment (Advanced Workflow) [page 163]
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]

How to Edit an Engagement Request for a Control-Based Engagement Risk Assessment (Advanced Workflow)
As a project owner or governance expert in a site configured for advanced editing and canceling, you can edit an
engagement request to add or change details at any point before final approval. In some cases this can include
adding or changing the engagement supplier.

Prerequisites

To edit an engagement request:

• You must be the project owner, a member of the Project Owner project group, or a member of the Supplier
Risk Engagement Governance Analyst group.
• The request must not be in In Edit status with a different user. If a request was saved during the edit process,
editing of that request can only be continued by the original editor.

Context

This advanced editing procedure applies to sites configured for advanced editing and canceling. In this case, you
can edit an engagement request at any point before final approval, including requests that were denied.

Previously submitted requests change to status In Edit until they are re-submitted. While a request is in In Edit
status:

• Assessments cannot be sent.
• Evidence collection and control review tasks for the request can proceed.

Procedure

1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, locate the engagement, and click its name.

2. In the upper right corner of the engagement page, choose Action > Edit request. A confirmation message
lists general rules of the editing process, and requires entry of Reason text to continue.
3. Use the Next and Back buttons to navigate to different steps of the request and edit information as needed.
When editing a previously submitted request:
• Changes to business details may cause screening questions to be added or removed. When you click Next
after making such changes, business detail changes are saved and the number of questions added and
removed is noted on the Inherent Risk Screening Questions page.
• Changed answers to the Inherent Risk Screening Questions may cause risk controls to be added or
removed. When you click Next after making such changes, changes are saved and the number of controls
added and removed is noted on the supplier selection page.
• On the supplier selection page:
• If this request already has a supplier but external assessments have not been sent, you can change the
supplier.
• If this request has a supplier and external assessments have already been sent, you cannot change the
supplier.
• If your configuration allows this, the request being edited may not already have a supplier: in this case,
you can select a supplier during edit.
• Each section of the Review Request page highlights additions and changes. Completed tasks that are no
longer relevant are shown on a Withdrawn tasks tab in that section of the review page.
4. If you need to exit an In Edit request without submitting it, you can:
• Choose Save at any point to save your changes without submitting. The request is included in the list of In
Process engagement requests, with status In Edit.
• To continue editing, the same user can return to Step 1 and re-open the request, with a choice to
continue editing or to open the summary page for the engagement request.
• Other authorized users can view a request whose status is In Edit, and complete tasks other than
Send Assessments in the due diligence workflow, but they cannot take over the editing.
• Choose Revert Edit to undo all changes made while this request has been in In Edit status. If you click OK
to the confirmation message, the request reverts to its pre-edit state.
5. Navigate to the final review step and click Submit request.

Results

Depending on the changes, any tasks that have progressed during the edit, and your organization's control-based
engagement risk assessment process, appropriate tasks are activated and corresponding notifications are sent.

For a more detailed discussion of how tasks, assessments, and controls are treated during edit and after the edited
engagement request is re-submitted, see Treatment of tasks, controls, and assessments during and after edit in
About Editing a Previously Submitted Engagement Request (Advanced Editing Only) [page 165].

Related Information

The Control-Based Engagement Risk Assessment Process [page 114]
Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140]
How to Add Approvers for a Control-Based Engagement Request or Engagement Risk Assessment Project [page 158]
How to Approve or Deny a Request for a Control-Based Engagement Risk Assessment [page 159]
Canceling an Engagement Request for a Control-Based Engagement Risk Assessment (Advanced Workflow) [page 175]
Control-Based Engagement Risk Assessment Status Flow [page 267]
How to Edit an Engagement Request for a Control-Based Engagement Risk Assessment (Simple Workflow) [page 162]
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]

About Editing a Previously Submitted Engagement Request (Advanced Editing Only)
An engagement request can only be edited by one user at a time. Significant changes to an engagement request
may cause downstream effects such as adding new controls, removing controls for which assessments might
already have been sent, or reactivating approval tasks.

This topic applies only to sites configured for advanced editing and canceling of engagement requests.

Working with a Request That Is Currently Being Edited

The following table summarizes actions users can take for an engagement request whose status is In Edit.
Generally, all existing tasks associated with the request can continue, with the exception that assessments cannot
be sent.

| Action | Editor of the Request | Other Assigned User with Permissions |
| --- | --- | --- |
| Save during edit | Yes | Not applicable - only one editor |
| Reopen a saved In Edit request for further editing | Yes (upon opening, can choose to edit or to view summary page) | No (upon opening, sees the summary page only) |
| Send assessments | No user can send assessments while an engagement request is being edited | No user can send assessments while an engagement request is being edited |
| Complete approval tasks assigned to this user | Yes | Yes |
| Complete internal assessments assigned to this user that were sent before the request was opened for editing | Yes | Yes |
| Complete control review tasks assigned to this user | Yes | Yes |

Significance of Changes

When you submit an edit to an engagement request, the proposed changes are evaluated for significance.

• An engagement request has significant changes when they result in the addition of one or more controls.
• If you change the response for an attribute or question defined in the project template with the supplier field
mapping project.reapprove, this change is considered insignificant requiring approval.
• Removal of a control can be considered significant or insignificant requiring approval,
depending on the setting for the parameter Treat control removal as a significant change
(Application.SR.Engagement.TreatControlRemovalAsSignificant) [page 404].
• Changes to the request are considered insignificant when they do not result in addition or removal of controls.
• A change of supplier is always treated as a significant change, even if no controls are added or removed.
• If a new commodity was added, triggering re-review for a service-type control specifically for this new service,
this is not the addition of a control and thus is not considered a significant change. The new service alone does
not re-trigger the approval task.

The result of this evaluation affects the downstream due diligence tasks for the engagement request. When the
edited request is submitted:

• If the changes are significant, all approval tasks for the engagement request are reactivated.
• If the changes are insignificant requiring approval, the Request Approval phase is reactivated. Which tasks
within that phase are reactivated depends on the setting for the parameter Reopen all initial approval phase
tasks for insignificant changes requiring approval
(Application.SR.Engagement.ReopenAllInitialApprovalPhaseTasksForInsignificantChangesRequiringApproval) [page 394].
• If the changes are insignificant:
  • If the engagement request was previously denied, all approval tasks are reactivated.
  • Otherwise, approval tasks are not reactivated.
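The significance rules above, written as a small decision function so that you can check which kinds of edit reopen approvals under a given setting of the control-removal parameter. This is an added example, not SAP code: the EditSummary field names, the Reactivation labels, and the rule that the strongest category wins when one edit combines several changes are assumptions.

```python
from dataclasses import dataclass
from enum import Enum, IntEnum


class Significance(IntEnum):
    """Categories named in this topic, ordered so max() picks the strongest."""
    INSIGNIFICANT = 0
    INSIGNIFICANT_REQUIRING_APPROVAL = 1
    SIGNIFICANT = 2


class Reactivation(Enum):
    NONE = "approval tasks are not reactivated"
    REQUEST_APPROVAL_PHASE = "Request Approval phase is reactivated"
    ALL_APPROVAL_TASKS = "all approval tasks are reactivated"


@dataclass(frozen=True)
class EditSummary:
    """Net effect of one submitted edit. Field names are illustrative."""
    controls_added: int = 0
    controls_removed: int = 0
    supplier_changed: bool = False
    reapprove_field_changed: bool = False  # field mapped to project.reapprove
    commodity_added: bool = False          # re-review of a service-type control only


def classify(edit: EditSummary, removal_is_significant: bool) -> Significance:
    """Classify an edit. removal_is_significant mirrors the setting of
    Application.SR.Engagement.TreatControlRemovalAsSignificant."""
    found = [Significance.INSIGNIFICANT]
    if edit.controls_added > 0 or edit.supplier_changed:
        found.append(Significance.SIGNIFICANT)
    if edit.controls_removed > 0:
        found.append(Significance.SIGNIFICANT if removal_is_significant
                     else Significance.INSIGNIFICANT_REQUIRING_APPROVAL)
    if edit.reapprove_field_changed:
        found.append(Significance.INSIGNIFICANT_REQUIRING_APPROVAL)
    # commodity_added contributes nothing: it is not the addition of a control.
    # Assumption: when one edit combines several changes, the strongest wins.
    return max(found)


def reactivation(level: Significance, previously_denied: bool) -> Reactivation:
    """Map the category to what happens to approvals when the edit is submitted."""
    if level is Significance.SIGNIFICANT:
        return Reactivation.ALL_APPROVAL_TASKS
    if level is Significance.INSIGNIFICANT_REQUIRING_APPROVAL:
        # Which tasks inside the phase reopen depends on a second parameter;
        # the topic does not describe the previously-denied case here.
        return Reactivation.REQUEST_APPROVAL_PHASE
    return (Reactivation.ALL_APPROVAL_TASKS if previously_denied
            else Reactivation.NONE)


def evaluate(edit, removal_is_significant, previously_denied=False):
    level = classify(edit, removal_is_significant)
    return level, reactivation(level, previously_denied)


# Constructed sample edits, one per rule in the list above.
SAMPLE_EDITS = {
    "control added": EditSummary(controls_added=1),
    "control removed": EditSummary(controls_removed=1),
    "supplier changed": EditSummary(supplier_changed=True),
    "project.reapprove answer changed": EditSummary(reapprove_field_changed=True),
    "commodity added only": EditSummary(commodity_added=True),
    "no control impact": EditSummary(),
}

if __name__ == "__main__":
    for flag in (True, False):
        print(f"Treat control removal as significant = {flag}")
        for name, edit in SAMPLE_EDITS.items():
            level, action = evaluate(edit, flag)
            print(f"  {name:34} {level.name:34} {action.value}")
```

With the parameter off, the "control removed" row drops from all approval tasks to the Request Approval phase only, which is the setting to check when dropped controls must always go back through every approver.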

Audit Trail Information Captured

Changes made to the engagement request are captured for auditing purposes.

For engagement request edits, the information captured includes:

• Editing user and the Reason comment entered at the start of the edit
• Timestamp when request was opened for edit
• Business detail changes
• Inherent risk screening questions added and removed
• Changed responses to Inherent risk screening questions
• Risk controls and assessments added and removed
• Changes to supplier selection
• If the edit is canceled (reverted), this action is captured with a timestamp.

When an engagement request is canceled, the information captured includes:

• Details of the canceled request
• User who canceled the request and the Reason comment entered for the cancelation.

Treatment of Tasks, Controls, and Assessments During and After Edit

When you edit a previously submitted engagement request, the associated tasks, controls, and assessments may
be affected by the changes. The following table summarizes the treatment of existing, new, and removed tasks,
assessments, and controls through the editing process.

| Type of Task | Approvals | Send Assessments | Evidence Collection | Control Review |
| --- | --- | --- | --- | --- |
| Existing tasks: start of editing | Current task statuses are captured. Send assessments task deactivated. | Current task statuses are captured. Send assessments task deactivated. | Current task statuses are captured. Send assessments task deactivated. | Current task statuses are captured. Send assessments task deactivated. |
| Existing tasks: during edit | All open tasks can proceed. | Send assessments is deactivated and so cannot proceed. | All open tasks can proceed, so if assessments were already sent, suppliers can submit evidence. | All open tasks can proceed. |
| Existing tasks: upon re-submit | Approval tasks may be reactivated, and notifications sent to approvers, depending on the significance of the changes to the engagement request. | If there are (new or previously existing) assessments to be sent, the Send Assessments task is reactivated, and notification is sent to the user assigned to the Send Assessments task. | Evidence collection tasks have the same status as before the edit, or the status corresponding to any activity that has taken place during the edit. Evidence already collected is retained. | Engagement-type controls: re-trigger control review tasks. Service-type controls: If a new commodity was added and control did not already have an effectiveness status for it: trigger control review for this commodity. Vendor-type controls: If review pending: remains active during edit. If previously reviewed and not pending: not reactivated, even if changes to the engagement request were significant. If already reviewed, control review status is retained. |
| Added controls, assessments, and tasks | Not applicable: Approval tasks and the Send Assessments task were created when the engagement request was originally submitted | Not applicable: Approval tasks and the Send Assessments task were created when the engagement request was originally submitted | Added assessments, controls, and their related tasks are processed as appropriate, similar to a new engagement request. | Added assessments, controls, and their related tasks are processed as appropriate, similar to a new engagement request. |
| Controls, assessments, and tasks no longer relevant to the changed engagement request | Not applicable: Approval task may be reactivated in response to changes, but not removed. | Not applicable: Send Assessment task may be reactivated in response to changes, but not removed. | Removed assessments are no longer visible in the Assessments area of the engagement page. If the assessment is not required for any other engagement request, the related task is Withdrawn and appears on that tab. Notification is sent to the supplier. If the assessment is still required for another engagement request, it is retained and visible on summary pages for those engagement requests. | Removed controls are no longer visible in the Controls area of the engagement page. If the control is not required for any other engagement request, the related control review task is Withdrawn and appears on that tab. If the control is still required for another engagement request, this task is retained and visible on summary pages for those engagement requests. Corresponding notifications sent to stakeholders. |

Related Information

How to Edit an Engagement Request for a Control-Based Engagement Risk Assessment (Advanced Workflow)
[page 163]

About Working with an Engagement While Updates Are in Process
If change processing for an engagement does not complete immediately, visual cues indicate its state and offer
guidance for what you can do next.

Certain actions on an engagement require processing to handle results of the action. For example, after you
Submit request for an engagement edit that involves a significant change, the system might need to reactivate a
number of phases and tasks. During this time, interaction with the engagement is limited so that users can't make
additional changes that conflict with the ones being processed.

Note

The behavior described below relies on two parameters, both enabled by default. If a Customer Administrator
has disabled one or both, the corresponding visual feedback described in this topic does not apply.

Parameter: Manage user interactions during send assessments processing (Application.SR.Engagement.SendAssessmentsProcessingBehavior)
Description: Enables the changes to the user interface and behavior related to the Send Assessments task.

Parameter: Manage user interactions during update processing (Application.SR.Engagement.UpdateProcessingBehavior)
Description: Enables the changes to the user interface and behavior related to other actions such as submitting a new or edited engagement request.

If the update processing is not virtually immediate, visual cues and informational messages on the engagement
page describe the state of the engagement or one of its tasks after you

• Submit an engagement request, change request, or review, or an edit to one of these projects
• Start the Send Assessments task
• Select Action > Cancel request, Cancel change request, or Cancel review
• Process a task on the engagement, such as To Do, approval, or control review.

You also might see them when you first open an engagement, if someone else has recently taken one of these
actions.

The indicators include:

• A descriptive badge next to the title of the engagement
• A banner message at the top of the engagement page
• Changes in the enablement status of the Action menu
• (For task processing) The word Processing to the right of the task, in place of the Start button

They describe the state of the engagement or task

• While updates are in process: to clarify why, for example, some Action menu choices are disabled.

• When the updates are complete: at this point you may need to Refresh the page for current information, or
Retry if the updates failed for some reason.

Table 5: Engagement Page Appearance During Update Processing

While Processing: Send assessments task
Visual Change Is:
• Badge next to engagement name: Processing Send Assessments task
• The word Processing replaces the Start button for the task
Users Are Prevented From:
• Editing an engagement request
• Canceling an engagement, change request, or review

While Processing:
• Submit request or Submit review for a new or edited engagement request, change request, or review
• An Action menu item such as Cancel review
Visual Change Is:
• Engagement status and badge next to engagement name both say: Processing Changes
Users Are Prevented From:
• Completing tasks
• Using the Action menu

While Processing: A task listed in the Tasks area of the engagement page
Visual Change Is:
• The word Processing replaces the Start button for the task
Users Are Prevented From:
• Interacting with that task

After Processing Completes

When processing completes for a task listed in the Tasks area:

• The task disappears from the Pending tasks tab and is listed on the Completed tasks tab.
• The Processing notation for the task is replaced with a View button, allowing you to see the history of that task.
• You can use the Refresh Status link at the top of the Tasks list to refresh this area with current information.

When processing completes for Send Assessments or other engagement-level actions:

• The Status field reflects the current state of the engagement.
• The Processing Changes or Processing Send Assessments task badge disappears.
• (If you opened the engagement or remained on the engagement page while updates were in process) A banner
message appears at the top of the screen. The message includes a Refresh Status link you can use to show the
current information.

Related Information

Manage user interactions during send assessments processing [page 388]
Manage user interactions during update processing [page 389]

Managing an Engagement After an Update Processing Error
When you take action on an engagement request, such as submitting, editing, or canceling, this might require
updates to tasks and controls. If the updates don't finish successfully, an authorized user can retry the action.

Note

The behavior described below relies on two parameters, both enabled by default. If a Customer Administrator
has disabled one or both, the corresponding visual feedback described in this topic does not apply.

Parameter: Manage user interactions during send assessments processing (Application.SR.Engagement.SendAssessmentsProcessingBehavior)
Description: Enables the changes to the user interface and behavior related to the Send Assessments task.

Parameter: Manage user interactions during update processing (Application.SR.Engagement.UpdateProcessingBehavior)
Description: Enables the changes to the user interface and behavior related to other actions such as submitting a new or edited engagement request.

You might encounter a failure message:

• if you remain on the engagement page after clicking Submit request, for example, and the updates encounter
a problem
• when you open an engagement for which an action (yours or someone else's) has failed.

When update processing encounters a problem:

• The Status of the engagement returns to the last state before the processing encountered a problem.
• A banner message at the top of the page gives some information about the problem.
• For a Send Assessments error, you can click Refresh Status and then try again to send assessments.
• For other errors, the banner message includes a Retry link if your user is authorized to take action, based
on the engagement's current status.

Your options for responding depend on which type of action had an update processing error.

Attempted Action: Submit new engagement request

Note: If updates fail for a new engagement request, it is saved in Draft status. Only the requestor can open the draft.

Failure Result:
Landing page: Engagement editing wizard
Visual cue: Banner message concerning failure.
The requestor can make changes in the wizard or just re-submit from the Review request page.

Attempted Action: Submit new change request or review

Note: If updates fail for a new change request or review, it is saved in Draft status.
• For a change request, only the original creator or the "on behalf of" user can open the draft.
• For a periodic or ad hoc review, only the original creator can open the draft.

Failure Result:
Landing page: Engagement editing wizard
Visual cue: Banner message concerning failure.
The creator or the "on behalf of" user can choose to:
• Make any needed changes in the wizard, then re-submit from the Review request page
• Delete the draft from the business details page (the first page of the wizard)
Other users might be able to access the live engagement, depending on their permissions and role in the project.

Attempted Action: Submit an edit for an engagement request, change request, or review

Note: If updates fail for an edit, the engagement is saved and its status is In Edit. Only the original editor can open and re-submit the edit.

Failure Result:
Landing page: Engagement editing wizard
Visual cue: Banner message concerning failure.
The original editor can:
• Make any needed changes in the wizard, then re-submit from the Review request page
• Choose Revert edit if the change is no longer needed
Other users might be able to access the live engagement, depending on their permissions and role in the project.

Attempted Action: Cancel an engagement request, change request, or review

Failure Result:
Landing page: Engagement page
Visual cue: Banner message, including a Retry link if your user is authorized.
The request is not canceled and the Status of the engagement remains the same as before the attempted cancelation.
If the message has a Retry link, you can use it to retry the cancelation. Otherwise, you can't take action on this project until an authorized user resolves the error.

Attempted Action: Send assessments

Failure Result:
Landing page: Engagement page
Visual cue: Banner message, including a Refresh Status link.
If your user is authorized to send assessments for this engagement, you can click Refresh Status, then try sending assessments again.

Related Information

Manage user interactions during send assessments processing [page 388]
Manage user interactions during update processing [page 389]
How to Run the Engagement processing error report [page 274]

Canceling an Engagement Request for a Control-Based Engagement Risk Assessment (Simple Workflow)
Use these steps to cancel an engagement request in a site where the advanced editing and canceling workflow is
not enabled. As a project owner or governance expert in such a site, you can cancel an engagement request before
assessments have been sent.

Prerequisites

To cancel an engagement request, you must be the project owner, a member of the Project Owner project group,
or a member of the Supplier Risk Engagement Governance Analyst group.

Context

This simple canceling procedure applies to sites not configured for advanced editing and canceling. In this case,
you can cancel an engagement request when it is in Submitted or Pending Assessment status. Once the
responsible user has sent at least one assessment for the required controls and the control-based engagement
risk assessment project has moved to In Assessment status, you can no longer cancel the engagement request.

Procedure

1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, locate the engagement, and click its name.

2. In the upper right corner of the engagement page, choose Action > Cancel Request.
3. Click OK to confirm that you want to cancel the request.

Results

The control-based engagement risk assessment project is now in Request Cancelled status. You can view it on the
Completed tile of the Engagement Requests area.

Control statuses are unchanged. In the case of vendor- or service-level controls, any existing control review
decisions are also unchanged.

Related Information

The Control-Based Engagement Risk Assessment Process [page 114]
Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140]
How to Edit an Engagement Request for a Control-Based Engagement Risk Assessment (Simple Workflow) [page 162]
Control-Based Engagement Risk Assessment Status Flow [page 267]
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]

Canceling an Engagement Request for a Control-Based Engagement Risk Assessment (Advanced Workflow)
Use these steps to cancel an engagement request in a site configured for advanced editing and canceling. As a
project owner or governance expert in such a site, you can cancel an engagement request at any point before final
approval.

Prerequisites

To cancel an engagement request:

• You must be the project owner, a member of the Project Owner project group, or a member of the Supplier
Risk Engagement Governance Analyst group.
• The request must not be in In edit status with a different user.

Context

This advanced canceling procedure applies to sites configured for advanced editing and canceling. In this case, you
can cancel an engagement request at any point before final approval, including requests that were denied.

Procedure

1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, locate the engagement, and click its name.

2. In the upper right corner of the engagement page, choose Action > Cancel Request. A confirmation
message reminds you that tasks will be closed.
3. Click OK to confirm that you want to cancel the request. A second confirmation message requires entry of
Reason text to continue.

Results

The control-based engagement risk assessment project is now in Request Canceled status. You can view it on the
Completed tile of the Engagement Requests area.

Pending Tasks are deactivated and displayed in the Withdrawn tasks tab on the engagement page.

Control statuses and any existing control review decisions are unchanged.

Any assessment evidence already received from the supplier is retained.

For assessments pending with the supplier:

• If the canceled engagement request was the only one for which the assessment was needed, it is deactivated
and the supplier can no longer submit a response.
• If the assessment is still required for an engagement request other than the one being canceled, the supplier
can still submit evidence for that assessment.

Appropriate notifications are sent to stakeholders, reflecting the withdrawn tasks and canceled engagement
request project.

Related Information

The Control-Based Engagement Risk Assessment Process [page 114]
Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140]
How to Edit an Engagement Request for a Control-Based Engagement Risk Assessment (Advanced Workflow) [page 163]
Control-Based Engagement Risk Assessment Status Flow [page 267]
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]

Sending Assessment Questionnaires for a Control-Based Engagement Risk Assessment Project (Simple Workflow)
Follow these steps to use assessment questionnaires to gather evidence of control effectiveness from suppliers and
internal stakeholders. If you are responsible for sending those assessments to recipients and your site uses the
simple workflow, you send all assessments at one time after the engagement request is approved.

Prerequisites

To send assessment questionnaires for a control-based engagement risk assessment, you must be the owner of
the To Do task for triggering the evidence and control process in the project.

Context

The required assessment questionnaires for a control-based engagement risk assessment project are determined
by its applicable controls, which are in turn determined by the requester's answers to questions in the engagement
request. In the simple workflow for sending assessments, you cannot choose which assessments to send, but you
must complete the To Do task to send them. Completing the task automatically sends the assessments.

Even if recipients have completed all required assessments, you must still complete the send assessments To Do
task so that the control-based engagement risk assessment process can move to the next phase. In this case,
completing the task does not send any assessments.

An assessment might be set up to import responses. When you "send" such an assessment, you are requesting to
import the supplier's response.

Assessments are modular supplier management questionnaires, and each might have its own approval flow. After
a recipient has submitted answers to a modular supplier management questionnaire (either as a standalone
questionnaire or as part of another control-based supplier engagement risk assessment), and those answers have
been approved, the assessment questionnaire is approved until it expires (if ever). The To Do task for sending
assessments only invites recipients to fill out or update an assessment questionnaire if it is new, if it has expired, or
if it is expiring (a notification of pending expiration has been sent). If the questionnaire is already approved, it is not
included in this round of invitations.

In the simple workflow for sending assessments, you cannot choose recipients for individual questionnaires. The To
Do task for sending assessments automatically sends the questionnaires to:

• (External questionnaires) the primary supplier contact or all of the supplier's contacts (for new questionnaires)
or the supplier contact who previously submitted the questionnaire (for questionnaire updates).
• (Internal questionnaires) the members of the questionnaire project Internal Recipient group or, if that
project group is empty or is not present in the project, all members of the Project Owner project group
of the engagement risk assessment project where the internal assessment was sent. For information about
how to define membership in the Internal Recipients group, see About Modular Supplier Management
Questionnaires in Control-Based Engagement Risk Assessment Projects in Setting Up SAP Ariba Supplier Risk.

Caution

If all of the following conditions apply to the engagement, you or someone else in your organization must edit
the engagement request to set the supplier before you complete the send assessments To Do task:

• Your site's configuration allows the requester to submit an engagement request with no supplier selected.
• The engagement does not have a supplier set when it is time to send assessments.
• The required controls include at least one unapproved external (supplier-facing) assessment questionnaire.
• Your site is configured without advanced editing and canceling.

Once the send assessments To Do task is complete, there is no way to edit the request to add a supplier
to the engagement. In the simple workflow, completing the send assessments To Do task with no supplier
selected sends internal assessment questionnaires for the engagement's required controls, but does not send
any external assessments (since no supplier is selected, there is no recipient for external questionnaires).
In this case, sending assessments is a one-time operation and there is no way to resend them. If the
engagement's controls only use internal questionnaires, the engagement risk assessment project can proceed
through control review and final approval with no supplier selected. However, if the engagement involves even
one external questionnaire that the supplier must complete and there is no supplier selected, the external
assessment questionnaires are not sent, the associated control reviews cannot start, and the control-based
engagement risk assessment project becomes stuck.

If the first three conditions above are true, but your site is configured for advanced editing and canceling, the
engagement request is editable at any point before the final approval task is completed. In this case, you can
add the supplier after sending assessments.

Procedure

1. Perform one of the following actions:

• Click the link in the To Do task email notification to open the engagement request.
• From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, locate the engagement, and click its name.
2. In the Pending Tasks list, for the To Do task to send assessments, click Start.
3. A popup confirms that the assessments for the engagement's required controls have been sent. Click OK to
dismiss it.

Results

SAP Ariba Supplier Risk automatically sends recipients invitations to fill out the unapproved assessment
questionnaires for all required controls in the current engagement risk assessment project.

• If an internal assessment questionnaire has multiple recipients (for example, because the project Internal
Recipients group includes multiple people or a global user group with multiple members), all recipients
receive the invitation, and the first person to respond fills out and submits the questionnaire.
• If an external assessment is set up to import responses, SAP Ariba Supplier Risk does not send notifications
to the supplier asking them to respond, because in this case we are importing a response that the supplier
provided separately via SAP Business Network or an external system. If importing from an external system,
and the response does not import for some reason, Project Owner project group members for the relevant
engagements receive a notification about this problem.

The Risk Assessments area of the engagement page lists all of the assessments sent as part of this engagement risk
assessment project. You can click View to the right of an assessment questionnaire to view it.

If the engagement has any controls that are open but are associated with questionnaires that have already
been completed, control decision makers now see a Review button for them in the Risk Controls area of the
engagement page.

Next Steps

Recipients now fill out or update and submit the assessment questionnaires you sent. Once they have done so,
depending on how those assessment questionnaires are set up, approvers might need to approve their answers
before control decision makers can review any open controls and mark their effectiveness.

The external assessment questionnaires for all of the required controls in the current engagement risk assessment
project, including those that were already approved and those sent in this step, are available on the Questionnaire
tile of the supplier's 360° profile. Task owners and approvers can complete assigned tasks for external assessment
questionnaires there or by choosing Manage > My Tasks.

Internal assessment questionnaires for the required controls do not show on the Questionnaires tile. Users with
the appropriate roles can view them on the Home dashboard. Approvers can approve or deny internal assessment
questionnaires by choosing Manage > My Tasks.

Related Information

The Control-Based Engagement Risk Assessment Process [page 114]
Requesting a New Engagement and Starting a Control-Based Risk Assessment [page 140]
How to Approve or Deny a Request for a Control-Based Engagement Risk Assessment [page 159]
How to Review a Pending Control for Effectiveness Using the Control Review Page [page 228]
How to Approve or Deny a Control-Based Engagement Risk Assessment Project [page 204]
Control-Based Engagement Risk Assessment Status Flow [page 267]
Status Flow for Modular Questionnaire Projects [page 299]
Sending Assessment Questionnaires for a Control-Based Engagement Risk Assessment Project (Advanced Workflow) [page 180]
About Modular Supplier Management Questionnaires in Control-Based Engagement Risk Assessment Projects
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]

Sending Assessment Questionnaires for a Control-Based Engagement Risk Assessment Project (Advanced Workflow)
Follow these steps to use assessment questionnaires to gather evidence of risk control effectiveness for an
engagement from suppliers and internal stakeholders. If you are responsible for sending assessments to recipients
and your site uses the advanced workflow, you can send them in one or more rounds to the recipients of your
choice.

Prerequisites

To send assessment questionnaires for a control-based engagement risk assessment project, you must be the
owner of the To Do task for triggering the evidence and control process in the project.

To select which assessments to send, send assessments in more than one round, and choose assessment
recipients, the advanced send assessments workflow must be enabled in your site.

Context

The required assessment questionnaires for a control-based engagement risk assessment project are determined
by its applicable controls, which are in turn determined by the answers the requester provided to questions in the
engagement request. When you start the send assessments To Do task, the send assessments page shows a list of
all of the assessments that are required for the current control-based engagement risk assessment project.

Assessments are modular supplier management questionnaires, each of which might have its own approval flow.
After a recipient has submitted answers to a modular supplier management questionnaire (either as a standalone
questionnaire or as part of another control-based engagement risk assessment), and those answers have been
approved, the assessment questionnaire is approved until it expires (if ever). You can only send assessments that
are new, have expired, or are expiring (a notification of pending expiration has been sent). If the assessment
questionnaire was already sent to the recipient and either the recipient has not yet responded, the response is in
approval, or the response has been approved and the questionnaire is still in Approved status, you do not send it
again.

You can send all available assessments at once, or select specific assessments to send in different rounds. For
example, if your site allows requesters to submit engagement requests with no supplier selected and the required
controls for an engagement use both internal and external assessments, you can send internal assessments in one
or more initial rounds, then select a supplier and send external assessments.

The supplier selection on the engagement request remains editable until you send at least one external
assessment.

• If your site is configured for advanced edit, you can edit the engagement request to add or change the supplier,
until you have sent at least one external assessment.
• If your site does not use advanced edit, the engagement request is no longer editable after you send at least
one assessment (whether internal or external). You can still add a supplier to the engagement from the send
assessments page if needed.

The send assessments page shows all of the assessments required for the engagement for informational purposes.
When choosing which assessments to send at a given time, you can only select those assessments that are
currently available for sending. An assessment is not available for sending if:

• There is no supplier selected for the engagement yet. You cannot send external assessments for engagement-
level controls until you select a supplier for the engagement, since there is no recipient. You also cannot send
either external or internal assessments for vendor- or service-level controls until you select a supplier for the
engagement, since those controls can apply to a supplier across multiple engagements and there is no way to
tell whether the associated assessments were sent in another engagement risk assessment project until you
select the supplier. To send these assessments, select a supplier for the engagement.
• The supplier selected for the engagement does not have any contacts. You cannot send any external
assessments to a supplier with no contact. To send the assessments, add a contact to the supplier in their
360° profile or contact your administrator so that they can add a contact to the supplier using data import.
• There is a supplier selected for the engagement, but the assessment was already sent in another engagement
risk assessment project and it is not now expiring or expired.

The send assessments To Do task remains open until you have sent all of the available assessments, after which it
automatically completes.

The list of required assessments includes the name of the default recipient for each assessment. Before you send
an assessment, you can change its recipient as follows:

Questionnaire Visibility: External
• Default Recipients: The primary supplier contact (for new questionnaires) or the supplier contact who previously submitted the questionnaire (for completed questionnaires).
• Other Available Recipients: Any other contact associated with the supplier.

Questionnaire Visibility: Internal
• Default Recipients: Members of the questionnaire project Internal Recipient project group or, if that project group is empty or is not present in the project, members of the Project Owner project group in the engagement risk assessment project where the internal assessment was sent. The default recipient is the entire project group. For information about how to define membership in the Internal Recipients group, see About Modular Supplier Management Questionnaires in Control-Based Engagement Risk Assessment Projects in Setting Up SAP Ariba Supplier Risk.
• Other Available Recipients: Members of the questionnaire project Internal Recipient project group or, if that project group is empty or is not present in the project, members of the Project Owner project group in the engagement risk assessment project where the internal assessment was sent. You can select one or more individual recipients from these project groups.

If all required assessments for the current engagement were already sent in previous engagement risk assessment
projects, you must mark the send assessments To Do task complete so that the control-based engagement risk
assessment process can move to the next step.

Procedure

1. Perform one of the following actions:

• Click the link in the To Do task email notification to open the engagement page.
• Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, locate the engagement, and click its name.
2. In the Pending Tasks list, for the To Do task to send assessments, click Start.

The send assessments page opens. It includes a list of the required assessments for the engagement,
with their visibility type, assignee (recipient), and the date that any previously sent assessments were sent.
Assessments that are not currently available for sending are grayed out.
3. If all of the required assessments have already been sent, click Mark complete to complete the send
assessments To Do task so that the next task in the engagement risk assessment project can start. Otherwise,
proceed to the next step.
4. To send assessments for this engagement, perform the following actions:
a. Check the assessments you want to send at this time. You can only check those assessments that are
currently available for sending. The assessments that you cannot send at this time are grayed out.
b. (Optional) To change the recipient for an assessment, click Change recipient, then check one or more of
the available recipients and click OK.

If an assessment has been set up to import responses rather than being sent to the supplier via SAP Ariba
Supplier Risk, "sending" that assessment triggers the system to import the supplier's response. You can't
change the recipient in this case, so Change recipient is grayed out.
c. Click Send assessments.
5. (Optional) While you are sending assessments, if no supplier is selected for the engagement yet and
you want to select one now, perform one of the following actions:

• If your site is configured for advanced edit, edit the engagement request (advanced) [page 163] to add an
active supplier.
• If your site is not configured for advanced edit and you have not yet sent any assessments, edit the
engagement request (simple) [page 162] to add an active supplier. If you have already sent at least one
internal assessment, the engagement request is no longer editable.
• In the Add/Update Supplier area of the send assessments page, search for the active supplier you want to
add, then click Set Supplier.
6. Continue sending assessments using the steps above until you have sent all of the required assessments that
must be sent for the current engagement.

Results

If all of the required assessments were already sent in one or more previous engagements, marking the send
assessments To Do task complete completes the task. Otherwise, once you send all of the assessments that must
be sent for the current engagement, the send assessments To Do task completes automatically. In both cases, the
engagement risk assessment process moves to the next step.

SAP Ariba Supplier Risk automatically sends invitations to fill out the assessment questionnaires you sent to the
recipients you specified.

• If a questionnaire has multiple recipients, all recipients receive the invitation, and the first recipient to respond
fills out and submits the questionnaire.
• If an external assessment is set up to import responses, SAP Ariba Supplier Risk does not send notifications
to the supplier asking them to respond, because in this case we are importing a response that the supplier
provided separately via SAP Business Network or an external system. If importing from an external system,
and the response does not import for some reason, Project Owner project group members for the relevant
engagements receive a notification about this problem.

The Risk Assessments area of the engagement page lists all of the assessments that you have sent up to this point
for the current engagement as well as all of the required assessments for the current engagement that were sent
for other engagements. You can click View to the right of an assessment questionnaire to view it.

If the engagement has any controls that are open but are associated with questionnaires that have already
been completed, control decision makers now see a Review button for them in the Risk Controls area of the
engagement page.

Next Steps

Recipients now fill out and submit the assessment questionnaires you sent. Once they have done so, depending on
how those assessment questionnaires are set up, approvers might need to approve their answers before control
decision makers can review any open controls and mark their effectiveness.

The external assessment questionnaires for all of the required controls in the current engagement risk assessment
project, including those that were already approved and those you sent in this step, are available on the
Questionnaires tile of the supplier 360° profile. Task owners and approvers can complete assigned tasks for
external assessment questionnaires there or by choosing Manage My Tasks.

Internal assessment questionnaires for the required controls do not show on the Questionnaires tile. Users who
have access to the engagement page can view them there. Users with the appropriate roles can view them on the
Home dashboard. Approvers can approve or deny them by choosing Manage My Tasks.

Related Information

About Modular Supplier Management Questionnaires in Control-Based Engagement Risk Assessment Projects
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]

How to Complete an Internal Assessment for a Control-Based Engagement Risk Assessment Project
If you are the recipient of an internal assessment questionnaire for a control-based supplier engagement risk
assessment project, you must either fill it out and submit it or specify a different recipient so that the risk
assessment can proceed.

Prerequisites

To fill out a new internal assessment questionnaire for a control-based engagement risk assessment project, you
must be one of the following:

• A member of the internal modular supplier management questionnaire Internal Recipient project group.
• The engagement risk assessment project owner, if the Internal Recipient project group in the internal
modular supplier management questionnaire project does not have any members, or if the project does not
include an Internal Recipient group.
• A member of the Supplier Risk Engagement Governance Analyst global user group.

Context

In control-based engagement risk assessment projects for supplier or third-party engagement, every engagement
has at least one risk control. Risk controls are designed to mitigate or control particular types of risk, and each
includes one or more assessment questionnaires that a decision maker for the control uses to decide whether or
not the control is effective for a particular engagement. These assessment questionnaires can be external, meaning
that the supplier fills them out, or internal, meaning that people in your organization fill them out. If you have
been invited to fill out an internal assessment for a control-based engagement risk assessment project, you have
been identified as someone who can provide information that is necessary for making a decision about risk control
effectiveness for an engagement.

If you do not feel like you are the best person to fill out the assessment questionnaire, a user with appropriate
permissions can change the recipient [page 185].

Procedure

1. Open the internal assessment questionnaire by performing one of the following actions:

• Click the link in the email notification inviting you to fill out the questionnaire.
• In the To Do content item on the Home dashboard, click the name of the questionnaire to open the
engagement page. In the Risk Assessments area, click View to the right of the assessment.
• On the Home dashboard, click the context menu to the left of the search bar and choose SM Modular
Questionnaire, optionally enter a search term such as the name of the questionnaire, and click the search
icon. On the search page, locate the internal assessment questionnaire, click its name, and choose
Open.
2. In the Supplier questionnaire area, click Edit.
3. Fill out the questionnaire and click Submit.

Results

If there is an approval flow for the questionnaire, submitting it generates notifications letting approvers know
they must review your answers and approve or deny them. If there is no approval flow for the questionnaire, it is
approved automatically.

Next Steps

After all of the questionnaires associated with a risk control are approved, a risk control decision maker in your
organization reviews your answers again, along with the answers to other assessment questionnaires submitted by
the supplier or other people in your organization, and decides whether or not the associated risk control is effective
for the engagement.

Related Information

Requesting an Update or Changing the Recipient for a Modular Questionnaire [page 185]

Requesting an Update or Changing the Recipient for a Modular Questionnaire
Use these steps to request an update for a modular questionnaire. This allows you to send the current recipient a
reminder or select a different recipient and invite them to update the questionnaire.

Prerequisites

To request an update or change a recipient for a modular questionnaire, you must be a member of the SM Modular
Questionnaire Manager, Supplier Risk Engagement Expert, or Supplier Risk Engagement Governance Analyst
group.

You can't request an update while the questionnaire is in Pending Submission or Pending Approval status.

Internal modular questionnaires are only available in SAP Ariba Supplier Lifecycle and Performance process
projects and in SAP Ariba Supplier Risk engagement risk assessment projects, where they're used as risk
assessments. Internal modular questionnaires can't be stand-alone projects.

Context

Modular questionnaires can allow continuous updates or permanently close after the submitted answers are first
approved or denied. However, even if a modular questionnaire doesn't normally allow updates, requesting an
update reopens the questionnaire so that the recipient can update it once.

For external modular questionnaires, once a supplier contact has opened the questionnaire and viewed it, the
questionnaire is assigned to them and they're the only user in the supplier's SAP Business Network account who
can view or respond to it. Requesting an update and changing the recipient allows you to reassign the questionnaire
to a different supplier contact.

Internal modular questionnaires used as risk assessments in engagement risk assessment projects can include
an Internal Recipients project group. When you change recipients, members of that group show at the top
of the list of available recipients. Internal modular questionnaires in process projects don't use an Internal
Recipients project group, and available internal recipients show in alphabetical order.

In sites where the process project feature (SM-16798) is enabled, a process initiator who is also a member of the
SM Modular Questionnaire Manager group can also request a questionnaire update or change recipients when
creating or renewing a process.

In SAP Ariba Supplier Risk, a modular questionnaire used as a risk assessment can be set up to import supplier
responses. In this case, requesting an update triggers import of the supplier's current response, either from
SAP Business Network or your external system. You can't use Request Update to change the recipient of an
assessment for which responses are imported.

Procedure

1. Open the modular questionnaire by performing one of the following actions:

• In the Questionnaires area of the 360° profile, view the questionnaire.
• On the Home dashboard, choose SM Modular Questionnaire in the search context menu, optionally enter
a search term such as the name of the questionnaire, then choose the search icon. On the search
page, choose the name of the questionnaire and choose Open.
• If the modular questionnaire is included in a process, on the process details page, view the questionnaire.
2. Choose Request Update.
3. Perform one of the following actions:

• For an internal questionnaire, choose the current recipient or search for and select a different recipient.
• For an external questionnaire, leave the current recipient selected, search for and select a different supplier
contact or (if you have permission to add supplier contacts) add a new contact and choose them as the
recipient.
4. Optional: Enter a comment about the update request or questionnaire reassignment.
5. Perform one of the following actions:

• For an internal questionnaire, choose Confirm.
• For an external questionnaire, choose Save.

Results

The current or updated recipient receives an email notification inviting them to submit the questionnaire.

If the questionnaire is set up to generate reminders, requesting an update restarts the reminder schedule.

Related Information

Adding a Supplier Contact as a Questionnaire Recipient
Qualification and Miscellaneous Supplier Management Process Projects
Creating a Qualification or Miscellaneous Supplier Management Process Project
Inviting Suppliers to Fill Out Stand-Alone Modular Questionnaires [page 284]

How to Approve or Deny an Internal Assessment Questionnaire for a Control-Based Engagement Risk Assessment Project
If you are in the approval flow for an internal assessment questionnaire in a control-based supplier engagement risk
assessment project, you can approve or deny it.

Procedure

1. On the dashboard, choose Manage My Tasks.
2. On the My Tasks page, locate the approval task for the internal assessment questionnaire.

 Tip

The name of the internal questionnaire project associated with the task does not tell you which supplier is
involved in the control-based engagement risk assessment, but you can see the supplier name when you
view task details.

3. Click the name of the task and choose Action > View Task Details.
4. Review the answers.
5. In the top right corner of the page, perform one of the following actions:

• To approve the registration, click Approve.
• To deny the registration, click Deny, enter an explanatory comment for the supplier, and click Confirm
denial.

 Caution

Do not click Request additional info. If you request additional information, the approval cannot restart
until the recipient resubmits the questionnaire. However, there is currently no way for the recipient to
update the questionnaire after the initial submission. Requesting additional information therefore causes
the questionnaire to become stuck in Pending Approval status, the associated control review cannot start,
and the control-based engagement risk assessment becomes stuck. Always either approve or deny the
questionnaire.

Results

If you are the final approver, the questionnaire status is now Approved or Denied. If not, the questionnaire remains
in Pending Approval status until the final approval or denial.

How to Assign or Reassign a Control Review or Questionnaire To Do Task for an Engagement
When a project group owns a control review task or a To Do task on an engagement project questionnaire, an
individual member of that group can assign the task to the members of the group who are best qualified to act on
the task for a particular engagement.

Prerequisites

The enhancements to engagement task management feature (ARI-6919) must be enabled in your site.

You can only assign control review tasks, and To Do tasks on supplemental engagement questionnaires, in control-
based engagement risk assessment projects. You cannot assign standalone To Do tasks, including the To Do task
for sending assessments.

To assign or reassign a control review task or a To Do task on a supplemental engagement questionnaire, you must
be a decision maker for the control (for control review tasks) or a task owner (for To Do tasks) or a member of the
Supplier Risk Engagement Governance Analyst group.

You can only assign a control review task if the control decision maker is a project group.

To be eligible to be assigned a control review task, you must be a member of the project group defined as its
decision maker. To be eligible to be assigned a supplemental engagement questionnaire as part of a To Do task, you
must be a member of the project group that owns the task.

Context

If you are a control decision maker for a control review task or the owner of a supplemental engagement
questionnaire To Do task in an engagement project, or a member of the Supplier Risk Engagement Governance
Analyst group, you can assign or reassign the task. Task assignments allow task owners to ensure that the
individual who is in the best position to act on the task sees it in their Action queue (if that feature is enabled) and
is assigned the task on the engagement page.

You have the following options for assigning or reassigning these tasks:

You can: Assign the task to yourself
If: You are the best person to act on the task.

You can: Assign or reassign the task to another person
If: A task is not currently assigned to an individual person or is assigned to you. You can assign or reassign it to another member of the project group that owns the task to give them exclusive access to it. This option is useful when:
• You know the best person to act on a task that is currently a group task.
• You have been assigned a task but believe a specific other person is in a better position to act on it.
• You are collaborating on a supplemental engagement questionnaire, have saved your own edits to it, and want a specific person to work on it next.

You can: Reassign the task to the project group
If: A task is assigned to you. You can reassign it back to the entire project group that owns the task so that any member of the group can act on it. This option is useful when:
• You have been assigned a task and don't know exactly who is in a better position to act on it.
• You are collaborating on a supplemental engagement questionnaire, have saved your own edits to it, and want to let anyone in the group work on it next.

You can assign or reassign tasks from several pages, depending on the task type and your role.

Task Type | User | Access Points
To Do | Task owner | Engagement page; Engagement task list; Action queue *
To Do | Governance analyst who is not a task owner | Engagement page
Control review | Decision maker | Engagement page; Engagement task list
Control review | Governance analyst who is not a decision maker for this control | Engagement page

* If this feature is enabled as described in Optional Features for Control-based Engagement Risk Assessments in Setting Up SAP Ariba Supplier Risk.

 Note

Control reviews are sometimes shared between engagements, and the decision maker group (and thus the list
of possible assignees) might differ between engagements. Therefore, while you can access a control directly
from the Action queue or the control list page, if those features are enabled, assigning or re-assigning can only
be done when accessing the control review task directly from the engagement. This makes clear which users
are candidates to be assigned.

Procedure

• To assign or reassign a task from the engagement page:
a. Click the Engagement Requests link on the Supplier Risk dashboard and locate the engagement.
b. Click the engagement name to open the engagement page.
c. In the Tasks area, click Start to open the task details page for the To Do or control review task you want to
assign.

For control review tasks, you can also click View or Review in the Risk controls area.
d. To assign the task to yourself, click Assign to me, enter an optional comment to explain the assignment,
and click OK.
e. To assign the task to another person or back to the project group, click Assign, choose the user or group,
enter an optional comment to explain the assignment, and click OK.
• To assign or reassign tasks from the engagement task list:
a. Click the Engagement Requests link on the Supplier Risk dashboard and locate the engagement.
b. Under My tasks/Group tasks, click the number of tasks assigned to you or to the project group to open
the engagement task list.
c. Locate the task you want to assign.
d. To assign a task to yourself:
1. Select the checkbox to the left of the task.
2. Choose Assign to me.
3. Enter an optional comment to explain the assignment, and click OK.
e. To assign the task to another person or back to the project group:
1. Select the checkbox to the left of the task.
2. Choose Assign.
3. Choose the user or group.
4. Enter an optional comment to explain the assignment, and click OK.
• To assign or reassign a To Do task from the Action Queue:
a. Click the Actions tile on the Supplier Risk dashboard and locate the action for this To Do task.
b. Click the To Do task name link.
c. To assign the task to yourself, choose Assign to me, enter an optional comment to explain the assignment,
and click OK.
d. To assign the task to another person or back to the project group, choose Assign, choose the user or
group, enter an optional comment to explain the assignment, and click OK.

Results

To Do task: If you assigned the task to yourself, you are now the only person who can act on it. If you assigned or
reassigned an individual person to a To Do task, they are now the only person who can act on it and they receive an
email notification letting them know about the assignment. If you reassigned the task back to the project group, all
members of the project group can now act on the task and they all receive an email notification telling them about
the reassignment.

Control review task: If you assigned the task to yourself, the task is assigned to you in the task list on the
engagement page. If you assigned or reassigned the task to another individual person, they now see the task as
assigned to them on the task list for the engagement, and they receive an email notification letting them know
about the assignment. If you reassigned the task back to the project group, they all receive an email notification
telling them about the reassignment.

• If your site has control review workflow enabled: Control review assignment to an individual is not exclusive.
Any member of the decision maker group for the control can act on it, whether assigned to an individual or to
the group.
• If your site does not have control review workflow enabled: Control review assignment to an individual is
exclusive. Only the assigned individual can act on the control review.

The change of assignment is reflected in the Action queue.

Related Information

Viewing and Managing Your Tasks for an Engagement Risk Assessment Project [page 154]
Optional Features for Control-based Engagement Risk Assessments

How to Fill Out and Submit a Supplemental Engagement Questionnaire
Supplemental engagement questionnaires are questionnaires that gather information about some aspect of the
engagement that is not covered by the engagement request and risk assessment questionnaires. If you are
assigned to a To Do task for a supplemental questionnaire, you fill it out to complete the task.

Prerequisites

To fill out and submit a supplemental engagement questionnaire, you must be an owner of its To Do task.

Context

Your control-based engagement risk assessment process might use supplemental engagement questionnaires
in the engagement request phase, the phase where evidence collection starts, or the final approval phase. Your
organization might use these questionnaires for compliance, reporting, monitoring, confirmations that you have
performed tasks outside of SAP Ariba Supplier Risk, or for other purposes.

Depending on how the To Do task for filling out the questionnaire is set up, you might be the sole person assigned
to fill out the questionnaire, or you might be a member of a group that has been assigned to the task. In either
case, you can fill out the questionnaire and save or submit it. If you save the questionnaire, the To Do task remains
open and you or another task owner can complete it and submit it at another time. Submitting the questionnaire
completes the To Do task and starts any approvals for the questionnaire.

Procedure

1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, then click the
In Progress tile.
2. Locate the engagement and click its name.
3. In the Pending Tasks list, locate the To Do task for the supplemental questionnaire and click Start.
4. Fill out the questionnaire.
5. Perform one of the following actions:

• To submit the questionnaire and complete the To Do task, click Submit.
• To save the current answers without submitting the questionnaire, click Save.
• To return to the engagement page without saving your current edits, click Cancel.

Results

If you saved the questionnaire, the To Do task remains active. You or another task owner can click Start for the
questionnaire To Do task to continue filling out the questionnaire at any time. The task remains open to all task
owners, and the questionnaire remains editable, until a task owner submits it.

If you submitted the questionnaire, the To Do task is complete and the questionnaire is no longer editable. If there is
an approval task for the questionnaire, it starts now.

Next Steps

If an approver requests more information, you can edit the questionnaire again by clicking Start for its To Do task.

Related Information

How to Approve or Deny a Supplemental Engagement Questionnaire [page 193]

How to Approve or Deny a Supplemental Engagement Questionnaire
If you are in the approval flow of a supplemental engagement questionnaire, you can approve or deny it.

Context

Approving or denying a supplemental engagement questionnaire does not directly affect the status of the control-
based engagement risk assessment project, but it does reflect whether or not you find the answers acceptable. The
approval status of a supplemental questionnaire can factor into the approval or denial of an engagement request
or the overall engagement risk assessment project. With approvals for supplemental questionnaires, you can also
request more information from the respondents instead of approving or denying the questionnaire.

Procedure

1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, then click the
In Progress tile.
2. Locate the engagement and click its name.
3. In the Pending Tasks list, locate the approval task for the supplemental questionnaire and click Approve/
Deny.
4. On the approval task details page, review the questionnaire answers and perform one of the following actions:

• To approve the questionnaire, click Approve, enter an optional comment about your approval, and click
Confirm.
• To deny the questionnaire, click Deny, enter a comment about your denial, and click Confirm.
• To ask the respondent to provide more or different information, click Request more info, enter a comment
specifying your request, and click Confirm.

Results

If you denied the questionnaire, the approval flow stops. If you approved the questionnaire and you are not the
final approver, the approval flow continues. If you approved the questionnaire and you are the final approver, the
approval task completes. Any comments you added during approval show in the Approval history area of the
approval task details page.

If you requested more information, the owners of the To Do task for the supplemental questionnaire receive email
notifications that include your comment. They can start the To Do task again to edit the questionnaire. After they
submit the updated answers, the approval task starts again.

Next Steps

Approvers and members of the Supplier Risk Engagement Governance Analyst group can change the approval
decision by resubmitting the approval under the following circumstances:

• For supplemental engagement questionnaires in the engagement request, trigger evidence collection and
controls, or final project approval phase, if the questionnaire is denied and the engagement risk assessment
project is not completed or canceled.
• For supplemental engagement questionnaires in the post-project approval phase, if your site uses one, if the
questionnaire is either approved or denied and the post-project approval phase is still in progress.

To resubmit a completed approval, on the Completed Tasks tab of the engagement page, click View to view the
approval task details, then click Resubmit. Resubmitting the approval task starts the approval flow over again from
the beginning. Once it is restarted, approvers can make a different approval decision or request more information
so that questionnaire To Do task owners can edit the questionnaire again.

Related Information

How to Fill Out and Submit a Supplemental Engagement Questionnaire [page 191]

How to Raise an Issue for a Control-Based Engagement Risk Assessment or One of Its Risk Controls
If a potential supplier or third-party engagement or one of its required risk controls has a problem that might
require remediation, a policy exception, or other special handling, you can create an issue for it.

Prerequisites

Any user who can view an engagement or a risk control can create an issue for it.

You can assign new issues to any member of the Supplier Risk User, Supplier Risk Manager, Supplier Risk
Engagement Requestor, Supplier Risk Engagement Analyst, or Supplier Risk Engagement Governance Analyst
groups.

The issue only includes a Residual Risk field if residual risk is set up in your site.

Context

You can create an issue for a control-based engagement risk assessment project at any point from the time the
request is initially approved, except when it is in status Complete, Archive pending, or Archived.

You can create an issue for an individual risk control if it is required in at least one engagement request for the
supplier and if the control review task's status is active.

• If the control has not previously been reviewed for the supplier, the review task becomes active once
assessments are sent. It's at this point that the row for this control in the Risk controls section of the
engagement page shows a View or Review button.
• The control remains active from that point forward. You can raise an issue regardless of the control's status.
• The control would cease to be active if all engagements for this supplier that required this control were
Canceled or Archived.

Issue forms include a standard set of questions about the issue name, description, assignee, severity, and due date.
They might also include a question about the issue probability. However, the specific wording of these questions
and the other questions in the issue form are defined by your organization's issue management process.

Procedure

1. To start an issue for an engagement: open the engagement and in the upper right corner of the page, choose
Action > Create issue.
2. To start an issue for an individual risk control:
a. Open the control page.
• Open an engagement for which this control is required. In the Risk controls area, click View or Review
for the control.
• If your site has control review workflow enabled, you can open the control from the controls list page.
b. On the control page, click Create issue.

 Note

For service-type controls: If your site has control review workflow enabled, the control details page
shows a list of services for the control. Locate the relevant service and in that row, click Action >
Create issue.

3. Enter information on the Create issue page as defined by the issue management project template.
4. Click Submit.

Results

Submitting the issue creates an issue management project in Draft status and starts its workflow. If your site has
set up residual risk ratings, the Residual Risk field [page 136] on the issue page shows the residual risk of the issue
based on the severity and probability you selected. Depending on your site's residual risk configuration, this issue
might also influence the Residual Risk shown on the engagement page.

Automatic email notifications inform you, the assignee, and members of the Supplier Risk Engagement
Governance Analyst group of the new issue and of any subsequent updates.

You can view the issue, its process flow, and its tasks by clicking the Issues tile on the Supplier Risk dashboard or
by finding it in the Issues section on the engagement page. These actions show both engagement-level issues and
issues raised for specific controls.

Related Information

How to Review a Pending Control for Effectiveness Using the Control Review Page [page 228]
How to Define, Analyze, or Resolve an Issue for a Control-Based Engagement Risk Assessment [page 196]
The Control-Based Engagement Risk Assessment Process [page 114]
How to Add Approvers or Reviewers to a Legacy Engagement Risk Issue [page 325]
Viewing and Managing Control-Based Engagement Risk Assessment Projects [page 120]
The Issue Management Process for Risk Controls and Control-Based Engagement Risk Assessment Projects [page 117]
About Residual Risk for Control-Based Engagement Risk Assessments [page 136]

How to Define, Analyze, or Resolve an Issue for a Control-Based Engagement Risk Assessment

The issue management process can assign you tasks for defining, analyzing, or resolving an issue that someone at
your organization has raised for a risk control or a control-based engagement risk assessment project. Once all of
the tasks in the issue management workflow are completed, the issue closes.

Prerequisites

If you are a task owner, reviewer, or approver for an issue task, but you don't otherwise have permission to work
with control-based engagement risk assessments, you can view and add comments to the issue, but you cannot
view the associated control-based engagement risk assessment project. Anyone who has permission to view the
issue can also view details for any of its completed tasks. To edit the issue, you must be either a member of its
Project Owner project group, an assignee, or a member of the Supplier Risk Engagement Governance Analyst
group.

If your organization's issue form uses access control to restrict who can edit specific sections of the issue form, you
must not only have permission to edit the issue but also have access to the section or sections you want to edit.

To complete an issue-related task, you must be a task owner (for To Do tasks) or be one of the users assigned to its
review or approval flow (for review and approval tasks).

The issue only includes a Residual Risk field if residual risk is set up in your site.

Context

Your organization's issue management process [page 117] includes steps for raising the issue, defining and
analyzing it, proposing a resolution, and approving the resolution. Its tasks assign these steps to various relevant
stakeholders, who receive email notifications when their assigned tasks start. If you are assigned to a task for an
issue, and that task is currently active, you can click a button next to it in the Tasks table to complete it.

Your company's issue management process defines the owner of all issue management tasks before the issue is
assigned. After assignees are specified for the issue, they automatically become the owners of all of the issue's
incomplete tasks. The owner of a To Do task completes the task. The owner of an approval or review task is not
necessarily the approver or reviewer, unless they are also added explicitly to the approval or review flow; however,
the owner of an approval task can resubmit a denied approval task so that the approval flow restarts.

Depending on your role in the issue management process and your permissions, you might edit the issue to add
more information, correct existing information, add comments, attach a document such as a remediation plan or a
waiver, adjust the severity and probability (and therefore the residual risk), or assign the issue to another person at
your company before completing your task. Each task in the workflow must be completed before the next task can
start. The issue cannot close until all of its tasks are completed.

The issue page includes a process flow diagram that shows all of the tasks in the workflow, with color coding to
indicate tasks that have been completed. You can hover a mouse over any incomplete To Do task in the flow to see
its owner, and any incomplete approval or review task in the flow to see its currently active approver or reviewer.

If the site configuration parameter Require issue completion for final engagement project approval
(Application.SR.Engagement.RequireIssueCompletionForProjectApproval) is enabled in your site,
approvers cannot approve or deny an engagement risk assessment project until all associated issues have a status
of Resolved.

Procedure

1. Perform one of the following actions to open the issue:

• Click the link in the task email notification.
• On the dashboard, choose Manage > My Tasks, click the name of your assigned task, and choose
View Task Details.
• If you are the person who created the issue, the assignee, or a member of the Supplier Risk Engagement
Governance Analyst group, on the Supplier Risk dashboard, click the Issues link, then click the issue
name.
• If the issue is associated with a risk control for which you are a decision maker: open the control details
page from the engagement page or from the controls list page. From there, you can access issues
associated with the control. This method is available only if your site has the control review workflow
feature enabled.
2. (Optional) In the Comments area, enter a comment and click Submit.

The Comments area shows your new comment at the top of the comment list.
3. If you need to edit the issue and have permission to do so, perform the following actions:
a. At the top of the issue page, click Edit.
b. Add or modify information in any of the editable fields as needed.

c. Click Submit.
4. In the Tasks area, locate your assigned task and perform one of the following actions:

• For a To Do task, click Mark Complete, then click Yes to confirm that you want to complete the task.
• For a review task, click Complete Review. On the Issue Task Detail page, enter any review comments you
might have, click Confirm Review Complete, and click Done to return to the issue page.
• For an approval task, click Approve/Deny. On the Issue Task Detail page, click Approve or Deny, enter
explanatory comments, click Confirm, and click Done to return to the issue page.

Results

The issue management process flow at the top of the issue page updates to show the completed task, and the
next task in the issue management workflow starts automatically. Users with permission to view the issue can click
View next to any completed task to view its details, which include any comments that reviewers or approvers added
when completing review or approval tasks.

If your task is the last for its phase of the issue management workflow, the next phase automatically starts, and the
status of the issue moves forward.

| Activity | Phase Change | Issue Status |
|---|---|---|
| Create a new issue | Start Issue definition phase | Draft |
| Complete the final task in the Issue definition phase | Ends: Issue definition phase. Starts: Issue analysis phase | Open |
| Complete the final task in the Issue analysis phase | Ends: Issue analysis phase. Starts: Issue resolution phase | In Progress |
| Complete the final task in the Issue resolution phase | Ends: Issue resolution phase. Starts: Issue resolution acceptance phase | Resolved |
| Issue resolution approved | Ends: Issue resolution acceptance phase | Completed |
| Issue resolution denied | Ends: Issue resolution acceptance phase | Request denied |

If your site has set up residual risk ratings and you specified or edited the issue severity or probability, the Residual
Risk field [page 136] on the issue page shows the residual risk of the issue based on the severity and probability
you selected or updated. Depending on your site's residual risk configuration, this issue might also influence the
Residual Risk shown on the engagement page.

Next Steps

If an approval task is denied and you are its owner, you can restart it by choosing Actions > Resubmit in
the Tasks area, clicking Resubmit on the Issue Task Detail page, entering any optional comments and clicking
Confirm Resubmit, and clicking Done. The approval flow then restarts, and approvers can reevaluate the issue and
either approve it this time or deny it again.

Related Information

The Issue Management Process for Risk Controls and Control-Based Engagement Risk Assessment Projects [page 117]
How to Raise an Issue for a Control-Based Engagement Risk Assessment or One of Its Risk Controls [page 194]
How to Add Approvers or Reviewers for an Issue in a Control-Based Engagement Risk Assessment Project [page 201]
The Control-Based Engagement Risk Assessment Process [page 114]
How to Manage Team Membership of the Assignee Project Group in an Issue Management Project [page 199]
Require issue completion for final engagement project approval [page 395]
Require issues for ineffective risk control decisions [page 396]
About Residual Risk for Control-Based Engagement Risk Assessments [page 136]

How to Manage Team Membership of the Assignee Project Group in an Issue Management Project

A user with access to an issue management project can change the membership of the Project Owner project
group. Members of the assignee project group on the project team of an issue management project can complete
tasks assigned to the group and add information to the issue unless restricted by access control.

Prerequisites

The issue management project template in your site must include an Assignees project group.

If the site configuration parameter Enable assignee team management on issue projects
(Application.SR.IssueManagement.ManageIssueAssigneeTeam) is disabled, the button for managing the
assignee team isn’t available in the upper right corner of the issue page.

To add or remove team members in the issue assignee project group, you must already be a member of the
assignee or Project Owner project group in the issue management project.

You can add or remove any global user group or any member of the following groups from the issue assignee
project group:

• Supplier Risk Engagement Requestor
• Supplier Risk Engagement Governance Analyst
• Supplier Risk Engagement Expert
• Supplier Risk Engagement Analyst

Context

Issue assignees are typically responsible for analyzing and resolving the issues associated with control-based
engagement risk assessment projects or with their risk controls. They automatically have permission to view the
issue and to edit any parts of the issue form that aren't restricted by access control. They can also add or remove
other team members and system groups from the issue assignee group.

You can add or remove team members and global user groups from the assignee project group on the issue form.

Note

Members can't remove themselves (the currently logged-in user) or the explicit issue assignee.

Adding or removing a global user group adds or removes only the group itself. Example: USER_A is a team member of
the assignee project group individually and is also a member of the GROUP_B global user group. If GROUP_B
is removed from the assignee project group, the individual team member, USER_A, isn't removed. Only the
GROUP_B global user group is removed.

Procedure

1. On the Supplier Risk dashboard, click the Issues link, then click the issue name.
2. In the upper right corner of the issue page, click Manage team.

Note

You won’t see the Manage team button if the issue management project template doesn’t have an
Assignees project group.

3. On the Manage team popup, click the pencil icon next to Assignee team, search for the people or global
user groups that you want to add to the assignee project group for the issue, and select them. Uncheck those
that you want to remove.
4. When you’re done, click Save and then Confirm.

Results

The team members and global user groups you added or removed in the issue assignee group receive email
notifications letting them know that they were added to or removed from the group. If they were added, they can
now view the issue, perform any tasks assigned to the group, edit any section of the issue form to which the group
is granted access, and add other team members to the issue assignee group.

How to Add Approvers or Reviewers for an Issue in a Control-Based Engagement Risk Assessment Project

Depending on their setup, approval or review tasks for issues might allow the issue project owner to add an ad
hoc reviewer or approver based on their judgment of the issue's requirements instead of using a template-defined
approval or review flow.

Prerequisites

To add approvers to an approval task or reviewers to a review task in an issue, you must be a member of the issue's
Project Owner group as defined in your site's issue management project template.

You can only add approvers or reviewers to an issue management task if there are no approvers or reviewers
defined for it in the project template.

Context

You can add either individual users or system user groups such as Supplier Risk Engagement Analyst as
approvers or reviewers. If you choose a user group, the first member of the group to respond reviews, approves, or
denies the issue. If you select multiple users or groups, they are all added as parallel nodes in the approval or review
flow and they must all approve or review the issue.

Procedure

1. Perform one of the following actions to open the issue:

• On the Supplier Risk dashboard, navigate to the Engagement Requests > In Progress tile, click the name of
the engagement with which the issue is associated to open the engagement page, then click the flag icon
next to the engagement’s name and choose the issue name from the dropdown menu.
• If you are the person who created the issue, the assignee, or a member of the Supplier Risk Engagement
Governance Analyst group, on the Supplier Risk dashboard, click the Issues link, then click the issue
name.
2. In the Pending Tasks list, locate the approval or review task and click Add Approver or Add Reviewer.
3. Check the users and groups you want to add.
4. Click Update.

Results

The users or user groups are added to the approval or review flow. The users and individual members of the groups
receive notifications letting them know that they must complete the task.

Related Information

The Control-Based Engagement Risk Assessment Process [page 114]
The Issue Management Process for Risk Controls and Control-Based Engagement Risk Assessment Projects [page 117]
How to Raise an Issue for a Control-Based Engagement Risk Assessment or One of Its Risk Controls [page 194]
How to Define, Analyze, or Resolve an Issue for a Control-Based Engagement Risk Assessment [page 196]

How to Change the Residual Risk of a Control-Based Engagement Risk Assessment Project

In a site configured to use the default (rather than the domain-based) method of determining engagement-level
residual risk, you can change that residual risk rating if necessary. This capability is subject to rules set up by an
administrator.

Prerequisites

Your site must be set up to use the default method of calculating engagement residual risk. In sites configured
instead to calculate engagement-level residual risk by risk domain, there is no ability to change the
engagement-level residual risk manually. Residual risk values in these sites are automatically updated based on the
issues, findings, or effectiveness levels for controls associated with the engagement.

Residual risk in control-based engagement risk assessment projects must be set up in your site, and your site must
be configured to allow changes to the original residual risk rating.

To view the residual risk of an engagement, you must have permission to view that engagement.

To change the residual risk rating of an engagement project, you must be a member of its Project Owner project
group or of the Supplier Risk Engagement Governance Analyst global user group.

By default, you can edit the residual risk if the engagement has at least two associated issues or findings with
different residual risk ratings. Sites can also be configured to remove this restriction.

Context

The residual risk for an engagement shows in the Residual Risk field in the Engagement Summary area of the
engagement page. This field only shows a value if the engagement has at least one associated issue with a risk
rating or a finding with a business impact value. An engagement can have an issue or finding because someone
has raised an issue or finding directly for the engagement or one of its controls, or because someone has raised an
issue or finding for one of its service- or vendor-level controls in another engagement. If the engagement does not
have any issues or findings, the Residual Risk field is blank.

If a residual risk value has been calculated for an engagement, and your site allows it, you can change the
engagement project's residual risk rating. The number of levels you can change the rating either up or down is
determined by your site's configuration. If the engagement does not yet have a residual risk rating, there is no way
to edit the Residual Risk field to set it manually.

Procedure

1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, then click the
In Progress tile.
2. Locate the engagement and click its name to open it.
3. Perform the following actions:
a. Choose Action > Change residual risk.
b. Choose a different residual risk rating. The options that are active depend on the number of levels of
change your organization allows for residual risk ratings.
c. Enter a comment explaining the reason for your change.
d. Click OK.

Results

On the engagement page, the Residual Risk field shows the rating you chose as the current residual risk rating for
the engagement project.

The residual risk change history records your change. You can click History to see the entire change history for the
residual risk rating of the current engagement project, including any related comments.

Related Information

About Residual Risk for Control-Based Engagement Risk Assessments [page 136]
Define the amount of change allowed for engagement residual risk ratings [page 359]
Restrict editing of residual risk ratings based on engagement issues [page 399]
About Engagement-Level Residual Risk

How to Approve or Deny a Control-Based Engagement Risk Assessment Project

If you are in the approval flow for a control-based engagement risk assessment project, you can approve or deny it.

Prerequisites

If the site configuration parameter Require issue completion for final engagement project approval
(Application.SR.Engagement.RequireIssueCompletionForProjectApproval) is enabled in your site,
you cannot approve or deny an engagement risk assessment project until all associated issues have a status
of Resolved.

Context

Once control decision makers have reviewed all of the open controls associated with an engagement, it is in In
Progress status for the project approval phase.

The Approval Flow area of the engagement page includes decision nodes for all of its control reviews. If a control
is marked ineffective, the control decision maker might have raised an issue for it. You can review all of the issues
raised for the engagement and their resolutions in the Risk Issues area.

Depending on your organization's standards and processes, you might approve an engagement risk assessment
project with one or more ineffective controls if it merits an exception or has a related issue that is resolved to your
satisfaction.

Procedure

1. Perform one of the following actions:

• Click the link in the email notification to open the engagement.


• Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the In
Progress tile, then locate the engagement, and click its name.
2. Review the engagement, including its controls and any associated issues. In the Pending Tasks area, you can
click View for any task to view its details, including the assessment questionnaires associated with control
reviews.
3. In the Pending Tasks list, for the approval task, click Approve/Deny.
4. In the top right corner of the page, perform one of the following actions:

• To approve the engagement, click Approve.


• To deny the engagement, click Deny.
5. Enter a comment to the requester explaining your reasons, and click Confirm approval or Confirm denial.

6. Click Done.

Results

If all of the approvers approve the engagement and there are no more tasks in the project approval phase, the
engagement moves to Completed status. If an approver denies the engagement, it moves to Request Denied
status.

Next Steps

If the engagement is denied but the engagement is not yet in Completed status because the project approval
phase includes tasks that have not yet been completed, and you are either an approver or a member of the
Supplier Risk Engagement Governance Analyst group, you can resubmit the approval. Resubmitting the approval
restarts the approval flow from the beginning so that approvers can make a different decision. To resubmit the
approval, on the engagement page, click View to open the approval task details page, then click Resubmit.

Related Information

The Control-Based Engagement Risk Assessment Process [page 114]
How to Review a Pending Control for Effectiveness Using the Control Review Page [page 228]
Control-Based Engagement Risk Assessment Status Flow [page 267]
Require issue completion for final engagement project approval [page 395]

Topics About Managing Risk Controls

Using the Controls List Page [page 206]

Viewing and Managing Risk Controls Using the Control Details Page [page 208]

How to Change the Expiration Date of a Control Review Decision [page 214]

How to Review a Pending Control for Effectiveness Using the Control Details Page (Two Levels) [page 215]

How to Review and Set the Effectiveness Level for a Risk Control or Service (Five Levels) [page 219]

Skipping an Assessment Response [page 222]

How to Skip a Control Review [page 225]

Reopening a Control Review [page 226]

How to Review a Pending Control for Effectiveness Using the Control Review Page [page 228]

How to Re-Review a Completed Control and Change Its Effectiveness Status Using the Control Review Page [page 232]

Using the Controls List Page

The Controls list page is a central place for viewing and interacting with risk controls. Tabs list all controls for which
the current user is a decision maker and the subsets of controls requiring action from the current user or a decision
maker group to which they belong.

The Controls tile and list page apply to sites in which the Action queue and periodic review of risk controls are
enabled. In sites where those features are not enabled, decision makers access controls via the engagements in
which they are required. For more information on the required setup, see Setting Up Control Review Workflow in
Setting Up SAP Ariba Supplier Risk or Setting Up Control Review Workflow.

The Controls tile on the Supplier Risk dashboard shows the number of controls for which you belong to the
decision maker group. Clicking on the Controls tile takes you to the Controls list page.

Here you can see the expiration date, status, and other information about each control.

Three tabs show different views of the controls.

• All: shows all controls for which you belong to the decision maker group
• My actions: shows all control actions assigned specifically to you
• Group actions: shows all controls needing action, for which a user group to which you belong has
decision-making responsibility

Use the Refresh link to update the list. For example, a control's status may have changed while you have been
reviewing the page.

You can show or hide columns on this page using the table-column icon at upper right, next to the Refresh link.

The page has searchable columns for the following:

| Column | Description |
|---|---|
| Risk control | The name of the risk control. Click the name link to display the control detail page [page 208] for this control. |
| Expiration date | Expiration date for the control review decision. If it does not have an expiration date, the phrase No date set appears here. |
| Status | Status of the control review decision. • Expired: already expired. • Expiring soon: approaching its expiration date. • Pending: needs a review decision. For example, the supplier has submitted a new assessment response. • Waiting for response: waiting for a recipient to submit a response to an underlying assessment. • Completed: has an unexpired decision. |
| Review decision | For Vendor- or Engagement-type controls, this shows the decision or, if there is no decision, the status: • Review decision: possible values depend on whether the site is configured for two or five levels of control effectiveness. • Waiting for response or Pending, if the control does not have a decision. • Skipped: has no effectiveness level because a decision maker skipped the control review, in a site configured to allow this. For Service-level controls, where decisions are made for each service, this shows the status of the control: Waiting for response, Pending, Skipped, or Completed. |
| Supplier name | Name of the supplier for this risk control. |
| Engagement | One of: • ID of the engagement for which this control is required; links to the engagement. • Multiple [n], indicating the number of engagements for this supplier with which this control is associated. Hover over or click this link to see a list of engagement links. |
| Control type | Vendor, Service, or Engagement |
| Control ID | ID for this risk control. |
| Assessments | One of: • ID of the assessment for this control; links to the assessment detail page. • Multiple [n], indicating the number of assessments for this control. Hover over or click this link to see a list of assessment links. • If status data for an assessment was imported, the listing is in the format [Assessment name] - Imported. There is no link because the assessment response is not stored within Supplier Risk. |
| Risk type | From the risk control definition. In sites set up to calculate residual risk by risk domain, the Risk type associated with a control is its risk domain. |
| Regulator mandate | Yes or No: whether this risk control addresses a regulatory requirement. |

Related Information

Viewing and Managing Risk Controls Using the Control Details Page [page 208]
How to Review a Pending Control for Effectiveness Using the Control Details Page (Two Levels) [page 215]

Enable control review workflow [page 369]
Allow no-effectiveness option for control review [page 348]

Viewing and Managing Risk Controls Using the Control Details Page

The control details page collects in one location both summary and usage information for a control. From this page
you can take needed action on the control, such as providing a review decision, extending its expiration date, or
resending assessments to the supplier.

Prerequisites

The parameter Enable control review workflow
(Application.SR.Engagement.EnableControlReviewWorkflow) must be set to Yes in your site. If your site
does not use this feature, see How to Review a Pending Control for Effectiveness Using the Control Review Page
[page 228] or How to Re-Review a Completed Control and Change Its Effectiveness Status Using the Control
Review Page [page 232].

Opening the details page for a risk control

As a member of its decision maker group, you can access the detail page for a control in several ways:

• From the Controls list page [page 206], click on the name of the control.
• From the Action Queue, click on the name of a control that requires action.
• From the engagement page:
• In the Tasks area: click Start to work on a control review task.
• In the Controls area: click View or Review to work with the control for that row.
• From the engagement task list:
1. On the engagement list page, click on the My tasks or Group tasks link.
2. Find the relevant control review task and use the Action icon at right to choose View this task or Start this
task.

The top of the page shows summary information about the control. The lower portion shows additional information
depending on the type of control.

Activities

The actions you can take from this page depend on the control type and its state: whether the control review
decision is expired or about to expire, for example, and whether it already has or needs a decision.

Activity: Reopen the control review
Availability: Use when the control review is expired or soon to expire, to make it available for re-review. Can also be done as needed outside of the periodic review cycle, for any Completed control review.
Description: Choose Action > Reopen control review or click the reopen link in the reminder message above the control's header information. As part of this action, you can optionally resend all assessments. Refer to Reopening a Control Review [page 226].

Activity: Change the expiration date for the control review
Availability: When the control review is not Waiting for response or Pending
Description: Choose Action > Change expiration date. If the control review is expired or soon to expire: you can also click the set a new expiration date link in the reminder message above the control's header information. Refer to How to Change the Expiration Date of a Control Review Decision [page 214].

Activity: Mark the control Effective or Ineffective
Availability: When the control review is available for a decision, and the site is configured for two levels of control effectiveness. If waiting for a supplier's assessment response, for example, this would not be possible. An expired control review must first be reopened to make it available for a decision.
Description: From the Action dropdown, choose Mark as effective or Mark as ineffective. For a vendor- or engagement-level control, you can specify an expiration date as part of this action. To change the expiration date of a service-level control, use Action > Change expiration date. Refer to How to Review a Pending Control for Effectiveness Using the Control Details Page (Two Levels) [page 215].

Activity: Set the effectiveness level for a control or service
Availability: When the control review is available for a decision, and the site is configured for expanded levels of risk control effectiveness.
Description: From the Action dropdown, choose Set effectiveness level. For a vendor- or engagement-level control, you can specify an expiration date as part of this action. To change the expiration date of a service-level control, use Action > Change expiration date. Refer to How to Review and Set the Effectiveness Level for a Risk Control or Service (Five Levels) [page 219].


Activity: Skip the control review
Availability: When the control review is available for a decision, and the site is configured to allow skipping a control review.
Description: From the Action dropdown, choose Skip control review. This displays a dialog where you can choose a reason for skipping and optionally attach a supporting document. Refer to How to Skip a Control Review [page 225].

Activity: Create an issue for a control or service within a control
Availability: When the risk control is required in at least one engagement request for the supplier and the control has a review task, and the site is configured to use issue management projects
Description: For a vendor- or engagement-level control, choose Action > Create issue to open the Issue definition page. For a service-level control, use the Action dropdown in the Services detail section of the page. Refer to How to Raise an Issue for a Control-Based Engagement Risk Assessment or One of Its Risk Controls [page 194].

Activity: Create a finding for a control or service within a control
Availability: When the risk control is required in at least one engagement request for the supplier and the control has a review task, and the site is configured to use findings instead of issues
Description: For a vendor- or engagement-level control, choose Action > Create finding. For a service-level control, use the Action dropdown in the Services detail section of the page. Refer to Creating and Managing Findings [page 303].

Activity: Assign or reassign a control review action
Availability: This option is available when
• The enhancements to engagement task management feature (ARI-6919) is enabled
• The control review is Pending
• It's assigned to you or to a group to which you belong
• You accessed the control from within an engagement
Description: Choose Action > Assign to me to assign the review to yourself. Choose Action > Assign action to assign it back to the decision maker group or to another user in that group. Refer to How to Assign or Reassign a Control Review or Questionnaire To Do Task for an Engagement [page 188].


Activity: Review the control's Residual Risk rating in the summary area of the page
Availability: Residual Risk is shown here if:
• Your site is configured to calculate residual risk by risk domain
• You access this page from the engagement page
• The control has an associated issue, finding, or review decision, depending on your site's method of calculating residual risk.
If you arrive at this page from a page without engagement context, such as the controls list page, no Residual risk field is shown.
Description: Display of the Residual risk field depends on the residual risk calculation method.
• If using the Control Effectiveness method: For a control with a review decision, the Residual risk field shows the value resulting from the combination of the inherent risk of the risk domain for this control and the control's effectiveness level.
• If using the Issues method: For a control with at least one associated issue or finding, the Residual risk field shows the highest residual risk rating for any issue or finding associated with the control.
• For a control without an issue, finding, or review decision, no Residual risk can be determined, so the field does not display.

Vendor- and Engagement-level controls

Multiple tabs allow you to see additional information about a vendor- or engagement-level control.

Tab: Assessments
Description: A list of assessments related to this control with their expiration dates. A blue dot next to the assessment name indicates a new response awaiting a new control review decision.
Here you can:
Click the expand icon to show:
• Date the assessment was last sent, and its status
• The questions in the assessment along with the most recent answers
From the top row of expanded questionnaire information, click View more detail to navigate to the assessment detail page.
Skip an assessment by selecting Skip, if your site is configured to allow this and the assessment does not already have a response. If an assessment has been skipped at least once, choose Skipped response history to view its history of skipped responses with relevant comments and any attachments.

Tab: Issues or Findings
Description: Issues and findings associated with this control, including the due date, status, and assignee for each. The tab's label depends on whether the findings feature is enabled in your site. If both issues and findings exist, both are shown.
Here you can: Click the issue or finding Title link to navigate to the corresponding detail page.

Tab: History
Description: Lists the history of decision maker actions related to this control, for example:
• Mark as effective
• Change expiration date
Each history row shows the user who made the change, date of the action, and any comments the decision maker entered.
Here you can: View a history of actions taken for this risk control.

Tab: Engagements (Vendor-level controls only)
Description: Engagements for this supplier that require this risk control. Shows detail such as the Owner, requestor, and current status of the engagement.
Here you can: Click an ID link to navigate to the engagement page for one of the engagements.

Service-level controls

For these controls, you see a list of included services followed by information about the control's underlying
assessments.

Table: Services
Description: A list of services for this control. Shows the current review decision, if there is one, and other service-specific details for each service.
Here you can:
View issues or findings related to a specific service, by clicking the link in the Issues or Findings column.
View engagements to which this service applies, by clicking the link in the Engagement column.
View a history of decision maker actions related to this service, by clicking the View history link.
Use Action dropdown options depending on the status of the control: enter a review decision for this service, or create an issue or finding for the service.

Table: Assessments
Description: A list of assessments related to this control with their expiration dates. A blue dot next to the assessment name indicates a new response awaiting a new control review decision.
Here you can:
Click the expand icon to show:
• Date the assessment was last sent, and its status
• The questions in the assessment along with the most recent answers
From the top row of expanded questionnaire information, click View more detail to navigate to the assessment detail page.
Skip an assessment by selecting Skip, if your site is configured to allow this and the assessment does not already have a response. If an assessment has been skipped at least once, choose Skipped response history to view its history of skipped responses with relevant comments and any attachments.

Related Information

Setting Up Control Review Workflow
Using the Controls List Page [page 206]
How to Change the Expiration Date of a Control Review Decision [page 214]
How to Review a Pending Control for Effectiveness Using the Control Details Page (Two Levels) [page 215]
Reopening a Control Review [page 226]
Skipping an Assessment Response [page 222]
How to Skip a Control Review [page 225]
Optional Features for Control-based Engagement Risk Assessments
Creating and Managing Findings [page 303]

How to Change the Expiration Date of a Control Review Decision

A decision maker can change the expiration date for a control review.

Prerequisites

The control details page, where you change the expiration date, applies only to sites in which periodic review of risk
controls is enabled.

The parameter Enable control review workflow (Application.SR.Engagement.EnableControlReviewWorkflow) must be
set to Yes in your site.

To change the expiration date of a control review, you must be specified as a decision maker for the control in the
control definition master data for your site.

Context

You can change the expiration date for a control review in status Completed, Expiring soon, or Expired.

Procedure

1. Open the control whose expiration date you need to change.
• To open the control from an engagement:
1. Click Engagement Requests on the Supplier Risk dashboard or in a supplier 360° view.
2. Locate the engagement and click its name.
3. In the Risk Controls area, click View for the relevant control.
• To open the control from the controls list page: On the Supplier Risk dashboard, click the Controls tile,
locate the control, and click its name.
• If the control is Expired or Expiring soon, and the action is assigned to you or to a decision maker group to
which you belong, you can open it from the Action queue.
1. On the Supplier Risk dashboard, click the Actions tile.
2. Locate the relevant Control review expiration action and click the link for the name of the control.

The Control details page opens. The top of this page shows the name of the control with a status badge to
the right. The upper portion of the page shows summary information about the risk control. The lower portion
displays further detail (assessments, issues, engagements, history of the control) depending on the type of
control and how you accessed the page. For service-level controls, it lists each of the relevant control services.
2. Depending on the control's status, you may have two options for choosing to change its expiration date.

• If the control is Expired or Expiring soon, a message near the top of the page offers links allowing you to
reopen it or to set a new expiration date. Click the link for set a new expiration date.
• Choose Action > Change expiration date.

The Change expiration date dialog opens.

3. Click into the date field or click the calendar icon to select a new date.
4. Enter a Comment explaining your change.
5. Click Update.
The control page refreshes to show the new expiration date.

Related Information

Setting Up Control Review Workflow

How to Review a Pending Control for Effectiveness Using the Control Details Page (Two Levels)

As a control decision maker in a site configured with control review workflow and two levels of effectiveness, use
the control details page to review the pending controls assigned to you and mark them as effective or ineffective.
Effectiveness decisions help approvers determine whether or not to approve engagement projects.

Prerequisites

To review a pending control and mark it as effective or ineffective, you must be specified as a decision maker for the
control in the control definition master data in your site.

The control details page applies to sites in which periodic review of risk controls is enabled: the parameter Enable
control review workflow (Application.SR.Engagement.EnableControlReviewWorkflow) is set to Yes. In
sites where that feature is not enabled, decision makers use the Control review page [page 228] instead.

Your site is configured for two levels of control effectiveness: effective and ineffective. The parameter
Expanded levels of risk control effectiveness
(Application.SR.Engagement.ExpandedLevelsOfRiskControlEffectiveness) is set to No.

Context

Pending controls are controls that require review.

In a control-based engagement risk assessment project, each control has one or more assessment questionnaires.
Each assessment questionnaire is a separate modular supplier management questionnaire that might have its own
approval process. You only review a control for effectiveness once all of its associated questionnaires are approved.

A control is pending and requires review:

• If the supplier has submitted an initial response to one of its associated questionnaires, or the control includes
internal assessments. This could be true for a new engagement request or when a control is added to an
engagement via change request or a periodic or ad hoc review.
• If the supplier has updated one of the control's underlying assessments. The assessment might have expired,
the buyer might request an update for some other reason, or the supplier might have updated an "always
open" assessment.
• When a decision maker reopens a control review that is Completed, Expiring soon, or Expired.
• For an engagement-level control:
• In each new engagement request
• When a significant change is made via advanced edit, change request, or review.
• For a service-level control: if at least one of its services was not included in a prior review

Reviewing a pending control for effectiveness involves reviewing the answers to the approved questionnaires
and marking the control or services as effective or ineffective based on those answers. Depending on how your
organization sets up and manages risk controls, you might be the decision maker for one or more controls; one
control might use one or more questionnaires; and one or more controls might include the same questionnaires.

A review for a vendor- or service-level control might be pending in multiple engagement risk assessment projects
at the same time. If it is, you can review it from any project where it is pending. Since different engagement risk
assessment projects can have different combinations of services for the same service-level control, however, you
might have to complete a service-level control review in a specific engagement risk assessment project to review all
of its services.

A decision maker for a control needing review can also access it from the Action queue or from the controls list
page [page 206], if the control review workflow feature is enabled.

Your organization might use issues or findings to document the process of arriving at an ineffective decision for a
control. Depending on your site's configuration, if you try to mark a control as ineffective and it does not already
have at least one issue or finding associated with it, you might see a warning, or you might be required to create
one before you can mark the control as ineffective.

Procedure

1. Open the control for review.
• To open the control from an engagement, do one of the following:
• Click the link in the review email notification to open the engagement.
• Click the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, locate
the engagement, and click its name.
In the Risk Controls area, for the control review task you want to complete, click Review.
• To open the control from the engagement task list:
1. On the engagement list page, click on the My tasks or Group tasks link.
2. Find the relevant control review task and use the Action icon at right to choose View this task or Start
this task.
• To open the control from the Action queue: On the Supplier Risk dashboard, click the Actions tile and
click on the relevant Control review link.
• To open the control from the controls list page: On the Supplier Risk dashboard, click the Controls tile,
locate the control, and click its name.

The Control details page opens. The top of this page shows the name of the control with a badge to the right
indicating its status. The upper portion of the page shows summary information about the risk control. The
lower portion displays further detail (assessments, issues, engagements, history of the control) depending
on the type of control and how you accessed the page. For service-level controls, it lists each of the relevant
control services.

Note

For a service-type control, the list of services may differ depending on how you accessed the control details
page.
• From an engagement: all services for that control that are relevant to that engagement.
• From the controls list page or Action queue: all services for that control.

2. To review the underlying assessments for the control: On the Assessments tab, click the expand icon to the
left of an assessment name, to see questions and responses.

Tip

An assessment with a new response shows a blue dot to the left of the questionnaire name.

If your site is configured to allow this and the assessment does not yet have a response, you can choose to Skip
the response. This allows the engagement workflow to move forward without a response to this assessment.
3. (Optional) To create an issue or finding:
• Vendor- or engagement-level controls: Click Create issue or Create finding in the top right corner of the
page.
• Service-level controls: In the row for the specific service to which the issue applies, open the Action
dropdown and choose the Create issue or Create finding option.

Note

Your site may be configured to require an issue or finding when marking a control or service as Ineffective.
In this case, if no issue or finding currently exists, you must create one before you can proceed.

4. To provide a review decision for a vendor- or engagement-level control:
a. In the top right corner of the page, click Action and choose Mark as effective or Mark as ineffective as
appropriate.
b. (Optional) Enter or change the expiration date for the control.
c. Enter a comment to explain your decision.
d. Click Confirm to confirm your decision.
5. To provide a review decision for a service-level control:
a. In the list of services that the control covers, for each service, click Action and choose Mark as effective or
Mark as ineffective as appropriate.

Note

If control decision makers are reviewing a control that includes the same service in two different
engagement risk assessment projects, when the decision maker marks the service as effective or
ineffective, both engagement pages show that decision. This is true regardless of how you accessed the
control. Keep in mind, however, the possible differences in the list of controls noted in Step 1.

b. Enter a comment to explain your decision.
c. Click Confirm to confirm your decision.
d. (Optional) Enter or change the expiration date for the control: at upper right, choose Action > Change
expiration date.

Results

For engagement- and vendor-level controls, the Review decision field now shows the new decision for this control.
For service-level controls, it shows the status of Completed if all services have effectiveness decisions.

The decision history shows your effectiveness decision and comment.

On the engagement page, the Approval Flow area shows effective controls in green and ineffective controls in
yellow.

After control owners have reviewed all of the pending controls in an engagement risk assessment project and
marked them as effective or ineffective, tasks related to final approval for the engagement start.

If the control is pending in multiple engagement risk assessment projects, those projects update to show the
control effectiveness status and the completed date for the review. In cases where the control review you just
completed was also the final pending control review for another engagement risk assessment project, tasks related
to final approval for that engagement also start.

Next Steps

To re-review a completed control to change your effectiveness decision, first reopen the control review [page 226].

Related Information

Setting Up Control Review Workflow
Using the Controls List Page [page 206]
Viewing and Managing Risk Controls Using the Control Details Page [page 208]
How to Review a Pending Control for Effectiveness Using the Control Review Page [page 228]
Skipping an Assessment Response [page 222]
How to Skip a Control Review [page 225]
Allow users to create general and engagement-related findings [page 349]

How to Review and Set the Effectiveness Level for a Risk
Control or Service (Five Levels)

In a site configured for five levels of control effectiveness, use the control details page to review a pending risk
control assigned to you and set its effectiveness level. These effectiveness decisions help approvers determine the
level of risk this engagement poses to the organization, and whether to approve it.

Prerequisites

To set the effectiveness level for a risk control, you must be specified as a decision maker for the control in the
control definition master data in your site.

Your site must have the control review workflow feature enabled.

Your site must have the expanded levels of risk control effectiveness feature enabled.

Context

Pending controls are controls that require review.

In a control-based engagement risk assessment project, each control has one or more assessment questionnaires.
Each assessment questionnaire is a separate modular supplier management questionnaire that might have its own
approval process. You only review a control for effectiveness once all of its associated questionnaires are approved.

A control is pending and requires review:

• If the supplier has submitted an initial response to one of its associated questionnaires, or the control includes
internal assessments. This could be true for a new engagement request or when a control is added to an
engagement via change request or a periodic or ad hoc review.
• If the supplier has updated one of the control's underlying assessments. The assessment might have expired,
the buyer might request an update for some other reason, or the supplier might have updated an "always
open" assessment.
• When a decision maker reopens a control review that is Completed, Expiring soon, or Expired.
• For an engagement-level control:
• In each new engagement request
• When a significant change is made via advanced edit, change request, or review.
• For a service-level control: if at least one of its services was not included in a prior review

Reviewing a pending control for effectiveness involves reviewing the answers to the approved questionnaires and
setting an effectiveness level based on those answers. Depending on how your organization sets up and manages
risk controls, you might be the decision maker for one or more controls; one control might use one or more
questionnaires; and one or more controls might include the same questionnaires.

A review for a vendor- or service-level control might be pending in multiple engagement risk assessment projects
at the same time. If it is, you can review it from any project where it is pending. Since different engagement risk
assessment projects can have different combinations of services for the same service-level control, however, you
might have to complete a service-level control review in a specific engagement risk assessment project to review all
of its services.

A decision maker for a control needing review can also access it from the Action queue or from the controls list
page [page 206].

Your organization might use issues or findings to document the process of arriving at an ineffective decision for a
control. Depending on your site's configuration, if you try to mark a control as Completely ineffective and it does
not already have at least one issue or finding associated with it, you might see a warning, or you might be required
to create one before you can mark the risk control as Completely ineffective.

Procedure

1. Open the control for review.
• To open the control from an engagement, do one of the following:
• Click the link in the review email notification to open the engagement.
• Click the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, locate
the engagement, and click its name.
In the Risk Controls area, for the control review task you want to complete, click Review.
• To open the control from the engagement task list:
1. On the engagement list page, click on the My tasks or Group tasks link.
2. Find the relevant control review task and use the Action icon at right to choose View this task or Start
this task.
• To open the control from the Action queue: On the Supplier Risk dashboard, click the Actions tile and
click on the relevant Control review link.
• To open the control from the controls list page: On the Supplier Risk dashboard, click the Controls tile,
locate the control, and click its name.

The Control details page opens. The top of this page shows the name of the control with a badge to the right
indicating its status. The upper portion of the page shows summary information about the risk control. The
lower portion displays further detail (assessments, issues, engagements, history of the control) depending
on the type of control and how you accessed the page. For service-level controls, it lists each of the relevant
control services.

Note

For a service-type control, the list of services may differ depending on how you accessed the control details
page.
• From an engagement: all services for that control that are relevant to that engagement.
• From the controls list page or Action queue: all services for that control.

2. To review the underlying assessments for the control: On the Assessments tab, click the expand icon to the
left of an assessment name, to see questions and responses.

Tip

An assessment with a new response shows a blue dot to the left of the questionnaire name.

If your site is configured to allow this and the assessment does not yet have a response, you can choose to Skip
the response. This allows the engagement workflow to move forward without a response to this assessment.
3. (Optional) To create an issue or finding for the control:
• Vendor- or engagement-level controls: Click Create issue or Create finding in the top right corner of the
page.
• Service-level controls: In the row for the specific service to which the issue or finding applies, open the
Action dropdown and choose the Create issue or Create finding option.

Note

Your site may be configured to require an issue or finding when marking a control or service as Completely
ineffective. In this case, if no issue or finding currently exists, you must create one before you can proceed.

4. To set the effectiveness level for a control review decision for a vendor- or engagement-level control:
a. In the top right corner of the page, click Action and choose Set effectiveness level.
b. Choose one of the options for the effectiveness level.

Note

If your organization requires at least one issue for controls that are marked as Completely ineffective:
if you select that option and the control doesn't already have an issue, you must create one now, before
you can proceed. Choose Create issue; submitting the issue will bring you back here to finish.

c. (Optional) Enter or change the Expiration date for the control.
d. Enter a comment with additional information.
e. Choose Confirm to save your choice.
5. To set the effectiveness level for a control review decision for a service-level control:
a. In the list of services that the control covers, for each service, click Action and choose Set effectiveness
level.

Note

If control decision makers are reviewing a control that includes the same service in two different
engagement risk assessment projects, when the decision maker chooses an effectiveness level, both
engagement pages show that decision. This is true regardless of how you accessed the control. Keep in
mind, however, the possible differences in the list of controls noted in Step 1.

b. Choose one of the options for the effectiveness level.

Note

If your organization requires at least one issue for controls that are marked as Completely ineffective:
if you select that option and the service doesn't already have an issue, you must create one now, before
you can proceed. Choose Create issue; submitting the issue will bring you back here to finish.

c. Enter a comment with additional information.
d. Choose Confirm to save your choice.
e. (Optional) Enter or change the expiration date for the control: at upper right, choose Action > Change
expiration date.

Results

For engagement- and vendor-level controls, the Review decision field now shows the new decision for this control.
For service-level controls, it shows the status of Completed if all services have effectiveness decisions.

The decision history shows your effectiveness decision and comment.

After control owners have reviewed all of the pending controls in an engagement risk assessment project and either
set an effectiveness level for or (if this feature is enabled) skipped them, tasks related to final approval for the
engagement start.

If the control is pending in multiple engagement risk assessment projects, those projects update to show the
control effectiveness status and the completed date for the review. In cases where the control review you just
completed was also the final pending control review for another engagement risk assessment project, tasks related
to final approval for that engagement also start.

Next Steps

To re-review a completed control to change your effectiveness decision, first reopen the control review [page 226].

Related Information

Using the Controls List Page [page 206]
Viewing and Managing Risk Controls Using the Control Details Page [page 208]
Skipping an Assessment Response [page 222]
How to Skip a Control Review [page 225]

Skipping an Assessment Response


If a response to a specific assessment is not needed in order to make an effectiveness decision for the
corresponding risk control, the decision maker can skip it. This allows the decision maker to complete the control
review task without waiting for a reply from the supplier or internal respondent.

Prerequisites

To skip an assessment response, you must be specified as a decision maker for the control in the control definition
master data for your site.

The assessment must be awaiting a response.

The ability to skip an assessment response applies to sites in which this feature is enabled. An
administrator must set the parameters Allow decision maker to skip an assessment response
(Application.SR.Engagement.AllowSkipAssessmentResponse) and Enable control review workflow
(Application.SR.Engagement.EnableControlReviewWorkflow) to Yes.

Context

You can skip an assessment response from the control details page.

Procedure

1. Access the control from the engagement, engagement task list, controls list page, or Action queue.
2. On the control details page, navigate to the Assessments tab (for a vendor- or engagement-level control) or
scroll down to the Assessments area (for a service-level control). A Skip button displays for any assessment
waiting for a response.

 Note

If the assessment is set up for imported responses, you cannot skip it. In this case, the Skip button does
not display.

3. To the right of the assessment name, click Skip. This displays the Skip assessment response dialog.
4. Enter a Comment with additional information.
5. (Optional) Click Browse to find and attach a document supporting your decision to skip this assessment
response.

6. (Optional) You may want to use Action > Change expiration date to set an expiration date for the
corresponding risk control. A skipped assessment has no expiration date to use as a default for the control's
expiration date.

Results

Skipping an assessment response is treated the same as receiving a response, in terms of completing the
prerequisites to starting the control review task. For example, if all other underlying assessments for this risk
control have responses, and then this last one is skipped, the next phase of the engagement request workflow can
start.

The assessment's Skipped response history link shows a record of the activity and a link to any attached
document.

Members of the Project owner project group receive the Project state update notification. A skipped assessment
is treated as canceled so the notification indicates the questionnaire has been canceled.

If the modular questionnaire is defined to be Always open, skipping the assessment overrides this definition. The
assessment is Canceled.

Engagement page: The skipped assessment displays in the Risk assessments area with a Status of Skipped.

Supplier 360° profile: Because it is now Canceled, the skipped assessment no longer displays in the
Questionnaires area of the supplier 360° profile.

Next Steps

You can re-request a skipped assessment response by reopening the corresponding risk control, and choosing to
resend all assessments as part of that process. The recipient can then respond to the assessment, or the decision
maker can once again skip the assessment response.

 Note

When reopening a control with a skipped assessment, the parameter Reuse respondent answers when
resending assessments (Application.SR.Engagement.ReuseAnswersWhenResendingAssessments)
does not influence the behavior for the skipped assessment. There are no prior answers to reuse because
the assessment was skipped.

You cannot use Request Update to request an updated response because a canceled assessment has no
questionnaire details page.

 Note

After a control review or an assessment response has been skipped, a new engagement activity, such as a
change request or a new engagement request, might require the same control and assessment for this supplier.
The reuse behavior for the new engagement activity depends on their previous statuses. The table below shows
several examples of control and assessment statuses before and the results after sending assessments for the
new activity.

| Control (Before) | Assessment (Before) | Reuse Behavior | Control (After) | Assessment (After) |
|---|---|---|---|---|
| Skipped | Approved | The control reopens. | Pending | Approved |
| Skipped | Skipped | Both control and assessment reopen. | Pending | Not responded |
| Effective | Skipped | The existing review decision applies to the new activity; the control does not reopen and the assessment remains Skipped. | Effective | Skipped |

How to Skip a Control Review

When it's not possible to judge the effectiveness of a control based on the available evidence, a decision maker
can skip the control review. This allows the control review task to complete without the decision maker setting an
effectiveness level.

Prerequisites

To skip a control review, you must be specified as a decision maker for the control in the control definition master
data for your site.

The ability to skip a control review applies to sites in which this feature is enabled.
An administrator must set the parameters Allow no-effectiveness option for control review
(Application.SR.Engagement.AllowNoEffectivenessOptionForControlReview) and Enable control
review workflow (Application.SR.Engagement.EnableControlReviewWorkflow) to Yes.

Context

You can skip a control review in any situation when entering a decision is an option.

Procedure

1. Access the control from the engagement, engagement task list, controls list page, or Action queue.
2. To skip a control review decision for a vendor- or engagement-level control:
a. In the top right corner of the page, click Action and choose Skip control review.
b. Use the dropdown to select a Reason for your decision.
c. Enter a comment with additional information.
d. For Review again? choose Yes or No, indicating whether a decision maker should re-review the skipped
control review in the future.

• If Yes, enter a date for Expires on. This expiration date triggers a Control review expiration action on
the Action queue when the skipped control review expires or is approaching expiration.
• If No, the skipped control review does not expire, so the Expires on date field is not shown.
e. (Optional) Click Browse to find and attach a document supporting your decision to skip this control review.
3. To skip a control review decision for a service-level control:
a. For the service whose control review you want to skip, choose Action > Skip control review.

 Note

If control decision makers are reviewing a control that includes the same service in two different
engagement risk assessment projects, when the decision maker skips the control review for the
service, both engagement pages show the control review decision for the service as Skipped. This
is true regardless of how you accessed the control.

b. Use the dropdown to select a Reason for your decision.
c. Enter a comment with additional information.
d. (Optional) Click Browse to find and attach a document supporting your decision to skip this control review.

 Tip

There is no option to mark the skipped control review for a service as not requiring re-review. To change
the expiration date for a service-level control, choose Action > Change expiration date at the control
level.

Results

The control's History tab shows a record of the activity and a link to any attached document.

The skipped control review displays in the Risk controls areas of the supplier 360° profile and the engagement
page with a Status of Skipped.

Skipping a control review is treated as completing the control review task, in the same way as setting an
effectiveness level. For example, if the control review just skipped represents the last required control review for an
engagement request, the next phase of the engagement request workflow can start.

If the skipped control review has an expiration date, the Action queue calls attention to its expiration in the same
way that other control review decisions expire. A Control review expiration action appears on the Action queue
when the skipped control review decision is Expiring soon or Expired. The decision maker can then reopen the
control review and either set an effectiveness level or once again skip the control review.

Reopening a Control Review

When the effectiveness status of a control or service is no longer applicable, reopen the control review to make it
available for a new decision. This process can optionally include resending all assessments.

Prerequisites

To reopen a control review, you must be specified as a decision maker for the control in the control definition
master data for your site.

The control details page and the reopening process apply to sites in which periodic review of risk controls is
enabled. In sites where that feature is not enabled, decision makers instead use the control review page [page 232]
to change review decisions.

Context

Reopen the review of a control for a supplier when its status is

• Expired: the control review is beyond its expiration date. A control's expiration date defaults to the earliest
expiration date amongst its underlying assessments.
• Expiring soon: it is within a configured number of days of its expiration date. Find this configuration setting on
the Control review tab of the Configure periodic reviews page.
• Complete: for another reason, you need to revisit the effectiveness decision, based on the existing evidence or
by collecting new evidence.

When reopening a control, you can optionally resend all assessments. You might want to do this if at least one of
the assessments has expired, but you can also resend even if none of them has.

Depending on its status, you can access the control from

• The controls list page


• (Engagement-level controls) The engagement where the control's review decision needs to be updated
• (Vendor- or service-level controls) Any engagement where it is required.

 Remember

For a service-type control, the list of services may differ depending on how you accessed the control details
page:
• From an engagement: all services for that control that are relevant to that engagement.
• From the controls list page or Action queue: all services for that control.

• The Action queue, if the control is Expired or Expiring soon and the Control review expiration action is
assigned to you or to a decision maker group to which you belong

Procedure

1. Access the control you need to reopen, from:

• An engagement:
1. Click Engagement Requests on the Supplier Risk dashboard or in a supplier 360° view.
2. Locate the engagement and click its name.
3. In the Risk Controls area, for the control you want to reopen, click View.
• The controls list page: On the Supplier Risk dashboard, click the Controls tile, locate the control, and
click its name.
• The Action queue:
1. On the Supplier Risk dashboard, click the Actions tile.
2. Locate the relevant Control review expiration action and click the link for the name of the control.

The Control details page opens. The top of this page shows the name of the control with a badge to the right
indicating its status. The upper portion of the page shows summary information about the risk control. The
lower portion displays further detail (assessments, issues, engagements, history of the control) depending
on the type of control and how you accessed the page. For service-level controls, it lists each of the relevant
control services.

2. To review the underlying assessments for the control: On the Assessments tab, click the expand icon to the
left of an assessment name to see questions and responses.
3. Reopen the control review. Options depend on its status.

• If the control is Expired or Expiring soon, a message near the top of the page offers links allowing you to
reopen it or to set a new expiration date. Click the reopen link.
• Choose Action > Reopen control review.

The Reopen control review dialog opens.


4. Choose an option from the dropdown to indicate your Reason for reopening the control review. You can also
enter a Comment.
5. Optionally, you can choose to Resend all assessments.
6. Click Reopen.
• If you are not resending assessments, reopening changes the control's status to Pending, ready for a new
effectiveness decision.
• If you checked Resend all assessments, the control's status changes to Waiting for response. Once all
assessments for the control have new responses, the control becomes Pending.
• An assessment might be set up to import responses. When you "resend" such an assessment, you are
requesting to import the supplier's current response.

Related Information

Setting Up Control Review Workflow
Using the Controls List Page [page 206]
Viewing and Managing Risk Controls Using the Control Details Page [page 208]
How to Change the Expiration Date of a Control Review Decision [page 214]
About Risk Controls in SAP Ariba Supplier Risk [page 112]

How to Review a Pending Control for Effectiveness Using the Control Review Page

As a control decision maker in a site configured without periodic review of risk controls, use the control review
page to review the pending controls assigned to you and mark them as effective or ineffective. These effectiveness
decisions help approvers determine whether or not to approve engagement projects.

Prerequisites

To review a pending control and mark it as effective or ineffective, you must be specified as a decision maker for the
control in the control definition master data in your site.

The control review page applies specifically to sites in which periodic review of risk controls is not enabled. In sites
where that feature is enabled, decision makers use the control details page [page 215] instead.

Context

Pending controls are controls that require review.

In a control-based engagement risk assessment project, each control has one or more assessment questionnaires.
Each assessment questionnaire is a separate modular supplier management questionnaire that might have its own
approval process. You only review a control for effectiveness once all of its associated questionnaires are approved.

A control is pending and requires review if

• The supplier has submitted initial responses to its associated questionnaires, or the control includes internal
assessments. This could be true for a new engagement request or when a control is added to an engagement
via change request or a periodic or ad hoc review.
• The supplier has updated one of the control's underlying assessments. The assessment might have expired,
the buyer might request an update for some other reason, or the supplier might have updated an "always
open" assessment.
• For an engagement-level control:
• In each new engagement request
• When a significant change is made via advanced edit, change request, or review.
• For a service-level control: if at least one of its services was not included in a prior review

Reviewing a pending control for effectiveness involves reviewing the answers to the approved questionnaires
and marking the control or services as effective or ineffective based on those answers. Depending on how your
organization sets up and manages risk controls, you might be the decision maker for one or more controls; one
control might use one or more questionnaires; and one or more controls might include the same questionnaires.

A review for a vendor- or service-level control might be pending in multiple engagement risk assessment projects
at the same time. If it is, you can review it from any project where it is pending. Since different engagement risk
assessment projects can have different combinations of services for the same service-level control, however, you
might have to complete a service-level control review in a specific engagement risk assessment project to review all
of its services.

Your organization might use issues to document the process of arriving at an ineffective decision for a control.
Depending on your site's configuration, if you try to mark a control as ineffective and it does not already have at
least one issue associated with it, you might see a warning, or you might be required to create an issue for the
control before you can mark it as ineffective.

Procedure

1. Open the control for review.

• To open the control from an engagement, do one of the following:


• Click the link in the review email notification to open the engagement.
• Click the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, locate
the engagement, and click its name.
Open the control:
• In the Tasks area, click Start next to the control review task you want to complete
• In the Risk controls area, click Review next to the appropriate control

• To open the control from the engagement task list:
1. On the engagement list page, click on the My tasks or Group tasks link.
2. Find the relevant control review task and use the Action icon at right to choose View this task or Start
this task.

The Control review page opens. This page, labeled Control review at the top, shows information about the
risk control and the associated approved assessment questionnaires submitted for the engagement's supplier.
For service-level controls, it lists each of the control services that are included in the current engagement risk
assessment project.
2. Click Review to the right of any assessment questionnaire to view its answers.

 Note

An assessment for which the status was imported does not show a Review button because the underlying
assessment is not stored in SAP Ariba Supplier Risk.

3. (Optional) To create an issue for the control:


• Vendor- or engagement-level controls: Click Create issue in the top right corner of the page.
• Service-level controls: In the row for the specific service to which the issue applies, click Create issue.
Clicking Submit or Cancel on the Create issue page returns you to this page.
4. To provide a review decision for a vendor- or engagement-level control:
a. In the top right corner of the page, click Effective or Ineffective as appropriate.

 Note

If your organization requires at least one issue for controls that are marked as Ineffective: if you select
that option and the control doesn't already have an issue, you must create one now, before you can
proceed. Choose Create issue; submitting the issue will bring you back here to finish.

b. (Optional) Enter a comment to explain your decision.


c. Click Yes to confirm your decision.
5. To provide a review decision for a service-level control:
a. In the list of services that the control covers, for each service, click Effective or Ineffective as appropriate.

 Note

If your organization requires at least one issue for controls that are marked as Ineffective: if you select
that option and the control doesn't already have an issue, you must create one now, before you can
proceed. Choose Create issue; submitting the issue will bring you back here to finish.

b. (Optional) Enter a comment to explain your decision.


c. Click Yes to confirm your decision.
d. Repeat these steps to review each service that requires a review in the current engagement.
e. After you have reviewed all services for the current control review, click Complete Review.

 Note

A service-level control review is not complete until you click Complete Review. You can change any
decisions from the current control review until you complete the review, at which point the decisions
are final. If control decision makers are reviewing a control that includes the same service in two
different engagement risk assessment projects, when the decision maker marks the service as effective or
ineffective in one control review, the other control review page shows that decision. However, the decision
maker for the second review must still click Mark Complete to complete the review.

Results

The control you reviewed now has a status of Completed. The decision history shows your effectiveness decision
and comment.

On the engagement page, the Approval Flow area shows effective controls in green and ineffective controls in
yellow. For service-level controls, if you marked at least one of the services as ineffective, the overall control shows
as ineffective.

After control owners have reviewed all of the pending controls in an engagement risk assessment project and
marked them as effective or ineffective, tasks related to final approval for the engagement start.

If the control is also pending in any other engagement risk assessment projects, those projects update to show the
control effective status and the completed date for the review. In cases where the control review you just completed
was also the final pending control review for another engagement risk assessment project, tasks related to final
approval for that engagement also start.

Next Steps

You can edit the comment for the most recent effectiveness decision on a control. On the engagement page, click
View to view the control review, then click Edit Comment next to the comment.

You can also re-review a completed control to change your effectiveness decision [page 232].

Related Information

The Control-Based Engagement Risk Assessment Process [page 114]
Control-Based Engagement Risk Assessment Status Flow [page 267]
How to Re-Review a Completed Control and Change Its Effectiveness Status Using the Control Review Page [page
232]
About Risk Controls in SAP Ariba Supplier Risk [page 112]

How to Re-Review a Completed Control and Change Its Effectiveness Status Using the Control Review Page

When the effectiveness status of a control or service is no longer applicable, a control decision maker in a site
configured without periodic review of risk controls uses the control review page to re-review the control and change
the effectiveness decision.

Prerequisites

To re-review a control and change its effectiveness status, you must be specified as a decision maker for the control
in the control definition master data for your site.

You can re-review a completed control in any engagement risk assessment project that uses the control.

The control review page applies specifically to sites in which periodic review of risk controls is not enabled. In
sites where that feature is enabled, the decision maker instead reopens the control review [page 226] to allow for
changing the decision.

Context

Re-reviewing a control for effectiveness involves reviewing the answers to the approved questionnaires and the
current effectiveness status and, if necessary, changing the status.

A completed vendor- or service-level control might be required in more than one engagement risk assessment
project. If it is, you can re-review it from any project where it is required. Since different engagement risk
assessment projects can have different combinations of services for the same service-level control, however, you
might have to re-review a service-level control in a specific engagement risk assessment project to re-review a
particular service.

Procedure

1. Click the Engagement requests tile on the Supplier Risk dashboard, locate an engagement that uses the
completed control, and click its name.

 Tip

You can run the Risk Control Summary report to see which engagement risk assessment projects use
specific controls.

2. Click View for a specific control in the Risk controls area of the engagement page.

The Control review page opens. This page, labeled Control review at the top, shows information about the
risk control and the associated approved assessment questionnaires submitted for the engagement's supplier.
For service-level controls, it lists each of the control services that are included in the current engagement risk
assessment project.

3. Click Review to the right of any assessment questionnaire to view its answers.

 Note

An assessment for which the status was imported does not show a Review button because the underlying
assessment is not stored in SAP Ariba Supplier Risk.

4. To change the effectiveness decision for an engagement- or vendor-level control:


a. (Optional) Review the effectiveness decision history for the control, including comments left by previous
reviewers. The History table only shows for controls that have been re-reviewed at least once.
b. In the upper right corner of the page, click Change status.

 Note

If changing from Effective to Ineffective, remember to create an issue if the control doesn't already
have one and your organization requires this. Choose Create issue; submitting the issue will bring you
back here to finish.

c. (Optional) Enter a comment to explain your decision.


d. Click Yes to confirm your decision.
5. To change the effectiveness decision for a service-level control:
a. (Optional) In the list of engagement services reviewed for the control, click History to view the
effectiveness decision history for the service, including comments left by previous reviewers. The History
button only shows for services that have been re-reviewed at least once.
b. In the list of engagement services reviewed for the control, click Change status.

 Note

If changing from Effective to Ineffective, remember to create an issue if the service doesn't already
have one and your organization requires this. Choose Create issue; submitting the issue will bring you
back here to finish.

c. (Optional) Enter a comment to explain your decision.


d. Click Yes to confirm your decision.
e. Repeat these steps for each service in the control that you want to re-review.

Results

The control shows the updated Effective or Ineffective status in each engagement risk assessment project where
it is required. The decision history includes the latest effectiveness decision.

Related Information

How to Run the Risk Control Summary Report [page 272]
How to Review a Pending Control for Effectiveness Using the Control Review Page [page 228]
About Risk Controls in SAP Ariba Supplier Risk [page 112]
The Control-Based Engagement Risk Assessment Process [page 114]
Viewing and Managing Control-Based Engagement Risk Assessment Projects [page 120]

Topics About Processing an Engagement Change Request

About Opening an Engagement for Which a Change Request Is in Progress [page 234]

How to Change a Live Engagement Request by Processing a Change Request [page 235]

How to Edit an Engagement Change Request [page 238]

About Editing a Previously Submitted Change Request [page 240]

How to Approve or Deny a Change Request (Initial) [page 243]

How to Approve or Deny a Change Request with Significant Changes (Final) [page 245]

How to Cancel a Submitted Change Request [page 246]

How to Revert a Draft Change Request [page 248]

About Opening an Engagement for Which a Change Request Is in Progress

Depending on the status of the engagement and your user permissions, the Ongoing change request dialog offers
appropriate navigation choices.

If an engagement is undergoing a change request, your choice to open the engagement may trigger a navigation
choice depending on your role and permissions in the engagement.

An engagement with a change request in process is listed in the Completed area of the engagements dashboard
and has a status of Change request: [status]. When, as a user with some authorization to view or work with the
engagement, you click on the name link, the result depends on the state of the change request (in draft or already
submitted) and your global and engagement-specific permissions.

If the change request is in Draft status, the engagement's status shows as Change Request: Draft.

• The creator or the on behalf of user for the change request can re-open it. These users see a dialog where they
can choose to continue editing the draft change request, or open the summary page for the live engagement, in
view-only mode.
• Other users land on a view-only engagement summary page. An indicator at the top of the page notes that a
change request is in process.

If the change request has already been submitted, its status shows as Change Request: [phase name] - In
Progress. In this case, all users see a choice dialog. You can navigate to the ongoing Change Request or the
current Live Version of the engagement.

• Choosing Change Request brings up the engagement page with the indicator Change Request in Progress
displayed at the top. Actions you can take on this page depend on your permissions and role in the
engagement.

• Choosing Live Version displays the current live version of the engagement. Because there is a change request
in progress, this page is view-only for all users.

If a submitted change request is currently being edited, the engagement's status shows as Change Request: In
Edit.

• The original editor of the change request can re-open it. These users see a dialog where they can choose to
continue editing the change request, or open the engagement page for the currently active change request.
Possible actions depend on the user's permissions and role in the engagement.

 Tip

The editor can also access the live version of the engagement:
1. Choose the option to view the current active change request.
2. From the engagement page, click the View history link. The version history includes a link to the live
version of the engagement.

• Other users see a choice between navigating to the Change Request or the Live Version.
• Choosing Change Request brings up the engagement page with the indicator Change Request in
Progress displayed at the top. While the change request is In Edit, due diligence activities associated with
the change request workflow can continue. Actions you can take on this page depend on your permissions
and role in the engagement.
• Choosing Live Version displays the current live version of the engagement. Because there is a change
request in progress, this page is view-only for all users.

How to Change a Live Engagement Request by Processing a Change Request

An engagement project owner can initiate a change request to document and seek approval for adjustments to a
live engagement request.

Prerequisites

You have configured a change request workflow in the Supplier Risk Engagement Template as described in Optional
Features for Control-based Engagement Risk Assessments and Phases and Tasks for Control-Based Engagement
Risk Assessment Projects in Setting Up SAP Ariba Supplier Risk.

You can create a change request if:

• You are a member of the Project Owner project group, and you belong to the Supplier Risk Engagement
Requester user group.
• The engagement project you want to change is in Completed status, meaning all required due diligence and
approvals were completed successfully.
• If an earlier change request was canceled, the engagement is shown on the Completed list. Such an
engagement is eligible for a new change request.
• If the engagement has a change request that was Denied, the engagement is shown on the Completed list
with a status like Change Request: [phase name] - Denied. In this case you can

• Open the approval task that was denied, and resubmit it.
• Cancel the denied change request. This moves the engagement back to status Completed. You can
then start a new change request.

Context

Change request workflow mirrors similar phases of the engagement request process.

• To change an engagement request before final approval, use the editing process (Action > Edit request).
• To change a live engagement project (a project from the Completed list on the engagements dashboard), use
the change request process (Action > Change request).

The following steps assume that a change request is not already in progress.

Procedure

1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the
Completed tile, locate the engagement, and click its name.

2. In the upper right corner of the engagement page, choose Action > Change request.
3. A confirmation message requires entry of Reason text. Optionally you can also specify another user on whose
behalf you are creating the change request. Then choose OK to continue. Both the creator and any on behalf
of user are added to the Change Request Owners project group.
4. The change request editing pages allow you to request changes to attributes, business details, or screening
question responses for the engagement project. Use the Next and Back buttons to navigate to different steps
of the change request and edit information as needed.
• Changes to business details may cause screening questions to be added or removed. When you click Next
after making such changes, business detail changes are saved and the number of questions added and
removed is noted on the Inherent Risk Screening Questions page.
• Changed answers to the Inherent Risk Screening Questions may cause risk controls to be added or
removed. When you click Next after making such changes, changes are saved and the number of controls
added and removed is noted on the supplier selection page.
• The supplier selection page is displayed, but you cannot use a change request to change the supplier for a
live engagement.
• Each section of the Review Request page highlights additions and changes.
5. If you need to exit a change request before submitting it, you can:
• Choose Save at any point to save your changes without submitting. The request is included in the
engagement request Completed tile, with status Change Request: Draft. The creator or the on behalf
of user for the change request can re-open it, with a choice to continue editing the change request or to
open the engagement summary page for the live version of the engagement.
• Choose Revert Change to delete the change request and undo all changes associated with it. If you click
OK to the confirmation message, the engagement request reverts to the current live version, its state
before the change request was started.

6. Navigate to the final review step and click Submit request.

Results

When the change request is submitted:

• If there are significant changes, the change request initial approval and change request final approval phases
are activated.
• If there are no significant changes, but some changes are insignificant requiring approval, only the change
request initial approval phase is activated.
• If the only changes are insignificant:
• If the change request was previously denied, the change request initial approval task is reactivated.
• If this is not a resubmit of a denied change request, the change request is automatically approved. This
triggers creation of a new version of the live engagement project, incorporating the changes.

Depending on the changes and your organization's control-based engagement risk assessment process,
appropriate downstream tasks are activated and corresponding notifications are sent. For details of results when
an approval task is approved or denied, see How to Approve or Deny a Change Request (Initial) [page 243] or How
to Approve or Deny a Change Request with Significant Changes (Final) [page 245].

Issues created during the change request lifecycle are associated with the engagement or the control for which
they are created.

Note

While a change request is in progress, analytical reports will continue to show data from the current live version
of the engagement. When the change request completes, new data is then available for reporting. For more
information, see Analytical Reporting for Control-Based Engagement Risk Assessment Projects [page 275].

Related Information

About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]

How to Edit an Engagement Change Request

A member of the Change Request Owners project group can edit an ongoing (submitted) change request to add
or change details.

Prerequisites

The self-service parameter Enable editing of in-progress change requests
(Application.SR.Engagement.AllowChangeRequestEdit) must be set to Yes.

To start an edit of an engagement change request:

• You must be a member of the Change Request Owners project group and of the Supplier Risk Engagement
Requestor user group.
• There must be a change request in progress for the engagement request.
• The change request must not be in Draft status; in this case the engagement status would be Change
Request: Draft. A draft change request can be changed, but only by its original creator or by the on behalf
of user, if one was specified.
• When a change request is in progress, the status of the engagement is like Change Request: [phase name]
- In Progress.
• The engagement must not be in Change Request: In Edit status with a different user. If a change request edit
was saved during the edit process, editing of that change request can only be continued by the original editor.

Context

You can edit an engagement change request at any point before completion, including change requests that were
denied.

The engagement request changes to status Change Request: In Edit until the edit is submitted. While a request is
in Change Request: In Edit status:

• Assessments cannot be sent.
• Evidence collection and control review tasks for the change request can proceed.

Procedure

1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view. In the
Completed list, locate the engagement, and click its name.
2. The Ongoing Change Request dialog offers a choice between navigating to the Change Request or to the
summary page for the current Live Version of the engagement. Choose Change Request.

3. In the upper right corner of the engagement page, choose Action > Edit change request. A confirmation
message lists general rules of the editing process, and requires entry of Reason text to continue.

Note

If a change request edit is already in progress, the Edit change request option is disabled.

4. Use the Next and Back buttons to navigate to different steps of the request and edit information as needed.
When editing a previously submitted change request:
• Changes to business details may cause screening questions to be added or removed. When you click Next
after making such changes, business detail changes are saved and the number of questions added and
removed is noted on the Inherent Risk Screening Questions page.
• Changed answers to the Inherent Risk Screening Questions may cause risk controls to be added or
removed. When you click Next, changes are saved and the number of controls added and removed is noted
on the supplier selection page.
• You cannot change the supplier as part of a change request or an edit to a change request. Click Review
request to move on to the Review Request page.
• Each section of the Review Request page highlights additions and changes.
5. If you need to exit an In Edit change request without submitting it, you can:
• Choose Save at any point to save your changes without submitting. The request is included in the list of
Completed engagement requests, with status Change Request: In Edit.
• The original editor of the change request can return to Step 1 and re-open the engagement, choosing
the option to continue editing.
• Other authorized users can view an engagement whose status is Change Request: In Edit, and
complete tasks other than Send Assessments in the change request due diligence workflow, but they
cannot take over the editing.
• Choose Revert edit to undo all edits made while this request has been in Change Request: In Edit status.
If you click OK to the confirmation message, the change request reverts to its pre-edit state.
6. Navigate to the final review step and click Submit request.

Caution

After submitting a change request edit, there is no option to roll back to an earlier version of the change
request.

Results

Submitting the edited change request may trigger adjustments to the approval phases, tasks, assessments, and
controls. This depends on a comparison of the changes between the live version of the engagement, the pre-edit
change request, and the edited change request.

The final version of the change request, the version that is ultimately completed, is tracked in the version history
[page 130]. Individual instances of editing a change request are not tracked in the history.

Related Information

The Control-Based Engagement Risk Assessment Process [page 114]

The Issue Management Process for Risk Controls and Control-Based Engagement Risk Assessment Projects [page 117]
Control-Based Engagement Risk Assessment Status Flow [page 267]
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]

About Editing a Previously Submitted Change Request

An ongoing change request can be edited by one user at a time. The significance of the changes, evaluated when
you submit the edit, determines whether further downstream activities such as sending assessments or reviewing
additional risk controls are required.

This topic applies only to sites configured for editing of in-progress change requests.

Working with a Change Request That Is Currently Being Edited

The following table summarizes actions users can take for a change request while its status is Change Request:
In Edit. Generally, all existing tasks associated with the change request can continue, with the exception that
assessments cannot be sent.

| Action | Editor of the Request | Other Assigned User with Permissions |
|---|---|---|
| Save during edit | Yes | Not applicable - only one editor |
| Reopen a saved In Edit request for further editing | Upon opening, the editor can choose to continue editing the change request, or to open the active engagement page for the pre-edit change request, where most activities can continue | Only the original editor can continue the edit. Upon clicking the engagement name, these users can navigate to the active engagement page for the pre-edit change request, where most activities can continue, or to the current live version of the engagement, in view-only mode. |
| Send assessments | No user can send assessments while a change request is being edited | No user can send assessments while a change request is being edited |
| Complete approval tasks assigned to this user | Yes | Yes |
| Complete internal assessments assigned to this user that were sent before the change request was opened for editing | Yes | Yes |
| Complete control review tasks assigned to this user | Yes | Yes |

Significance of Changes

When you submit an edit to a change request, the proposed changes are evaluated for significance. The result of
this evaluation affects the downstream due diligence tasks for the change request.

• A change request has significant changes when they result in the addition of one or more controls.
• If you change the response for an attribute or question defined in the project template with the supplier field
mapping project.reapprove, this change is considered insignificant requiring approval.
• Removal of a control can be considered significant or insignificant requiring approval,
depending on the setting for the parameter Treat control removal as a significant change
(Application.SR.Engagement.TreatControlRemovalAsSignificant) [page 404].
• Changes to the request are considered insignificant when they do not result in addition or removal of controls.
• If a new commodity was added, triggering re-review for a service-type control specifically for this new service:
this is not the addition of a control and thus is not considered a significant change. The new service alone does
not re-trigger the approval task.

Submitting the edited change request may trigger adjustments to the approval phases, tasks, assessments, and
controls. This depends on a comparison of the changes between the live version of the engagement, the pre-edit
change request, and the edited change request.

• If the net changes are significant, all approval tasks for the change request are reactivated.
• If the net changes are insignificant requiring approval, the Change Request Initial Approval phase is
reactivated. Which tasks within that phase are reactivated depends on the setting for the parameter Reopen all
initial approval phase tasks for insignificant changes requiring approval
(Application.SR.Engagement.ReopenAllInitialApprovalPhaseTasksForInsignificantChangesRequiringApproval) [page 394].
• If the net changes are insignificant:
• If the change request was previously denied, all approval tasks are reactivated.
• Otherwise, approval tasks are not reactivated.

Example

| Original Change Request | Edit to the Change Request | Net Change from Live Version to Edited Change Request | Overall Significance of the Edit | Result |
|---|---|---|---|---|
| Adds two controls (significant). User submits the change request: change request initial and final approval phases open. New assessments sent, responded to, some control reviews completed. | Removes the two added controls, and the parameter Treat control removal as a significant change is False; makes a change to an attribute defined with the supplier field mapping project.reapprove | Insignificant requiring approval | Insignificant requiring approval | Change request initial approval phase: reopened. Tip: Which tasks open within this phase depends on the setting for the parameter Reopen all initial approval phase tasks for insignificant changes requiring approval (Application.SR.Engagement.ReopenAllInitialApprovalPhaseTasksForInsignificantChangesRequiringApproval). Change request final approval phase: withdrawn. Corresponding notifications sent. |
| Adds two controls (significant). User submits the change request: change request initial and final approval phases open. Initial approval completed, new assessments sent and responded to, some control reviews completed. | Changes an attribute defined with the supplier field mapping project.reapprove (Insignificant requiring approval) | Significant | Insignificant requiring approval | Change request was already approved with the added controls, so the net edit here is insignificant requiring approval: initial approval phase reopens. Send assessments task is not reopened: the original change request had already passed that step, and the edit to the change request is not adding controls, so there are no new assessments to send. Corresponding notifications sent. |
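
The following Python model is an added example, not SAP Ariba code: it applies the significance rules listed in this topic to the two scenarios in the example table, so you can predict which approvals an edit reopens. The control names, field names, and the reading that the Overall Significance of the Edit column (pre-edit change request compared with the edited change request) is what drives reactivation are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Significance(IntEnum):
    """Ordered so that max() picks the most demanding classification."""
    INSIGNIFICANT = 1
    INSIGNIFICANT_REQUIRING_APPROVAL = 2
    SIGNIFICANT = 3


@dataclass
class Version:
    """One version of an engagement (hypothetical model, not an SAP object)."""
    controls: frozenset
    answers: dict = field(default_factory=dict)


def classify(base, target, reapprove_fields, removal_is_significant):
    """Classify the change from base to target using the rules in this topic."""
    # Rule: adding one or more controls is always significant.
    if target.controls - base.controls:
        return Significance.SIGNIFICANT
    level = Significance.INSIGNIFICANT
    # Rule: control removal follows the TreatControlRemovalAsSignificant setting.
    if base.controls - target.controls:
        level = max(level, Significance.SIGNIFICANT if removal_is_significant
                    else Significance.INSIGNIFICANT_REQUIRING_APPROVAL)
    # Rule: a changed answer mapped to project.reapprove requires approval.
    keys = base.answers.keys() | target.answers.keys()
    changed = {k for k in keys if base.answers.get(k) != target.answers.get(k)}
    if changed & set(reapprove_fields):
        level = max(level, Significance.INSIGNIFICANT_REQUIRING_APPROVAL)
    return level


def evaluate_edit(live, pre_edit, edited, reapprove_fields,
                  removal_is_significant=False, previously_denied=False):
    """Return both table columns plus what the edit reactivates."""
    net = classify(live, edited, reapprove_fields, removal_is_significant)
    edit = classify(pre_edit, edited, reapprove_fields, removal_is_significant)
    if edit is Significance.SIGNIFICANT:
        reactivated = "all approval tasks"
    elif edit is Significance.INSIGNIFICANT_REQUIRING_APPROVAL:
        reactivated = "initial approval phase"
    elif previously_denied:
        reactivated = "all approval tasks"
    else:
        reactivated = "none"
    return {"net_from_live": net, "edit": edit, "reactivated": reactivated}


# Constructed sample data: one live control and one project.reapprove field.
LIVE = Version(frozenset({"CTRL-A"}), {"data_region": "EU", "description": "Payroll"})
REAPPROVE = {"data_region"}
PRE_EDIT = Version(frozenset({"CTRL-A", "CTRL-B", "CTRL-C"}), dict(LIVE.answers))


def scenario_one():
    """Row 1: the edit removes both added controls and changes a reapprove field."""
    edited = Version(LIVE.controls, {**LIVE.answers, "data_region": "US"})
    return evaluate_edit(LIVE, PRE_EDIT, edited, REAPPROVE,
                         removal_is_significant=False)


def scenario_two():
    """Row 2: the edit keeps the added controls and changes a reapprove field."""
    edited = Version(PRE_EDIT.controls, {**LIVE.answers, "data_region": "US"})
    return evaluate_edit(LIVE, PRE_EDIT, edited, REAPPROVE)


if __name__ == "__main__":
    for name, result in (("row 1", scenario_one()), ("row 2", scenario_two())):
        print(name, result["net_from_live"].name, result["edit"].name,
              result["reactivated"])
```
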

How to Approve or Deny a Change Request (Initial)

Initial approval of a change request for a control-based engagement risk assessment project triggers any needed
due diligence tasks. If there are no changes requiring approval, the net result is simply a new live version of the
engagement project.

Context

A change request requires initial approval when

• it has significant changes: for example, the changes cause controls to be added.
• there are no significant changes but there are changes defined as insignificant requiring approval: for
example, a change to at least one question or attribute defined on the Supplier Risk Engagement Template
with the supplier field mapping project.reapprove.

Changes that cause removal of a control can be treated as significant or as insignificant
requiring approval. Use the parameter Treat control removal as a significant change
(Application.SR.Engagement.TreatControlRemovalAsSignificant) to define this behavior for your site.

Once a requester submits a change request requiring approval, an approver can evaluate it and provide a decision.

If you believe that a change request requires further investigation or mitigation, then instead of denying it, there is
also the option of approving it but raising an issue for it.

If a change request is canceled, existing issues for the engagement or a control remain in place; they are not
reverted when the change request is canceled.

Procedure

1. Perform one of the following actions:

• Click the link in the approval task email notification to open the engagement request.
• Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the
Completed tile, locate the engagement, and click its name.
2. Depending on the status of the engagement request and your user permissions, a confirmation message may
offer a choice between navigating to the Change Request or to the engagement summary page for the current
Live Version of the engagement. In this case, choose Change Request.
3. In the Request Details area, review the answers to the business details questionnaire and the inherent risk
screening questionnaire for the change request.
4. In the Pending Tasks list, for the change request initial approval task, click Approve/Deny.
5. In the top right corner of the page, perform one of the following actions:

• To approve the request, click Approve.
• To deny the request, click Deny.
6. Enter a comment to the requester explaining your reasons and click Confirm.

Results

If you are the final approver and you approve the change request:

• If the change request will result in added controls, appropriate due diligence tasks are enabled: for example,
to send newly required assessments for which this supplier has no unexpired responses, according to the
workflow defined in the Supplier Risk Engagement Template.

Example

A new control may require an assessment to which this supplier has not already replied. In that case,
the send assessments task would be reactivated, followed by the evidence collection and then the control
review phases. Completion of the control review phase then triggers the change request final approval task.

• If there are no significant changes, but there are changes defined as insignificant requiring approval, then the
change request initial approval phase is the only required approval. Completion of this approval is the end of
the change request workflow, resulting in a new version of the engagement project, incorporating the changes.

If you deny the change request, it moves to Denied status.

Next Steps

If the change request is denied, and you are either an approver or a member of the Supplier Risk Engagement
Governance Analyst group, you can resubmit the approval. Resubmitting the approval restarts the approval flow
from the beginning so that approvers can make a different decision. To resubmit the approval, on the engagement
page, click View to open the approval task details page, then click Resubmit.

To view the history of activity on this engagement project, you can open the engagement page and click the View
history link below the Live Engagement Request Version field.

Related Information

How to Change a Live Engagement Request by Processing a Change Request [page 235]
Viewing Engagement History [page 130]
How to Approve or Deny a Change Request with Significant Changes (Final) [page 245]

How to Approve or Deny a Change Request with Significant Changes (Final)

If you are in the approval flow for a change request in a control-based engagement risk assessment project, and the
change request requires final approval of significant changes, you can approve or deny it.

Context

A change request requires final approval when it includes significant changes.

Initial approval of the change request triggers any required due diligence tasks. Once control decision makers have
reviewed any open controls associated with it, the change request is in In Progress status for the change request
final approval phase.

The Approval Flow area of the engagement page includes decision nodes for all of its control reviews.

If a control is marked ineffective, the control decision maker might have raised an issue for it. You can review any
issues raised for the change request and their resolutions in the Risk Issues area. Depending on your organization's
standards and processes, you might approve a change request with one or more ineffective controls if it merits an
exception or has a related issue that is resolved to your satisfaction.

Procedure

1. Perform one of the following actions:

• Click the link in the approval task email notification to open the engagement request.
• Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the
Completed tile, locate the engagement, and click its name.
2. Depending on the status of the engagement request and your user permissions, a confirmation message may
offer a choice between navigating to the Change Request or to the engagement summary page for the current
Live Version of the engagement request. In this case, choose Change Request.
3. In the Request Details area, review the answers to the business details questionnaire and the inherent risk
screening questionnaire in the request.
4. In the Pending Tasks list, for the change request final approval task, click Approve/Deny.
5. In the top right corner of the page, perform one of the following actions:

• To approve the request, click Approve.
• To deny the request, click Deny.
6. Enter a comment to the requester explaining your reasons and click Confirm.

Results

If all of the approvers approve the change request and there are no more tasks in the change request final approval
phase, the change request is now complete. Approval triggers creation of a new live version of the engagement,
incorporating the changes proposed in the change request. The new engagement version is in status Completed.

If an approver denies the change request, the engagement moves to Denied status.

Next Steps

If the change request is denied but the change request approval phase includes tasks that have not yet been
completed, and you are either an approver or a member of the Supplier Risk Engagement Governance Analyst
group, you can resubmit the approval. Resubmitting the approval restarts the approval flow from the beginning so
that approvers can make a different decision. To resubmit the approval, on the engagement page, click View to
open the change request approval task details page, then click Resubmit.

To view the history of activity on this engagement project, you can open the engagement page and click the View
history link below the Live Engagement Request Version field.

Related Information

How to Change a Live Engagement Request by Processing a Change Request [page 235]
Viewing Engagement History [page 130]
How to Approve or Deny a Change Request (Initial) [page 243]

How to Cancel a Submitted Change Request

If a change request in progress is no longer needed, an authorized user can cancel it. This also withdraws any due
diligence tasks associated with the canceled change request that are not needed for other projects.

Prerequisites

To cancel a change request, you must be one of the following:

• A member of the Change Request Owners project group and of the Supplier Risk Engagement Requestor
user group
• A member of the Supplier Risk Engagement Governance Analyst user group.

The change request must be in progress.

Tip

To remove a draft change request, you must be the user who created the change request, or the on behalf of
user. See How to Revert a Draft Change Request [page 248].

The change request must not be in In Edit status. A change request cannot be canceled while editing is in progress.

Context

You can cancel a change request at any point after it is submitted and before final approval.

Procedure

1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the
Completed tile, locate the engagement that has a change request in progress, and click its name.
2. Depending on your project group memberships and user permissions, a confirmation message may offer a
choice between navigating to the Change Request or to the engagement summary page for the current Live
Version of the engagement. In this case, choose Change Request.

3. In the upper right corner of the engagement page, choose Action > Cancel change request. A
confirmation message reminds you that cancelation will undo all changes. You must select a Reason for
canceling the change request. Optionally, you can also enter a comment.
4. Click OK to confirm that you want to cancel the change request.

Results

The control-based engagement risk assessment project is now once again in Completed status. You can view it on
the Completed tile of the Engagement Requests area.

Pending Tasks are deactivated and displayed in the Withdrawn tasks tab on the engagement summary page.

Any assessment evidence already received, or submitted and pending approval, and any
related control review decisions, are retained.

For assessments pending with a supplier:

• If the engagement project with the just-canceled change request was the only project for which the assessment
was needed, it is deactivated and the supplier can no longer submit a response.
• If the assessment is still required for an engagement request other than the one with the canceled change
request, the supplier can still submit evidence for that assessment.

Appropriate notifications are sent to stakeholders, reflecting the withdrawn tasks and canceled change request.

Issues created during the change request lifecycle are associated with the engagement or the control for which
they are created. Issues are not deleted or removed when a change request is canceled.

Related Information

The Control-Based Engagement Risk Assessment Process [page 114]
Control-Based Engagement Risk Assessment Status Flow [page 267]
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]

How to Revert a Draft Change Request


When the creator or on behalf of user realizes that a draft change request for a control-based engagement risk
assessment project is not needed, they can revert it, returning the engagement to its most recent live version.

Prerequisites

To revert a draft change request:

• You must be the user who created the change request, or the on behalf of user.
• The engagement must be in Change Request: Draft status.

Context

You can revert a draft change request at any point before it is submitted. This deletes the change request. There is
no record of it in the version history.

In contrast, you can cancel a change request that is in process. This returns the engagement to its most recent
live version but retains history information about the canceled change request. For more information, see How to
Cancel a Submitted Change Request [page 246].

Procedure

1. Click the Engagement Requests link on the Supplier Risk dashboard or in a supplier 360° view, click the
Completed tile, locate the engagement, and click its name.
2. A confirmation dialog offers a choice between navigating to the Change Request or to the engagement
summary page for the current Live Version of the engagement. In this case, choose Change Request.
3. The upper right corner of each change request page includes a Revert change button. Click Revert change and
a confirmation message reminds you that reverting will undo all changes, returning the engagement request to
its most recent completed state.
4. Click OK to confirm that you want to revert the change request.

Results

The control-based engagement risk assessment project returns to Completed status. You can view it on the
Completed tile of the Engagement Requests dashboard.

There is no record of the reverted draft change request in the version history list for the engagement.

No notifications are sent because the change request was never submitted.

How to Cancel the Post-Project Approval Phase of a Control-Based Engagement Risk Assessment Project

If an engagement does not require post-project approval activities, you can cancel the post-project approval phase.
Canceling the post-project approval phase withdraws its tasks and moves the project back to Completed status.

Prerequisites

To cancel the post-approval phase of an engagement risk assessment project, you must be a member of its Project
Owner group or the Supplier Risk Engagement Governance Analyst global user group.

To cancel the post-project approval phase, the phase must be in progress. You cannot cancel the phase before it
starts or after it is completed.

Context

You can cancel the post-approval phase at any time while the phase is in progress, including while tasks are active.

Procedure

1. On the Supplier Risk dashboard, click Engagement Requests.
2. Click the Completed tile and locate the engagement.
3. Locate the engagement and click its name to open it.
4. Choose Actions > Cancel phase.
5. Click OK.

Results

Canceling the post-project approval phase removes the phase and all of its tasks from the engagement risk
assessment project workflow, completes the phase, and withdraws its tasks. The Withdrawn Tasks tab in the Tasks
area of the engagement page shows the withdrawn tasks. If the phase included active tasks when you canceled it,
task owners can no longer complete them. They receive email notifications letting them know that their tasks have
been withdrawn.

Topics About Processing a Periodic or Ad Hoc Review for an Engagement

How to Process a Periodic or Ad Hoc Review for an Engagement [page 250]

About Opening an Engagement for Which a Review Is in Progress [page 254]

How to Skip a Periodic Review for an Engagement [page 255]

How to Revert a Draft Review for an Engagement [page 256]

How to Cancel a Periodic or Ad Hoc Review for an Engagement [page 257]

How to Edit an Engagement with a Review in Progress [page 259]

How to Process a Periodic or Ad Hoc Review for an Engagement

The workflow for a periodic or ad hoc review is similar to that of a change request. The review is a formal process
requiring specific confirmation of the changes, or lack of changes, to the engagement.

Prerequisites

You have configured periodic and ad hoc review as described in Adding Periodic and Ad Hoc Review to the
Engagement Workflow.

You can start a review if:

• You are a member of the Project Owner project group for the engagement, or of the Supplier Risk
Engagement Governance Analyst user group

Note

Only members of the Project Owner project group see an action for periodic review in their Action Queue,
if that feature is enabled.

• You belong to the Supplier Risk Engagement Requester user group
• The engagement you want to review is in Completed status; it is not, for example, currently undergoing a
change request

Context

An engagement is eligible for periodic reviews on a configurable schedule. As each engagement request is
completed, the expected start and expected completion dates for its first periodic review are generated. When
one periodic review is processed and completed, the next set of periodic review dates is calculated, and so on.

The type of review you can start depends on whether the engagement is available for periodic review.

• The engagement is available for periodic review if today's date is on or after its expected start date for periodic
review. In that case, choosing Action > Start review starts a periodic review.
• If the engagement is not available for periodic review, choosing Action > Start review starts an ad hoc
review.

The review workflow mirrors the change request process for engagements, with some important differences.

Change Request, Periodic Review, and Ad Hoc Review

• Make changes to business details and inherent risk screening questionnaire
• Save as draft, revert a draft
• When submitted, significance of changes determines required approvals
• Uses change request initial and final approval phases as required
• Edit at any time before final approval, if the Enable editing of in-progress change requests
(Application.SR.Engagement.AllowChangeRequestEdit) parameter is set to Yes
• Changes made during edit are evaluated for significance to determine required approvals

Periodic Review

• Configuration determines length of review period and rules for generating review dates
• Engagement becomes available for periodic review on the expected start date
• Can be used in conjunction with the Action Queue feature; when the engagement is available for periodic
review, an Action to conduct a periodic review appears on the Action Queue
• Configurable notifications remind project team members to conduct the periodic review
• Can require the Additional Periodic Review Activities phase in response to a configured number of
consecutive no-change periodic reviews

Ad Hoc Review

• An ad hoc review is a review started when the engagement is not available for periodic review
• Does not appear in Action Queue because it is not triggered on a schedule
• Reminder notifications do not apply

Upon submitting an ad hoc or periodic review, a confirmation dialog requires the reviewer to confirm their
changes (or lack thereof) to the business details and inherent risk screening questionnaire.

Procedure

1. To open the engagement:
• Click the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view. In the
Completed list, locate the engagement, and click its name.
• In the case of a periodic review, if the Action Queue feature is enabled: in the Action Queue, click the
periodic review link for this engagement.
2. In the upper right corner of the engagement page, choose Action > Start review.
• If the engagement is available for periodic review, a confirmation message indicates that the review is
starting.
• If the engagement is not available for periodic review, a different message notes the date when this
engagement will next become available for periodic review, and asks whether you would like to start an ad
hoc review. Click Yes to start an ad hoc review, or No to return to the engagement page.
3. The editing pages for processing the review allow you to request changes to business details or inherent risk
screening questionnaire responses for the engagement. Use the Next and Back buttons to navigate to different
steps of the review and edit information as needed.
• Changes to business details may cause screening questions to be added or removed. When you click Next
after making such changes, business detail changes are saved and the number of questions added and
removed is noted on the Inherent Risk Screening Questions page.
• Changed answers to the Inherent Risk Screening Questions may cause risk controls to be added or
removed. When you click Next after making such changes, changes are saved and the number of controls
added and removed is noted on the supplier selection page.
• The supplier selection page is displayed, but you cannot change the supplier for a live engagement.
• Each section of the Review Request page highlights additions and changes.
  • For a new review (not yet submitted), the two columns compare the values for the original, previously
  completed engagement to those entered for this review.
  • When editing an in-progress review, the two columns compare the live version of the engagement to
  the edited version of the review.
4. If you need to exit a review before submitting it, you can:
• Choose Save at any point to save your changes without submitting. The engagement is shown in the
engagement Completed tile, with status Review: Draft. The creator of the review can re-open it, with a
choice to continue editing the review or to open the engagement page for the live version.
• Choose Revert Review to delete the review and undo all changes associated with it. If you click OK to the
confirmation message, the engagement reverts to the current live version, its state before the review was
started.
5. Navigate to the final review step and click Submit review. The Submit review dialog provides three choices of
action:
a. If you are comfortable with the review in its current state, select the checkboxes confirming that you have
reviewed the business details and inherent risk screening questionnaire, and click Submit.
b. To return to the draft review, click Cancel to return to the editing pages. This preserves the changes you
had already made and allows you to adjust them.
c. To start over, click Start from the beginning to undo all changes for the review. This returns you to the
editing pages as if you had just clicked Start review.

Results

When you submit the review:

• If there are significant changes, the change request initial approval and change request final approval phases
are activated.
• If there are no significant changes, but some changes are insignificant changes requiring approval, only the
change request initial approval phase is activated. Which tasks open within that phase is determined by the
value of the parameter Reopen all initial approval phase tasks for insignificant changes requiring approval
(Application.SR.Engagement.ReopenAllInitialApprovalPhaseTasksForInsignificantChangesRequiringApproval).
• If the only changes are insignificant:
  • If the review was previously denied, the change request initial approval task is reactivated.
  • If this is not a resubmit of a denied review, the review is automatically approved. This triggers creation of a
  new version of the live engagement project, incorporating the changes.
• If there are no changes to the business details or inherent risk screening questionnaire in this review:
  • If this is a periodic review, a no-change review may trigger the Additional Periodic Review Activities
  phase, defining additional tasks required in order to complete the periodic review.
  • In all other cases, a no-change review is automatically approved. Despite the lack of changes, this does
  trigger a new version of the live engagement recognizing that the review was submitted.

Depending on the changes and your organization's control-based engagement risk assessment process,
appropriate downstream tasks are activated. A process similar to a change request manages the workflow of
relevant due diligence tasks, and corresponding notifications are sent.

For a periodic review only, the post project approval phase reopens if your site has the parameter
Reopen post project approval phase with engagement review
(Application.SR.Engagement.ReopenPostProjectApprovalPhaseWithEngagementReview) set to Yes.

Issues created during the review lifecycle are associated with the engagement or the control for which they are
created.

Note

While a review is in progress, analytical reports will continue to show data from the current live version of the
engagement. When the review completes, new data is then available for reporting. For more information, see
Analytical Reporting for Control-Based Engagement Risk Assessment Projects [page 275].

Related Information

Adding Periodic and Ad Hoc Review to the Engagement Workflow


About Opening an Engagement for Which a Review Is in Progress [page 254]
How to Revert a Draft Review for an Engagement [page 256]
How to Cancel a Periodic or Ad Hoc Review for an Engagement [page 257]
How to Edit an Engagement with a Review in Progress [page 259]
Reopen post project approval phase with engagement review [page 395]
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]

About Opening an Engagement for Which a Review Is in Progress

If an engagement is in review, your choice to open it may trigger navigation options depending on your role and
permissions in the engagement.

An engagement with a review in process is listed in the Completed area of the engagements dashboard and has a
status of Review: [status]. In the case of a periodic (not ad hoc) review, an action is listed on the Action Queue for
members of the Project Owner project group for the engagement.

When, as a user with some authorization to view or work with the engagement, you click on the engagement name
or action link, the result depends on the state of the review (in draft or already submitted) and your global and
engagement-specific permissions.

If the review is in Draft status, the engagement's status shows as Review: Draft.

• The creator of the review can re-open it. This user sees a dialog where they can choose to continue editing the
draft review, or open the summary page for the live engagement in view-only mode.
• Other users land on a view-only engagement page for the live version of the engagement. An indicator at the
top of the page notes that a review is in process.

If the review has already been submitted, its status shows as Review: [phase name] - In Progress. In this case, all
users see a choice dialog. You can navigate to the ongoing Review or the current Live Version of the engagement.

• Choosing Review brings up the engagement page with the indicator Review - In Progress displayed at the top.
Actions you can take on this page depend on your permissions and role in the engagement.
• Choosing Live Version displays the current live version of the engagement. Because there is a review in
progress, this page is view-only for all users.

If a submitted review is currently being edited, the engagement's status shows as Review: In Edit.

• The original editor of the review can re-open it. This user sees a dialog where they can choose to continue
editing the review, or open the engagement page for the currently active (pre-edit) review. Possible actions
depend on the user's permissions and role in the engagement.

Tip

The editor can also access the live version of the engagement:
1. Choose the option to view the current active review.
2. From the engagement page, click the Engagement history link. The engagement history includes a link
to the live version of the engagement.

• Other users see a choice between navigating to the Review or the Live Version.
  • Choosing Review brings up the engagement page for the pre-edit version of the review, with the indicator
  Review - In Progress displayed at the top. While the review is In Edit, due diligence activities associated
  with the review can continue. Actions you can take on this page depend on your permissions and role in the
  engagement.
  • Choosing Live Version displays the current live version of the engagement. Because there is a review in
  progress, this page is view-only for all users.

Related Information

How to Process a Periodic or Ad Hoc Review for an Engagement [page 250]


How to Edit an Engagement with a Review in Progress [page 259]

How to Skip a Periodic Review for an Engagement

A governance analyst can skip a periodic review.

Prerequisites

To skip a periodic review:

• You must be a member of the Supplier Risk Engagement Governance Analyst user group
• The review must not already have been started

Context

The periodic review to be skipped is the one identified by the Scheduled periodic review field in the summary area
of the engagement page.

The review must not already be in progress. If it is, you first need to cancel [page 257] the in-progress
review, and then skip it.

Procedure

1. Options for opening the engagement:


• Click the Engagement Requests tile on the Supplier Risk dashboard, locate the engagement, and click its
name.
• In a supplier 360° view, click the Completed tile, locate the engagement, and click its name.
• If the engagement is available for periodic review, and the Action Queue feature is enabled: click the
Actions tile on the Supplier Risk dashboard, locate the action for periodic review of this engagement, and
click that link.

2. In the upper right corner of the engagement page, choose Action > Skip Review. A confirmation message
identifies the date of the review being skipped and requires you to enter a reason for skipping it.
3. Click Skip to confirm that you want to skip the review.

Results

Dates are generated for the next periodic review.

• If your site is configured to generate the next periodic review date for engagements based on the Last periodic
review actual completion date, there is no actual completion date in this case. In its place, the date calculation
uses the date the periodic review was skipped.

Appropriate notifications are sent to stakeholders.

The skipped periodic review is noted in the engagement history.

Related Information

How to Process a Periodic or Ad Hoc Review for an Engagement [page 250]


How to Cancel a Periodic or Ad Hoc Review for an Engagement [page 257]
Viewing Engagement History [page 130]
How and When Periodic Review Dates are Calculated

How to Revert a Draft Review for an Engagement

When the creator of a draft review for a control-based engagement risk assessment project realizes it is not
needed, they can revert it. The engagement returns to its most recent live version.

Prerequisites

To revert a draft review:

• You must be the user who created the review.


• The engagement must be in Review: Draft status.

Context

You can revert a draft review at any point before it is submitted. This deletes the review. There is no record of it in
the version history.

In contrast, you can cancel [page 257] a review that is in progress. This reverts the changes but retains history
information.

Procedure

1. To open the engagement:


• Click the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view. In the
Completed list, locate the engagement, and click its name.
• In the case of a periodic (not ad hoc) review: on the Action Queue, click the periodic review link for this
engagement.
2. A confirmation dialog offers a choice between navigating to the Review or to the engagement summary page
for the current Live Version of the engagement. In this case, choose Review.
3. Click Revert review on any page of the editing wizard. A confirmation message reminds you that reverting will
undo all changes, returning the engagement request to its most recent completed state.
4. Click OK to confirm that you want to revert the review.

Results

The control-based engagement risk assessment project returns to Completed status. You can view it on the
Completed tile of the Engagement Requests dashboard.

There is no record of the reverted draft review in the version history list for the engagement.

No notifications are sent because the review was never submitted.

If you revert a periodic rather than an ad hoc review, the engagement is once again available for periodic review. The
engagement page still shows the same Scheduled periodic review dates as before.

Related Information

How to Process a Periodic or Ad Hoc Review for an Engagement [page 250]


About Opening an Engagement for Which a Review Is in Progress [page 254]
How to Cancel a Periodic or Ad Hoc Review for an Engagement [page 257]

How to Cancel a Periodic or Ad Hoc Review for an Engagement

A change request owner or governance expert can cancel an in-progress periodic or ad hoc review.

Prerequisites

To cancel a periodic or ad hoc review:

• You must be a member of the Change Request Owners or Project Owner project group, or belong to the
Supplier Risk Engagement Governance Analyst group.
• The review must not be in Review: In Edit status with a different user.

Context

You can cancel a review at any point before final approval.

Procedure

1. Options for opening the engagement:


• Click the Engagement Requests tile on the Supplier Risk dashboard, locate the engagement, and click its
name.
• In a supplier 360° view, click the Completed tile, locate the engagement, and click its name.
• In the case of a periodic review, if the Action Queue feature is enabled: in the Action Queue, click the
periodic review link for this engagement.

2. In the upper right corner of the engagement page, choose Action > Cancel review.
3. A confirmation message requires that you enter a reason for canceling. Click Yes to confirm that you want to
cancel the review.
4. A second confirmation message reminds you that the engagement will return to its current live version. Click
Yes again to complete the cancelation.

Results

The engagement returns to Completed status. You can view it on the Completed tile of the Engagement Requests
area.

Pending Tasks are deactivated and displayed in the Withdrawn tasks tab on the engagement summary page. For a
periodic review, this includes any pending tasks for the Additional Periodic Review Activities phase.

Any assessment evidence already received from suppliers, and any related control review decisions, are
retained.

For assessments pending with a supplier:

• If the canceled review of this engagement request was the only reason for sending the assessment to this
supplier, it is deactivated and the supplier can no longer submit a response.
• If the assessment is still required for an engagement request other than the one whose review has been
canceled, the supplier can still submit evidence for that assessment.

Appropriate notifications are sent to stakeholders, reflecting the withdrawn tasks and canceled review.

The canceled review is noted in the engagement history.

Note

When you cancel a periodic review, the engagement is once again ready for and still requires a periodic review,
unless a governance analyst user skips [page 255] it.

The cancelation does not change the engagement's Scheduled periodic review dates.

Related Information

How to Process a Periodic or Ad Hoc Review for an Engagement [page 250]


About Opening an Engagement for Which a Review Is in Progress [page 254]
How to Skip a Periodic Review for an Engagement [page 255]
Viewing Engagement History [page 130]
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]

How to Edit an Engagement with a Review in Progress

A member of the Change Request Owners project group for an engagement can edit an ongoing (submitted)
periodic or ad hoc review to add or change details.

Prerequisites

The self-service parameter Enable editing of in-progress change requests
(Application.SR.Engagement.AllowChangeRequestEdit) must be set to Yes.

To start an edit of a review:

• You must be a member of the Change Request Owners project group and of the Supplier Risk Engagement
Requester user group.
• There must be a review in progress for the engagement.
• The review must not be in Draft status; in this case the engagement status would be Review: Draft. A draft
review can be changed, but only by its original creator.
• When a review is in progress, the status of the engagement has the form Review: [phase name] - In Progress.
• The engagement must not be in Review: In Edit status with a different user. If a review was saved during the
edit process, editing of that review can only be continued by the original editor.

Context

You can edit an engagement review at any point before completion, including reviews that were denied.

The engagement changes to status Review: In Edit until the edit is submitted. While an engagement is in Review: In
Edit status:

• Assessments cannot be sent.


• Evidence collection and control review tasks for the review can proceed.

Procedure

1. To open the engagement:


• Click the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view. In the
Completed list, locate the engagement, and click its name.
• In the case of a periodic review, if the Action Queue feature is enabled: in the Action Queue, click the
periodic review link for this engagement.
2. The Ongoing review dialog offers a choice between navigating to the Review or to the summary page for the
current Live Version of the engagement. Choose Review.

3. In the upper right corner of the engagement page, choose Action > Edit review. A confirmation message
lists general rules of the editing process, and requires entry of Reason text to continue.

Note

If an edit of this review is already in progress, the Edit review option is disabled.

4. Use the Next and Back buttons to navigate to different steps of the review and edit information as needed.
When editing a previously submitted review:
• Changes to business details may cause screening questions to be added or removed. When you click Next
after making such changes, business detail changes are saved and the number of questions added and
removed is noted on the Inherent Risk Screening Questions page.
• Changed answers to the Inherent Risk Screening Questions may cause risk controls to be added or
removed. When you click Next, changes are saved and the number of controls added and removed is noted
on the supplier selection page.
• You cannot change the supplier as part of a change request or an edit to a change request. Click Review
request to move on to the Review Request page.
• Each section of the Review Request page highlights additions and changes. The two columns compare the
values for the original, previously completed engagement to the edited version of the review.
5. If you need to exit an In Edit review without submitting it, you can:
• Choose Save at any point to save your changes without submitting. The review is included in the list of
Completed engagements, with status Review: In Edit.
  • The original editor of the review can return to Step 1 and re-open the engagement, choosing the option
  to continue the Edit.
  • Other authorized users can view an engagement whose status is Review: In Edit, and complete tasks
  other than Send Assessments in the review due diligence workflow, but they cannot take over the
  editing.

• Choose Revert edit to undo all edits made while this review has been in Review: In Edit status. If you click
OK to the confirmation message, the review reverts to its pre-edit state.
6. Navigate to the final review step.

Remember

When editing a review, the Review Request page compares the edited review to the current live version
of the engagement. This comparison determines whether the confirmation step indicates changes to the
business details and inherent risk screening questionnaire.

7. Click Submit review. The Submit review dialog provides three choices of action:
a. If you are comfortable with the review in its current state, select the checkboxes confirming that you have
reviewed the business details and inherent risk screening questionnaire, and click Submit. The attestation
here is to the net change between the current live version of the engagement and the edited version of the
review.

Example

In the original review, you changed the answer to just one business details question. After submitting,
you edit the review to change it back to the original response. The net would be no change to the
business details.

Caution

After submitting an edited review, there is no option to roll back to an earlier version of the review.

b. To return to the draft review, click Cancel to return to the editing pages. This preserves the changes you
had already made and allows you to adjust them.
c. To start over, click Start from the beginning to undo all changes for the review. This returns you to the
editing pages as if you had just clicked Edit review.

Results

Submitting the edited review may trigger adjustments to the approval phases, tasks, assessments, and controls.
This depends on a comparison of the changes between the live version of the engagement, the pre-edit review,
and the edited review.

The final version of the review, the version that is ultimately completed, is tracked in the engagement history
[page 130]. Individual instances of editing a review are not tracked in the history.

Related Information

How to Process a Periodic or Ad Hoc Review for an Engagement [page 250]


About Opening an Engagement for Which a Review Is in Progress [page 254]
Viewing Engagement History [page 130]
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]

How to Archive a Control-Based Engagement Risk Assessment Project (Simple Workflow)

Once an engagement risk assessment project is completed, you can archive it so that no further activity is possible
in it. If your site uses the simple archiving workflow, you archive an engagement risk assessment project in a single
operation.

Prerequisites

The engagement archiving feature must be enabled in your site.

To archive a control-based engagement risk assessment project, you must be a member of its Project Owner
project group or the Supplier Risk Engagement Governance Analyst global user group.

The project must be in Completed status.

Context

Archiving an engagement risk assessment project closes it permanently to all further activity, including change
requests. There is no way to un-archive an archived project, so only archive a project when you are sure that it no
longer requires any further action.

In the simple archiving workflow, archiving an engagement risk assessment project is a single operation. If your site
uses the advanced archiving workflow, see How to Archive a Control-Based Engagement Risk Assessment Project
(Advanced Workflow) [page 263].

Procedure

1. Click the Engagement requests link on the Supplier Risk dashboard, click the Completed tile, locate the
engagement, and click its name.

2. Choose Action > Archive engagement project.


3. Enter a comment explaining your reason for archiving the engagement and click OK.
4. Click OK to confirm archiving the engagement.
5. Click OK to return to the engagement page.

Results

The engagement risk assessment project is now in Archived status. It continues to show on the Completed tile.
You can no longer create change requests for it or add it to new contracts in sites that include SAP Ariba Contracts.

If the project was previously added to contracts in sites that include SAP Ariba Contracts, it continues to show in
those contracts with the updated Archived status.

Related Information

How to Archive a Control-Based Engagement Risk Assessment Project (Advanced Workflow) [page 263]
The Control-Based Engagement Risk Assessment Process [page 114]
Viewing and Managing Control-Based Engagement Risk Assessment Projects [page 120]
Control-Based Engagement Risk Assessment Status Flow [page 267]

How to Archive a Control-Based Engagement Risk Assessment Project (Advanced Workflow)

Once an engagement risk assessment project is completed, you can archive it so that no further activity is possible
in it. If your site uses the advanced archiving workflow, archiving an engagement risk assessment project involves
several steps.

Prerequisites

To request or complete archiving of a risk assessment project, you must be a member of its Project Owner project
group or the Supplier Risk Engagement Governance Analyst global user group.

The engagement archiving feature and the advanced archiving workflow must be enabled in your site. If your site
does not use the advanced archiving workflow, see How to Archive a Control-Based Engagement Risk Assessment
Project (Simple Workflow) [page 262].

To request archiving, the project must be in Completed status. To complete archiving, the project must be in
Archive Pending status.

Context

Archiving an engagement risk assessment project closes it permanently to all further activity, including change
requests. Archived engagement risk assessment projects also cannot be added to contracts in SAP Ariba
Contracts. In the advanced archiving workflow, you can cancel archiving [page 265] while it is still in progress,
but there is no way to un-archive an archived project.

The advanced archiving workflow involves several steps. First, you request archiving for the engagement risk
assessment project. This archiving request starts the archiving workflow defined by your organization, which can
include supplemental questionnaires, To Do tasks, and approval tasks that various people in your organization
complete. After that workflow is completed, you can archive the project.

If this is the first archiving request for the project, requesting archiving shows the tasks in the archiving workflow
on the engagement page for the first time. If archiving was previously requested and then canceled for the project,
requesting archiving restarts the previously withdrawn tasks and moves them back to the Pending tasks tab.
Restarted approval tasks retain any previously added ad hoc approvers. Supplemental engagement questionnaires
associated with restarted To Do tasks show their previous answers, which task owners can update in this round.

Procedure

1. Click the Engagement requests link on the Supplier Risk dashboard, click the Completed tile, locate the
engagement, and click its name.

2. Choose Action > Request archiving.


3. Enter a comment explaining your reason for archiving the engagement and click OK.

The project moves to In Progress status for the archiving phase and the archiving workflow starts. Once task
owners complete their tasks and the archiving workflow is completed, the project moves to Archive Pending
status.

4. Choose Action > Archive engagement project.


5. Click OK to confirm archiving the engagement.
6. Click OK to return to the engagement page.

Results

The engagement risk assessment project is now in Archived status. It continues to show on the Completed tile.
You can no longer create change requests for it or add it to new contracts in sites that include SAP Ariba Contracts.

If the project was previously added to contracts in sites that include SAP Ariba Contracts, it continues to show in
those contracts with the updated Archived status.

Related Information

How to Archive a Control-Based Engagement Risk Assessment Project (Simple Workflow) [page 262]
How to Cancel Archiving of a Control-Based Engagement Risk Assessment Project [page 265]
Control-Based Engagement Risk Assessment Status Flow [page 267]
The Control-Based Engagement Risk Assessment Process [page 114]

How to Cancel Archiving of a Control-Based Engagement Risk Assessment Project

If your site uses the advanced archiving workflow and an engagement risk assessment project that is in the process
of being archived requires further activities, you can cancel the archiving. Canceling archiving returns the project to
Completed status so that it is once again open to further activity.

Prerequisites

To cancel archiving for a risk assessment project, you must be a member of its Project Owner project group or the
Supplier Risk Engagement Governance Analyst global user group.

The engagement archiving feature and the advanced archiving workflow must be enabled in your site.

To cancel archiving, the project must be in In Progress status for the archiving phase or in Archive Pending status.

Context

Archiving an engagement risk assessment project permanently closes it to further activity, including change
requests. There is no way to unarchive an archived project. If the archiving is still in progress or pending, however,
you can cancel it.

Procedure

1. Click the Engagement requests link on the Supplier Risk dashboard, click the Completed tile, locate the
engagement, and click its name.

2. Choose Action > Cancel archiving.

3. Choose Action > Archive engagement.


4. Click OK to confirm canceling the archiving.
5. Click OK to return to the engagement page.

Results

The engagement risk assessment project returns to Completed status and is now open to further activity through
change requests in sites that use them. In sites that include SAP Ariba Contracts, the project can continue to be
added to new contracts.

Tasks in the archiving phase are automatically withdrawn. Withdrawn approval tasks retain any ad hoc approvers
added during the canceled workflow, and supplemental questionnaires completed during the phase retain their
answers.

Next Steps

If the project is ready to archive at any point in the future, you can request archiving again.

Related Information

How to Archive a Control-Based Engagement Risk Assessment Project (Advanced Workflow) [page 263]
Control-Based Engagement Risk Assessment Status Flow [page 267]
The Control-Based Engagement Risk Assessment Process [page 114]

Copying a Control-Based Engagement Risk Assessment Project to Create a New Engagement Request

Follow these steps to copy an engagement risk assessment project when you want to request a new engagement
with an active supplier or third party for goods or services, and an existing project already includes many of the
same business details and inherent risk screening information.

Prerequisites

• To copy an engagement risk assessment project to a new engagement request, you must be a member of the
Supplier Risk Engagement Requestor group.
• Only active suppliers are eligible for supplier engagement.

Context

The engagement request is the first step in a control-based risk assessment project to analyze and document
the risks involved with the engagement. Both the business details and inherent risk screening questionnaires in
an engagement request can contain a large amount of detailed information about an engagement. To request a
new engagement with similar characteristics, you can copy an existing project instead of creating a new request
and filling out the business details and inherent risk questionnaires again from scratch. If an engagement risk
assessment project is archived, you can no longer edit it or request changes, but you can copy it to start a new
engagement risk assessment project with the same characteristics.

When copying an existing engagement risk assessment project to a new request, the first two steps of the request,
the business details questionnaire and the inherent risk questionnaire, are copied from the existing project. You can
then edit those questionnaires as needed. The copied engagement request does not retain the supplier from the
original engagement risk assessment project, if any, and you must complete the supplier selection and review steps
of the copied request and submit it just as you would any other new engagement request.

Currently, the copied request is based on the version of the template used by the engagement project from which it
is copied, rather than from the most recent version of the template.

You cannot copy an engagement request that was created from a non-catalog purchase. When you open such an
engagement:

• A message at the top of the engagement page indicates it is linked to a purchase requisition.
• The option for Action > Copy request is not available.

Procedure

1. Choose Action > Copy request on the engagement page.


2. Click OK to start copying the engagement risk assessment project.
3. Click Continue to open the new, copied engagement request.

The new, copied engagement request has the name Copy of <original engagement risk assessment project
name> and includes the date and time when you copied it.
4. Finish creating the new engagement request, editing the copied answers in the business details and inherent
risk screening questionnaires as needed.

Control-Based Engagement Risk Assessment Status Flow

Control-based supplier engagement risk assessment projects move from Draft status to either Completed,
Request Canceled, or Request Denied status during the course of an engagement assessment.

Action: A requester has started to create a new engagement request but has not yet completed the first step (the business details questionnaire).
Project status: Draft
Display status on the Engagements tile and engagement page: Draft

Action: A requester has answered questions in the first step of creating a new engagement request (the business details questionnaire) and has saved the request without proceeding to the second step.
Project status: Draft > Filter Questions Saved
Display status on the Engagements tile and engagement page: Draft

Action: A requester has answered questions in the first step of creating a new engagement request (the business details questionnaire) and has proceeded to the second step.
Project status: Filter Questions Saved > Filter Questions Submitted
Display status on the Engagements tile and engagement page: Draft

Action: A requester has answered questions in the second step of creating a new engagement request (the inherent risk screening questionnaire) and has saved the request without proceeding to the third step.
Project status: Filter Questions Submitted > Screening Questions Saved
Display status on the Engagements tile and engagement page: Draft

Action: A requester has answered questions in the second step of creating a new engagement request (the inherent risk screening questionnaire) and has proceeded to the third step.
Project status: Screening Questions Saved > Screening Questions Submitted
Display status on the Engagements tile and engagement page: Draft

Action: A requester has chosen a supplier for a new engagement request and proceeded to the review step, then exited the request without submitting it.
Project status: Screening Questions Submitted > Supplier Selected
Display status on the Engagements tile and engagement page: Draft

Action: A requester has completed a new engagement request and submitted it, but the template does not define an approval flow for it.
Project status: Supplier Selected > Submitted
Display status on the Engagements tile and engagement page: Draft > Submitted

Action: A member of the Supplier Risk Engagement Governance Analyst group has manually specified one or more approvers for a submitted engagement request that does not have a template-defined approval flow.
Project status: Submitted
Display status on the Engagements tile and engagement page: Submitted > [request approval]: In Progress
[request approval] here is the name of the Request Approval phase in your site's supplier risk engagement template.

Action: A user has completed a new engagement request and submitted it, and it has a template-defined approval flow.
Project status: Supplier Selected > Submitted
Display status on the Engagements tile and engagement page: Draft > [request approval]: In Progress
[request approval] here is the name of the Request Approval phase in your site's supplier risk engagement template.

Action: A member of the project owner project group, or of the Supplier Risk Engagement Governance Analyst group, has opened the engagement request for edit, but has not yet re-submitted it.
Project status: In Edit
Display status on the Engagements tile and engagement page: In Edit

Action: An approver has denied the engagement request.
Project status: Submitted > Request Denied
Display status on the Engagements tile and engagement page: [request approval]: In Progress > Request Denied
[request approval] here is the name of the Request Approval phase in your site's supplier risk engagement template.

Action: Approvers have finally approved the engagement request.
Note: If you're using the basic approval workflow, after completing the Request Approval phase, the engagement request moves immediately to Completed status.
Project status: Submitted > Pending Assessment
Display status on the Engagements tile and engagement page: [request approval]: In Progress > [trigger evidence and control process]: In Progress
[request approval] here is the name of the Request Approval phase in your site's supplier risk engagement template.
[trigger evidence and control process] here is the name of the Trigger Evidence and Control Process phase in your site's supplier risk engagement template.

Action: The responsible user has completed the To Do task for sending any assessments for required open controls.
Project status: Pending Assessment > In Assessment
Display status on the Engagements tile and engagement page: [trigger evidence and control process trigger]: In Progress > [evidence collection]: In Progress
[trigger evidence and control process] here is the name of the Trigger Evidence and Control Process phase in your site's supplier risk engagement template.
[evidence collection] here is the name of the Evidence Collection phase in your site's supplier risk engagement template.

Action: All respondents have submitted assessments for the open controls and the assessments have been approved.
Project status: In Assessment > Pending Risk Control Decision
Display status on the Engagements tile and engagement page: [evidence collection]: In Progress > [control effectiveness review]: In Progress
[evidence collection] here is the name of the Evidence Collection phase in your site's supplier risk engagement template.
[control effectiveness review] here is the name of the Risk Control Effectiveness Review phase in your site's supplier risk engagement template.

Action: Control owners have reviewed all open controls for the engagement and either marked their effectiveness or, if the site is configured to allow this, skipped the control review.
Project status: Pending Risk Control Decision > Pending Final Approval
Display status on the Engagements tile and engagement page: [control effectiveness review]: In Progress > [engagement approval]: In Progress
[control effectiveness review] here is the name of the Risk Control Effectiveness Review phase in your site's supplier risk engagement template.
[engagement approval] here is the name of the Project Approval phase in your site's supplier risk engagement template.

Action: An approver has denied the engagement.
Project status: Pending Final Approval > Request Denied
Display status on the Engagements tile and engagement page: [engagement approval]: In Progress > Request Denied

Action: Task owners and approvers have completed any tasks related to final approval of the engagement and have finally approved it, and your organization's engagement risk assessment process does not include a post-project approval phase.
Project status: Pending Final Approval > Completed
Display status on the Engagements tile and engagement page: [engagement approval]: In Progress > Completed
[engagement approval] here is the name of the Project Approval phase in your site's supplier risk engagement template.

Action: Task owners and approvers have completed any tasks related to final approval of the engagement and have finally approved it, and your organization's engagement risk assessment process includes a post-project approval phase.
Project status: Pending Final Approval > Completed
Display status on the Engagements tile and engagement page: [engagement approval]: In Progress > [post-project approval]: In Progress
[engagement approval] here is the name of the Project Approval phase in your site's supplier risk engagement template.
[post-project approval] here is the name of the Post Project Approval phase in your site's supplier risk engagement template.

Action: A member of the engagement risk assessment Project Owner group or the Supplier Risk Engagement Governance Analyst global user group has canceled the post-project approval phase.
Project status: Completed
Display status on the Engagements tile and engagement page: [post-project approval]: In Progress > [engagement approval] Completed
[post-project approval] here is the name of the Post Project Approval phase in your site's supplier risk engagement template.
[engagement approval] here is the name of the Project Approval phase in your site's supplier risk engagement template.

Action: Task owners and approvers have completed all tasks in the post-project approval phase.
Project status: Completed
Display status on the Engagements tile and engagement page: [post-project approval]: In Progress > [engagement approval] Completed
[post-project approval] here is the name of the Post Project Approval phase in your site's supplier risk engagement template.
[engagement approval] here is the name of the Project Approval phase in your site's supplier risk engagement template.

Action: (Simple archiving workflow) A member of the engagement risk assessment Project Owner project group or the Supplier Risk Engagement Governance Analyst global user group has archived the project.
Project status: Completed > Archived
Display status on the Engagements tile and engagement page: Completed > Archived

Action: (Advanced archiving workflow) A member of the engagement risk assessment Project Owner project group or the Supplier Risk Engagement Governance Analyst global user group has requested archiving for the project.
Project status: Completed
Display status on the Engagements tile and engagement page: Completed > [project archiving phase] - In Progress
[project archiving phase] here is the name of the Project Archiving phase in your site's supplier risk engagement template.

Action: (Advanced archiving workflow) Task owners and approvers have completed all tasks in the project archiving phase.
Project status: Completed
Display status on the Engagements tile and engagement page: [project archiving phase] - In Progress > Archive Pending
[project archiving phase] here is the name of the Project Archiving phase in your site's supplier risk engagement template.

Action: (Advanced archiving workflow) A member of the engagement risk assessment Project Owner project group or the Supplier Risk Engagement Governance Analyst global user group has completed the archiving of the project.
Project status: Completed > Archived
Display status on the Engagements tile and engagement page: Archive Pending > Archived

A user with the appropriate permissions can cancel a submitted engagement request before the responsible user
sends assessment questionnaires for the required controls (project status In Assessment). At that point, the
project status changes from its current status to Request Cancelled, which is also the status that shows on the
Engagement Requests tile and engagement page.

How to Run the Risk Control Summary Report


The Risk Control Summary report provides an overview of the risk controls required in your organization's control-
based engagement risk assessment projects.

Prerequisites

To run the Risk Control Summary report, you must be a member of the Supplier Risk Manager, Supplier Risk
Engagement Governance Analyst, or Supplier Risk Engagement Expert group.

Context

The Risk Control Summary report is a Microsoft Excel file with the following fields:

• Engagement ID
• Engagement request
• Supplier ID
• Supplier
• Project owner
• Requested by
• Requested on
• Engagement status
• Risk type
• Control ID
• Control name
• Control type
• Service id
• Service display name
• Control owner
• Decision maker
• Control status
• Control expiry
• Control Status imported, which is a flag indicating whether the control status was set manually by a review
(False) or using a control status data import (True)

• Control assessment id
• Control assessment name
• Control Assessment status
• Assessment expiration
• Visibility
• Assessment status imported, which is a flag indicating whether the assessment status derived from a
modular supplier management questionnaire (False) or was set using an assessment status data import
(True)
• Control skip reason

For service controls, the report includes a separate row for each service in the control review.

This report does not include information related to archived engagements.

Procedure

1. On the Supplier Risk dashboard, click the settings icon.


2. In the left-hand navigation bar, click Reports.
3. On the Report name dropdown menu, choose Risk Control Summary.
4. (Optional) For Time Period, click in the date field and perform one of the following actions:

• Choose one of the preset filters (Last 7 Days, Last 30 Days, Last 3 Months, or Last 6 Months).
• Choose Custom range and use the calendars to choose from and to dates for the custom date range.
5. Click Apply.
6. Click Generate report.
7. Once your report has generated, click View reports to download the report.

Related Information

Exporting Data and Running Reports on Supplier Risk and Related Activities [page 307]
Analytical Reporting for Control-Based Engagement Risk Assessment Projects [page 275]

How to Run the Engagement processing error report
The settings area includes a report of errors in engagement processing, showing actions already taken and
suggested next steps.

Prerequisites

To run the Engagement processing error report, you must be a member of the Supplier Risk Manager or
Supplier Risk Engagement Governance Analyst user groups.

The data for this report relies on two parameters.

• Manage user interactions during send assessments processing [page 388]: with this parameter enabled, the
report contains information about errors that occur during processing of the Send Assessments task.
• Manage user interactions during update processing [page 389]: with this parameter enabled, the report
contains information about errors that occur during processing of a new, edited, or canceled engagement
request, change request, or review.

These parameters are enabled by default. If a Customer Administrator has disabled one or both, the engagement
data corresponding to that parameter is not saved and therefore cannot be displayed in this report.

Context

The Engagement processing error report includes the following fields. By default it is in (descending) error ID
sequence, so that the most recent error is at the top.

• ID: identifies the individual error.


• Timestamp: when the error occurred.
• Error type: the activity that failed for the engagement.
• Activity ID: identifies the individual activity that failed.
• Activity: type of action that failed.
• Engagement ID
• Engagement title
• User: the user that attempted the failed action.
• Retry required: True if the action needs to be retried, False if not. This value becomes False once the action
has been retried.
• Next step: suggested action to resolve the problem. Possible values include:
    • Retry the action: The report includes one row with this message for the original error and one for the first
      retry if it does not succeed.
    • Contact SAP Ariba Support about error <ID>: This message indicates the action has been retried three
      times without success.
    • This column is blank for rows representing actions that have been retried successfully.

Procedure

1. On the Supplier Risk dashboard, click the settings icon.


2. In the left-hand navigation bar, click Engagement processing error report.
3. (Optional) Click Export at the upper right corner of the report to export this data into a .csv file.
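
The following Python sketch is an added example, not part of the SAP documentation: it groups the rows of an exported .csv by Activity ID and sorts each activity into "escalate", "retry", or "resolved" using the Retry required and Next step semantics described above. It assumes the export's column headers match the field names listed for the report; the sample rows, timestamp format, and values are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column headers are ASSUMED to match the field
# names listed for the report; every value below is made up for illustration.
SAMPLE_CSV = """\
ID,Timestamp,Error type,Activity ID,Activity,Engagement ID,Engagement title,User,Retry required,Next step
1007,2023-11-06 10:02,Update processing,ACT-3,Edit request,ENG-30,Payroll outsourcing,jdoe,True,Retry the action
1006,2023-11-05 09:41,Send assessments,ACT-2,Send Assessments,ENG-20,Cloud hosting,asmith,False,Contact SAP Ariba Support about error 1006
1005,2023-11-05 09:30,Send assessments,ACT-2,Send Assessments,ENG-20,Cloud hosting,asmith,False,Retry the action
1004,2023-11-05 09:12,Send assessments,ACT-2,Send Assessments,ENG-20,Cloud hosting,asmith,False,Retry the action
1003,2023-11-04 16:20,Update processing,ACT-1,Change request,ENG-10,Facility cleaning,jdoe,False,
1002,2023-11-04 16:05,Update processing,ACT-1,Change request,ENG-10,Facility cleaning,jdoe,False,Retry the action
"""

# Columns the triage logic depends on (assumed header spellings).
REQUIRED = {"ID", "Activity ID", "Engagement ID", "Engagement title",
            "Retry required", "Next step"}
SUPPORT_PREFIX = "Contact SAP Ariba Support"


def triage(csv_text):
    """Classify each failed activity from the exported report.

    escalate: some row tells the user to contact support (retries exhausted)
    retry:    some row still has Retry required = True
    resolved: neither of the above, so every retry flag has been cleared
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        # Fail loudly if the export does not have the assumed headers.
        raise ValueError(f"export is missing columns: {sorted(missing)}")

    by_activity = defaultdict(list)
    for row in reader:
        by_activity[row["Activity ID"]].append(row)

    buckets = {"escalate": [], "retry": [], "resolved": []}
    for activity_id, rows in by_activity.items():
        steps = [(r["Next step"] or "").strip() for r in rows]
        flags = [(r["Retry required"] or "").strip().lower() == "true"
                 for r in rows]
        if any(s.startswith(SUPPORT_PREFIX) for s in steps):
            state = "escalate"
        elif any(flags):
            state = "retry"
        else:
            state = "resolved"
        buckets[state].append({
            "engagement_id": rows[0]["Engagement ID"],
            "engagement_title": rows[0]["Engagement title"],
            "activity_id": activity_id,
            # Error IDs in file order, useful to quote in a support ticket.
            "error_ids": [r["ID"] for r in rows],
        })
    return buckets


if __name__ == "__main__":
    for state, items in triage(SAMPLE_CSV).items():
        for item in items:
            print(state, item["engagement_id"], item["activity_id"],
                  ",".join(item["error_ids"]))
```
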

Related Information

Manage user interactions during send assessments processing [page 388]


Manage user interactions during update processing [page 389]
Managing an Engagement After an Update Processing Error [page 172]

Analytical Reporting for Control-Based Engagement Risk Assessment Projects

You can use SAP Ariba analytical reports to analyze questionnaire content, project, project task, and approval
or review activity in control-based engagement risk assessment projects and their associated issue management
projects.

You can create reports based on the following reporting facts to see data on engagement risk assessment and issue
management projects, tasks, and questionnaires:

Use this fact: SR Project
To see this data: Control-based engagement risk assessment projects and issue management projects.

You can analyze project activity by project owner (the person who created the project), project start and end dates, engagement commodities, regions, and departments, engagement request status, which issue projects are associated with specific engagement risk assessment projects (primary source ID) or risk controls (secondary source ID), and so on.

Use this fact: SR Project Questionnaire Response
To see this data: All survey documents in risk assessment and issue management projects, including:

• Engagement request business details questionnaire (in control-based engagement risk assessment projects)
• Engagement request inherent risk screening questionnaire (in control-based engagement risk assessment projects)
• Issue details form (in issue management projects)

You can create reports based on the SR Project Questionnaire Response fact to:

• Compare answers between versions of a supplier's response to a questionnaire.
• Show only the most recent responses to questionnaires.
• Report on questionnaire responses in engagements and analyze those responses using various metrics.
• Show specific types of questionnaire responses across engagements. For example, you can see answers to commodity, region, and department questions for each supplier across all of their questionnaires.
• Analyze internal questionnaire responses by respondent.

Use this fact: SR Project Task
To see this data: The tasks in control-based engagement risk assessment projects and issue management projects.

In reports based on this fact, you can analyze task activity by type, task status, task start and end dates, on time or late tasks, task owner, engagement request status, which issue tasks are associated with specific engagement risk assessment projects (primary source ID) or risk controls (secondary source ID), and so on.

Use this fact: SR Project Task Approval Flow
To see this data: The details for approval and review flows in approval and review tasks in engagement risk assessment and issue management projects. It is particularly useful for identifying bottlenecks in approval processes.

In reports based on this fact, you can analyze approval and review activity by task names, start dates, end dates, the names of associated projects, approvers by name or group, the dates on which task nodes become active and approvers have acted, any comments they provide during approval, engagement request status, and so on.

Use this fact: SR Project Survey Response
To see this data: All questionnaires in control-based engagement risk assessment projects and in issue management projects, including the engagement request business details and inherent risk screening questionnaires in engagement risk assessment projects and issue details forms in issue management projects.

In reports based on this fact, you can analyze questionnaires by respondent, questionnaire (survey), associated project, response (response, multiple-value response, or response commodity, question, region, or department), question, engagement request status, and so on.

Note

Analytical reporting on the modular supplier management questionnaire projects used as assessment
questionnaires in control-based engagement risk assessment projects is not supported.

You must have the appropriate permission to run or create analytical reports. The following table provides a quick
reference for where to find information about SAP Ariba analytical reporting:

To do this: Run a report that you or another person at your organization has created
See: Running Analytical Reports
Tip: To see the reports that other people in your organization have created and made publicly available, choose Manage > Public Reports.

To do this: Create an analytical report
See: Creating Analytical Reports

To do this: Understand the data that is available in different reporting facts and how multi-fact reports on any combination of SR Project, SR Project Task, and SR Project Task Approval Flow data work
See: Reporting Fact Reference

To do this: Learn which user groups grant reporting permissions
See: Strategic Sourcing and Supplier Management Group Descriptions

Keep in mind the following tips when running or creating analytical reports for control-based engagement risk
assessment and issue management projects, tasks, and questionnaires:

• You can create reports that include combinations of SR Project, SR Project Task, and SR Project Task
Approval Flow data. You cannot create reports that combine SR Project Questionnaire Response or SR
Project Survey Response data with data from other reporting facts.
• Every analytical report must include at least one measure (data field), which you add in the first step of the
reporting wizard.
• If you want a report that simply lists all of the data in rows, add fields to the Detail Fields area of the pivot
layout and check Show detail fields in report. On the report pivot table, you can also switch between detail and
aggregate views by clicking the data menu.

• The second step of the report wizard shows available hierarchy fields by default. To see all available fields,
including flat (non-hierarchical) fields, click Available Hierarchies and choose Available Fields. Some fields
that are important for reports on control-based engagement risk assessment projects, such as Engagement
Request Status, Issue Primary Source ID, Issue Secondary Source ID, and Response, only show on the
Available Fields list.
• Use the Issue Primary Source ID field to see the control-based engagement risk assessment projects
associated with issue project, task, approval flow, or questionnaire (survey response) data in issue
management projects created at the engagement level. Use the Issue Secondary Source ID field to see
the risk controls associated with issue project, task, approval flow, or questionnaire (survey response) data in
issue management projects created during control reviews. These fields only show data where applicable.
For example, if an issue management project was created at the engagement level, it shows an Issue
Primary Source ID but no Issue Secondary Source ID. Engagement risk assessment projects, tasks, and
questionnaires never include this data.
• If you are not sure which fields you want to add to a report, add them as page fields. Once you have run the
report, you can move page fields into the report from the Field Browser, as well as moving fields between rows,
columns, and the Field Browser.
• Every analytical report includes at least one date filter. Typically, the larger the date range you choose, the
larger the report.

Related Information

How to Run the Risk Control Summary Report [page 272]


Exporting Data and Running Reports on Supplier Risk and Related Activities [page 307]

Modular Questionnaire and Supplier Certificate Management

Modular questionnaires are projects that maintain discrete sets of related information, such as certificates,
risk assessments, or policy, compliance, audit, or other information about suppliers or engagement risk. They
can function independently or serve as components in a larger process such as a process qualification or an
engagement risk assessment.

Modular questionnaires are the recommended way to collect supplier certificates. They include some special
features for certificate management, including features for managing expiring and expired certificates.

About the Questionnaires Area in the Supplier 360° Profile [page 280]

Supplier Certificate Management [page 282]

Inviting Suppliers to Fill Out Stand-Alone Modular Questionnaires [page 284]

Requesting an Update or Changing the Recipient for a Modular Questionnaire [page 287]

Scores for Modular Questionnaires [page 289]

Approving or Denying an External Modular Questionnaire [page 291]

Ratings for Internal Forms and Questionnaires [page 293]

Filling out an Internal Form in a Modular Questionnaire Project [page 293]

Approving or Denying an Internal Form in a Modular Questionnaire Project [page 296]

Viewing Modular Questionnaire Projects Based on Previous Template Versions After Template Upgrade [page 297]

Status Flow for Modular Questionnaire Projects [page 299]

About the Questionnaires Area in the Supplier 360° Profile

You view and manage modular questionnaires for a supplier in the Questionnaires area of the supplier 360° profile.

The Questionnaires area includes a Questionnaires tab and a Tasks tab.

You can do the following things on the Questionnaires tab:

• See all of the modular questionnaire projects associated with the supplier, their statuses, and their expiration
dates. If a questionnaire is scored and the recipient has submitted answers, the overall score shows on the
Questionnaires tab.
• View details about the modular questionnaire project, including workflow progress and any included internal
forms.
• Fill out and submit internal modular questionnaires included in process projects, if you're the questionnaire's
recipient.
• Fill out and submit [page 293] internal forms included in modular questionnaire projects, if you're the project
owner or the owner of an associated To Do task.
• Request an update or change the recipient [page 287] of a modular questionnaire.

You can do the following things on the Tasks tab:

• Complete any stand-alone To Do tasks for any questionnaires or internal forms in a modular questionnaire
project to which you've been assigned.
• Approve or deny [page 291] a questionnaire if you're in its approval flow.
• Approve or deny [page 296] an internal form if you're in its approval flow.
• View completed tasks by choosing the view icon.

If a modular questionnaire project only includes a questionnaire, viewing it directly opens the questionnaire details
page with questions, answers, and version history. If the process project feature (SM-16798) is enabled in your site,
questionnaire details for the project or key questionnaire also include a summary of the process projects in which
the questionnaire is included.

If a modular questionnaire project also includes internal forms, viewing it opens the questionnaire project details
page.

The questionnaire project details page includes:

• A Questionnaires table with the project's key questionnaire and internal forms. View a questionnaire or
form to open its questionnaire details page, which shows questions, answers, and version history. In these
questionnaire details pages, comment history shows all comments for all tasks associated with both the key
questionnaire and all internal forms in the current phase of the project.
The Questionnaires table doesn't show scores or score band indicators for questionnaires or forms with
scoring. However, scores and score band indicators do show on individual questionnaire details pages.
• A Tasks table with the project's tasks. Viewing a task from this table shows the standard task details page
with questions, answers, and version history for the questionnaire or form associated with the task. In the task
details page, comment history shows only comments for the current task.

Tip

If a modular questionnaire project includes internal forms, the internal forms don't show on the Questionnaires
tab but the project's key questionnaire does. Tasks for internal forms show on the Tasks tab. To see an internal
form in a modular questionnaire project, view the key questionnaire for the project or a task associated with the
form.

Related Information

About the Registration Area in the Supplier 360° Profile
About the Qualifications Area in the Supplier 360° Profile
About the Contacts Area of the Supplier 360° Profile
About the Preferred Area in the Supplier 360° Profile
About the Processes Area in the Supplier 360° Profile
Supplier Certificate Management [page 282]

Supplier Certificate Management


Supplier management questionnaires can collect certificate information from suppliers. You can view a supplier's
certificates and their expiration status in the Certificates area of the supplier 360° profile.

Any internal or external supplier management questionnaire can include certificate questions. The Certificates
area of a supplier 360° profile shows all of the certificates associated with a supplier that were collected in
approved questionnaires or questionnaire updates. Each certificate has a summary with the certificate name,
expiration date, and a status of Valid, Expiring, or Expired.

To show in this area, certificates must be collected using either of the following methods:

• Internal or external questionnaires using Certificate questions mapped to the vendor.certificate field in
the supplier database, including request, registration, and qualification questionnaires.
• Modular questionnaires using Certificate questions or certificate sections with mapped certificate questions.

In either case, the questionnaire must be approved. The Certificates area doesn't show certificates that were
added in denied questionnaires or questionnaire updates.

You can view certificate details by performing the following actions:

• Search for a certificate by entering the certificate type in the search bar. You can enter all or part of the type to
start the search.
• Filter certificates by any combination of type, status, effective date, whether or not the certificate has expired,
and the commodities, regions, and departments to which it applies. After selecting one or more filter values in
the filter popup, choose Apply to apply them to the Certificates area. To clear filters, in the filter popup, choose
Clear all, then choose Apply.
• Sort certificates by last updated, recently expired, or oldest expired.
• Choose any certificate summary card to open complete certificate details, including links for downloading the
certificate attachment and opening the questionnaire where the certificate was collected. Certificate details
can include associated commodities, regions, and departments. However, that information is only valid for
certificates collected in modular questionnaires, which create a direct relationship between the commodity,
region, and department of the modular questionnaire project and its associated certificates.

Note

• SAP Ariba doesn't validate the details in certificate answers (effective date, expiration date, and so
on) against associated certificate attachments. Approvers are responsible for comparing the certificate
attachment to the details in the certificate answer to make sure that they match before approving the
associated questionnaire. Approvers can request additional information from the recipient to resolve any
discrepancies.
• If a questionnaire recipient submits a certificate with a past expiration date, the certificate's status can
show as Expiration in Progress for a short time before changing to Expired.

Certificates collected in modular questionnaires include some special features. A template creator in your site
sets up these certificate-related modular questionnaires, which can include both certificate and other types of
questions, usually for a specific subject. Some certificate-related modular questionnaires can ask for multiple
related certificates, while other questionnaires can ask for one critical certificate. A modular questionnaire
project can be applicable to all commodities, regions, and departments, or only to a specific combination, and
the certificates collected in it inherit that commodity, region, and department information from the modular
questionnaire. In addition to the expiration dates of individual certificates, the modular questionnaire project where
they're collected can also expire.

Managing supplier certificates in modular questionnaires involves the following tasks:

• Sending suppliers certificate questionnaires: you can ask suppliers to provide information about their
certificates by inviting them to fill out the relevant modular questionnaires. Depending on your site's solution
package, these certificate-related modular questionnaires can be stand-alone questionnaires, engagement risk
assessments, or included in a process project.
• Approving or denying certificate questionnaires: If you are an approver, you must review supplier answers
and approve or deny their certificate questionnaires [page 291] or questionnaire updates.
• Monitoring certificate status: In addition to viewing certificates in the Certificates area of the supplier 360°
profile, you can monitor certificates collected in modular questionnaires by:

• Receiving email notifications: depending on how a modular questionnaire is set up, if you're a supplier's
primary supplier manager or an owner of the questionnaire project, you can receive email notifications for
upcoming and lapsed expirations. These notifications can be for a specific certificate or for the modular
questionnaire project as a whole.
• Monitoring questionnaire status: you can view the status of modular questionnaire projects associated
with the supplier, as well as the questionnaires themselves, in the Questionnaires area of the supplier's
360° profile. A modular questionnaire project status of Expiring or Expired can mean that the
questionnaire project itself has an expiration schedule. Certificate questions in modular questionnaires can
also be set up so that a certificate expiration changes the questionnaire's status to Expiring or Expired.
Certificate expirations themselves are always based on the certificate expiration date and aren't affected
by the status of the modular questionnaire project in which they're collected.

Related Information

Approving or Denying an External Modular Questionnaire [page 291]
About the Supplier 360° Profile
About the Questionnaires Area in the Supplier 360° Profile [page 280]

Inviting Suppliers to Fill Out Stand-Alone Modular Questionnaires
To invite suppliers to fill out stand-alone modular questionnaires, you send invitations to the supplier contacts.
Modular questionnaires are individual questionnaire projects that ask sets of related questions about a specific
subject, such as questions about supplier certificates in different areas or questions related to specific risk
controls.

Prerequisites

To send stand-alone modular supplier management questionnaires, you must be a member of the SM Modular
Questionnaire Manager group.

To add, edit, or delete a supplier contact in the supplier 360° profile or when inviting a supplier to a questionnaire,
you must be a member of one of the following groups:

• Supplier Registration Manager
• SM Ops Administrator
• Customer Administrator
• Category Manager
• Commodity Manager
• Event Administrator
• Limited Event Administrator
• Sourcing Project Administrator
• Supplier Project Administrator
• Supplier/Customer Manager
• Supplier/Customer Agent

Context

You can invite multiple suppliers to fill out multiple stand-alone modular questionnaires in a single operation.
This invitation is for stand-alone questionnaires, meaning that the invitation isn't related to a specific supplier
management process. In sites that include SAP Ariba Supplier Risk, control-based engagement risk assessment
projects include modular questionnaires for specific risk controls. Invitations to risk assessment questionnaires
are part of the engagement project workflow. In sites where the process project feature (SM-16798) is enabled,
process projects include modular questionnaires that are applicable to the process's commodities, regions, and
departments, and questionnaire invitations are part of the process project creation or renewal workflow. Stand-
alone modular questionnaires are always external. Modular questionnaires in engagement risk assessment projects
or process projects can be either external or internal.

You can only send stand-alone modular questionnaire invitations to suppliers that have at least one supplier
contact with an associated email address. The primary supplier contact is the default recipient. However, the
modular questionnaire invitation process allows you to add missing contacts or choose different contacts while
sending the invitation. You can create two different supplier contacts with the same email addresses for a supplier
because the email addresses aren't case-sensitive. For example: you can create emailaddress@company.com
and Emailaddress@company.com.

If the feature for internal forms in modular questionnaires (SM-30222) is enabled in your site, modular
questionnaire projects can also include internal forms. The external questionnaire you send to the supplier is
the key or main questionnaire in the project, and you or another person in your organization fill out and submit
[page 293] the included internal forms as well.

Procedure

1. On the dashboard, choose Manage SM Modular Questionnaires.
2. On the Questionnaire page, choose Filter.
The More options pop-up is displayed. This pop-up contains four types of filters to help you to arrive at
your desired set of questionnaires. You can select one or more of the filters Questionnaire type, Category,
Department, and Region to further narrow down your search using the sub filters under each main filter type.

Tip

By default, the Questionnaire page shows 10 modular supplier management questionnaires at a time. You
can use the Show more control on this page to append 10 more questionnaires. Each time you click Show
more, 10 more rows are appended to the list.

3. Choose Apply.

The Questionnaire page displays all the questionnaires that meet your filter criteria.

4. From the list of questionnaires displayed now, select the questionnaires you want to send to your suppliers.
Choose Next.
5. Select the suppliers you want to invite to fill out the questionnaires you selected in the previous step.

Tip

• To search for suppliers to invite, enter a name in the search field or filter the supplier list by choosing
Filters, selecting filters in the navigation pane of the More Options popup, choosing filter values, and
choosing Apply.
• The Questionnaire Status filter helps you narrow down suppliers by the current status of the modular
questionnaire - for example, whether it has not yet been sent, has not been responded to, has been
approved, is pending submission, and so on. The available statuses to choose from are Not Sent, Not
Responded, Pending Submission, Submitted, Pending Resubmit, Pending Approval, Denied, Approved,
Expiring, and Expired. The filter results display only those suppliers that received the questionnaire
after the enhanced pagination and filtering functionality was enabled.
• Currently, choosing Select all selects the first 100 suppliers in the supplier list rather than all suppliers.
To invite additional suppliers beyond the first 100, you must select them individually.
• Each supplier you select is saved, even if the current search results don't show them. The filter list
above the search results shows the number of suppliers you've selected. If you want to remove a
previously selected supplier and it's not currently visible in search results, search for the supplier, then
deselect it.

6. Choose Next.

The confirmation page shows the Supplier good to go tile with a list of selected suppliers that have contacts and
are ready for the invitation. There's also a Supplier missing contact tile. If any of the suppliers you selected
don't have contacts, you can choose this tile to see them.
7. Optional: On the Supplier good to go tile, verify that the primary contact for each listed supplier is the person
you want to invite to fill out the questionnaires. If not, perform the following actions:
a. Choose Change contact.
b. Optional: If the person you want to invite isn't listed as one of the supplier's current contacts and you have
the required permissions, choose Add new contact and add a contact.
c. Select the contact you want to invite and choose Save.
8. If you added any suppliers that don't currently have contacts to the invitation and you have the required
permissions to add contacts, choose the Supplier missing contact tile and add a contact:
9. Choose Send.

Results

Each modular questionnaire you sent generates an invitation email to the supplier contact you specified. The
supplier contact can use the links in the emails to log in and fill out and submit the questionnaires.

If the modular questionnaire project includes internal forms:

• If you're an owner of the modular questionnaire project, you can now fill out and submit any forms that don't
have To Do tasks.
• Owners of To Do tasks for submitting internal forms receive notifications when their tasks become active in the
workflow for the modular questionnaire project.

In the Questionnaires area of the 360° profiles of the suppliers you selected, the Questionnaires tab shows the
modular questionnaire projects you invited them to, while the Tasks tab shows any tasks associated with those
questionnaire projects. Each questionnaire project initially has a status of Not Responded. To see the details and
process flow graphs for a questionnaire project, including any included internal forms, choose View.

If the questionnaire project is approved and it has an expiration schedule, you receive a notification when the
questionnaire project moves to Expiring status and another notification when it moves to Expired status.

Related Information

Supplier Certificate Management [page 282]
About the Questionnaires Area in the Supplier 360° Profile [page 280]
Approving or Denying an External Modular Questionnaire [page 291]
Status Flow for Modular Questionnaire Projects [page 299]
Enable enhanced filtering and pagination for standalone modular questionnaires [page 374]

Requesting an Update or Changing the Recipient for a Modular Questionnaire
Use these steps to request an update for a modular questionnaire. This allows you to send the current recipient a
reminder or select a different recipient and invite them to update the questionnaire.

Prerequisites

To request an update or change a recipient for a modular questionnaire, you must be a member of the SM Modular
Questionnaire Manager, Supplier Risk Engagement Expert, or Supplier Risk Engagement Governance Analyst
group.

You can't request an update while the questionnaire is in Pending Submission or Pending Approval status.

Internal modular questionnaires are only available in SAP Ariba Supplier Lifecycle and Performance process
projects and in SAP Ariba Supplier Risk engagement risk assessment projects, where they're used as risk
assessments. Internal modular questionnaires can't be stand-alone projects.

Context

Modular questionnaires can allow continuous updates or permanently close after the submitted answers are first
approved or denied. However, even if a modular questionnaire doesn't normally allow updates, requesting an
update reopens the questionnaire so that the recipient can update it once.

For external modular questionnaires, once a supplier contact has opened the questionnaire and viewed it, the
questionnaire is assigned to them and they're the only user in the SAP Business Network account who can view or
respond to it.

If the external modular questionnaire:

• allows updates and is in approval or pending submission state, approvers can deny the questionnaire and then
the questionnaire owner can send it to a different recipient.
• doesn't allow updates, denial is permanent and the questionnaire owner can't send it to any other recipient.

If the modular questionnaire project also includes internal forms, you can request an update for or change the
recipient of the main or key questionnaire in the project. You can't request updates for or change recipients of
internal forms.

In sites where the process project feature is enabled, a process initiator who is also a member of the SM Modular
Questionnaire Manager group can also request a questionnaire update or change recipients when creating or
renewing a process.

Procedure

1. Open the modular questionnaire by performing one of the following actions:

• In the Questionnaires area of the 360° profile, view the questionnaire.
• On the Home dashboard, choose SM Modular Questionnaire in the search context menu, optionally enter
a search term such as the name of the questionnaire, then choose the search icon. On the search
page, choose the name of the questionnaire and choose Open.
• If the modular questionnaire is included in a process, on the process details page, view the questionnaire.
2. Choose Request Update.
3. Perform one of the following actions:

• For an internal questionnaire, choose the current recipient or search for and select a different recipient.
• For an external questionnaire, leave the current recipient selected, search for and select a different supplier
contact or (if you have permission to add supplier contacts) add a new contact and choose them as the
recipient.
4. Optional: Enter a comment about the update request or questionnaire reassignment.
5. Perform one of the following actions:

• For an internal questionnaire, choose Confirm.
• For an external questionnaire, choose Save.

Results

The current or updated recipient receives an email notification inviting them to submit the questionnaire.

If the questionnaire is set up to generate reminders, requesting an update restarts the reminder schedule.

Scores for Modular Questionnaires
If a modular questionnaire is set up with scoring, it generates a score for each question and section, and an overall
score for the entire questionnaire, based on the respondent's answers and the scoring setup. These scores help
you decide how to evaluate questionnaire answers.

Questionnaire scores are useful because they apply uniform judgments. No matter who is filling out the
questionnaire, the same answers result in the same score. Approvers and other stakeholders don't have to guess
how acceptable or unacceptable the answers are because the scoring provides clear guidelines.

The Questionnaires area of the supplier 360° profile shows overall scores for questionnaires. If your organization
uses process projects, process details pages also show overall questionnaire scores. If a modular questionnaire
project includes internal forms, both the key or main questionnaire in the project and the internal forms can
have scores. However, the key questionnaire score is the project score and shows in the Questionnaires area and
process details page. Scores for any internal forms don't contribute to the overall questionnaire project score.

When you view a questionnaire or form's details page, the questionnaire or form score shows at the top of the page.
The questions and answer details include the score for each question and each section.

Questions with quantifiable (multiple choice or Yes/No) or numeric (number, date, or percentage) answers can be
scored, though they're not always. Questions with free text answers can't be scored.

Scoring information includes two components:

• A numerical score that expresses, as a percentage, how many points the question, section, or overall
questionnaire has earned out of the total number of possible points. Questions, sections, and the questionnaire
itself have numerical scores.
• An indicator of the scoring band into which the score falls. A scoring band is a grouping that applies a single
label to a range of scores. All scores within the range for a band receive the same judgment and the same label,
such as "Good," "Average," or "Poor." The colored dot to the right of the numerical score shows the color code
for the band, and you can hover over the colored dot to see the name of the band and the range of numerical
scores it covers. Scoring bands only show for section and overall questionnaire scores.

Note

For each scoring band, the scores equal to or greater than the lowest number in its score range up to but not
including the highest number in its score range fall within the band. For example, if a scoring band has a range
of 50-75, scores of 50 and 74 both fall within the band, but a score of 75 falls outside it.

In all cases, scores and band indicators are based on the most recently submitted answers.

Questionnaire scoring can involve complicated calculations about not only how desirable an individual answer is
relative to others, but how important the question is and how much significance or weight its section has. Some
questions, sections, or entire questionnaires involve critical requirements, while some are about more optional or
less critical information. Depending on the nature of the content, a numerical score of 30 can be unacceptable
in one case, marginal in another, and acceptable in a third. Moreover, the overall questionnaire score isn't a sum
of the score of its sections. Some sections contribute more to the overall score than others. Numerical scores by
themselves are difficult to interpret.

A score's band provides important context for the numerical score. Your organization can use different sets of
scoring bands for different types of information. For example, one set can include only two bands: "Failed" and
"Passed." Another set can include a larger number of graduated bands: "Bad," "Poor," "Average," "Good," and
"Excellent." The template creator in your organization who sets up scoring for a modular questionnaire applies a
specific set of scoring bands to the questionnaire and defines a score range for each band in the set so that you
have the appropriate guidance for interpreting the scores of that particular set of content. The template creator
can also apply different sets of scoring bands with different score ranges to different sections within the same
questionnaire to provide different guidance for those specific sections.

Example

For example, questionnaire or section A can include questions about regulatory compliance that are critical to
your organization. In this case, your organization can apply a strict yes-or-no judgment to the scores in this
questionnaire or section by using the set of scoring bands that include only a "Failed" band (score range of 0-70)
and a "Passed" band (score range of 70-100). Questionnaire or section B can include questions about less critical
regulatory compliance and your organization can apply a looser standard of judgment by using the set of scoring
bands that include "Bad" (0-20), "Poor" (20-40), "Average" (40-60), "Good" (60-80), and "Excellent" (80-100)
bands. In this example, both A and B can have a numerical score of 65. However, because of the different content
involved, a score of 65 means "Failed" in one section and "Good" in the other.
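
The band rule from the note and the A/B example above, as an added Python example that is not SAP Ariba code: it applies the "lowest number included, highest number excluded" rule to the two band sets from the example and, going slightly beyond the text, checks a band set for gaps and overlaps. The names Band, band_for, and band_set_problems are hypothetical.

```python
from typing import List, NamedTuple, Optional


class Band(NamedTuple):
    label: str
    low: float   # lowest score in the band (included)
    high: float  # top of the range (excluded, per the note on scoring bands)


# The two band sets described in the example on this page.
STRICT = [Band("Failed", 0, 70), Band("Passed", 70, 100)]
GRADUATED = [
    Band("Bad", 0, 20), Band("Poor", 20, 40), Band("Average", 40, 60),
    Band("Good", 60, 80), Band("Excellent", 80, 100),
]


def band_for(score: float, bands: List[Band]) -> Optional[str]:
    """Return the label of the band that contains score, or None.

    Applies low <= score < high literally. The page does not say how a score
    equal to the top of the highest band is treated, so that case returns
    None here instead of guessing.
    """
    for band in bands:
        if band.low <= score < band.high:
            return band.label
    return None


def band_set_problems(bands: List[Band], floor: float = 0,
                      ceiling: float = 100) -> List[str]:
    """List empty ranges, gaps, and overlaps in a band set.

    This check is an assumption added for illustration; floor and ceiling
    are the assumed ends of the percentage scale.
    """
    problems = []
    cursor = floor  # lowest score not yet covered by any band
    for band in sorted(bands, key=lambda b: (b.low, b.high)):
        if band.low >= band.high:
            problems.append(f"{band.label}: empty range {band.low}-{band.high}")
            continue
        if band.low > cursor:
            problems.append(f"gap: scores {cursor} up to {band.low} have no band")
        elif band.low < cursor:
            problems.append(
                f"overlap: {band.label} starts at {band.low}, below {cursor}")
        cursor = max(cursor, band.high)
    if cursor < ceiling:
        problems.append(f"gap: scores {cursor} up to {ceiling} have no band")
    return problems


if __name__ == "__main__":
    for name, bands in (("A (strict)", STRICT), ("B (graduated)", GRADUATED)):
        print(name, "score 65 ->", band_for(65, bands),
              "| problems:", band_set_problems(bands))
```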

Approving or Denying an External Modular Questionnaire
If you're in the approval flow for an external modular questionnaire, you can approve or deny it.

Context

New modular questionnaire projects have an approval flow defined by your organization. Depending on how a
modular questionnaire is set up, updates to the questionnaire can have the same approval flow, a different approval
flow, or can be approved automatically.

If modular questionnaire updates have approval flows, or if you've requested more information from the supplier,
the questionnaire details page shows the answers in both the latest version and previous versions so that you can
compare them.

If the feature for internal forms in modular questionnaire projects (SM-30222) is enabled in your site, modular
questionnaire projects can include one or more internal forms in addition to the main or key questionnaire
submitted by the supplier. Approval or denial of the key questionnaire is typically the last step in the workflow
for the modular questionnaire project. For information on approving internal forms, refer to Approving or Denying
an Internal Form in a Modular Questionnaire Project [page 296].

Note

Once an approver denies the key questionnaire in either a new external modular questionnaire project or
an update, the questionnaire project closes permanently. It remains permanently closed unless a user with
permission to work in the advanced view manually monitors the key external questionnaire and reopens it. This
action does reopen the project but doesn't automatically notify the supplier or form editors that they can now
update the external questionnaire and internal forms again. You can use the Request additional info option to
ask the supplier to provide more acceptable answers using automatic email notifications instead of explicitly
denying the modular questionnaire project and requiring a manual intervention to reopen it.

In sites that include SAP Ariba Supplier Risk, external modular questionnaires are associated with risk controls
in control-based engagement risk assessment projects, and a control decision-maker can't review a control for
effectiveness until all of its associated questionnaire projects are approved.

Procedure

1. Perform one of the following actions:

• Click the link in the notification email.
• Locate the supplier on the Supplier Management dashboard and click their name. In the left-hand
navigation bar of the supplier 360° profile, choose Questionnaires. On the Tasks tab, choose the take
action icon for the approval task.

The approval task details page opens.

2. Review the supplier's answers. If you're approving a questionnaire update, to display only the questions with
updated answers, choose Updated. To display all answers, choose All.
3. Optional: If you're approving a questionnaire update, to compare the current answers with versions of the
questionnaire that the supplier submitted before the previous version, choose the version number in the
Previous Version column and select the version.

The Previous Version column shows answers from the selected version. The Latest Version column continues
to show answers from the current update.
4. Perform one of the following actions:

• To approve the questionnaire, choose Approve, enter an optional comment, and choose Approve.
• To deny the questionnaire, choose Deny, enter an explanatory comment, and choose Deny.
• To request additional information from the respondent, choose Request Additional Info, enter a comment
explaining what information you want, and choose Request Additional Info.

Results

For new questionnaires, if you are the final approver, the status of the modular questionnaire project is now
Approved or Denied and the supplier is notified of that status by email. If not, the questionnaire project remains
in Pending Approval status until the final approval or denial. If you're the final approver and you approve the
questionnaire, and the questionnaire project is set up to allow updates, the questionnaire reopens so that the
supplier can update it. Any internal forms not associated with To Do tasks in an update phase also become
editable again. If you deny the questionnaire, the project closes permanently. The supplier can't update the external
questionnaire and internal form editors can't update internal forms.

Any comments that you or other approvers added during questionnaire approval show on both the questionnaire
and approval task details pages, which you can see by viewing the questionnaire or task. Questionnaire details
pages show all comments for all tasks in the project, and you can filter them to just show the comments for the
current questionnaire. Task details pages show only the comments associated with the current task. Depending on
how your site's notifications are set up, approval comments can also be included in approval or denial notifications
to suppliers.

If your organization uses different phases to manage tasks for new questionnaires and questionnaire updates, the
questionnaire details page only shows comments for tasks in the current phase. When the questionnaire is new,
comments for tasks in the new questionnaire phase show. After a recipient submits the first questionnaire update,
only comments for tasks in the update phase show, and the comment history shows comments for all updates. If
the advanced view for the project is enabled and you have permission to view it, you can see comments for tasks in
the new phase by viewing task details on the Tasks tab of the advanced project view.

If you requested additional information during approval of an external questionnaire and entered a comment, the
supplier sees the most recent approval comment when they revise their response to the questionnaire.

Related Information

About the Questionnaires Area in the Supplier 360° Profile [page 280]
Comparing Different Versions of a Supplier Management Questionnaire
Requesting an Update or Changing the Recipient for a Modular Questionnaire [page 287]

Approving or Denying an Internal Form in a Modular Questionnaire Project [page 296]

Ratings for Internal Forms and Questionnaires


Ratings can be useful in evaluating responses in internal forms or questionnaires.

Internal stakeholders of your organization can enter ratings in one or more internal forms or internal questionnaires
of a project. Ratings enable your organization to create a formal methodology by which you evaluate responses.
You use ratings to evaluate or "rate" the responses (on various parameters such as delivery, quality, service, price,
compliance, and so on). The final rating is a simple aggregation of all the individual ratings entered by internal users
in their respective internal forms or questionnaires.

These ratings are configured as questions in internal forms or internal questionnaires and can be included as
part of a modular questionnaire project. The project can include external or internal survey questionnaires of type
Questionnaire in addition to one or more internal forms of type Form.

For example, you may want to gather information on certain aspects related to mandatory environmental
compliance, and this project may have several different components. Different internal users can complete forms
in the same internal modular questionnaire project. Or you can have an external questionnaire asking a supplier
to provide information, and include several internal forms in the project so that internal users can provide a rating
of that information. The Total Rating field, if configured in the final form, displays the aggregate of all the ratings
entered by previous task owners in their respective forms.

This functionality is available for both internal and external modular questionnaire projects. To edit an internal form
in a modular questionnaire project, you must be either the project owner or the owner of an active To Do task on
that form.

Filling out an Internal Form in a Modular Questionnaire Project

Internal forms in a modular questionnaire project typically provide information or analysis to supplement the
project's key questionnaire. If you're the modular questionnaire project owner or a To Do task owner for the form, you
can fill it out and submit it.

Prerequisites

The internal forms in modular questionnaire projects feature (SM-30222) must be enabled in your site.

To fill out an internal form in a modular questionnaire project, you must be either the owner of a To Do task
associated with the form or the project owner. To Do task owners can only edit the form while the task is active.

Context

A modular questionnaire project can include one or more internal forms in addition to its key questionnaire. The
key questionnaire is the "main" questionnaire in the project. The recipient of the key questionnaire shows as the
recipient for the entire questionnaire project, and can be a supplier contact (for an external modular questionnaire)
or someone in your organization (for an internal modular questionnaire).

Internal forms can have To Do tasks and approval tasks. If there's no To Do or approval task associated with an
internal form, filling it out is optional. If there's a To Do task associated with an internal form and you're a task
owner, you must submit the form to complete the task. If there's an approval task associated with an internal form,
you or someone else with edit permission must submit the form so that it can be approved and the project can be
completed.

An internal form is editable in the following circumstances as long as the project doesn't have a Denied status:

| Questionnaire project stage | Editability |
| --- | --- |
| New | From the time the questionnaire project is created until it is finally approved, internal forms are always editable. To Do task owners who aren't also the project owner can only edit the questionnaire while the task is active. |
| Update | After the questionnaire project has been finally approved, internal forms that don't have To Do tasks are always editable, even if the key questionnaire doesn't allow updates. Internal forms that have To Do tasks only become editable when the modular questionnaire recipient submits an update to the key questionnaire and the project returns to Pending Approval status, which is only possible if the key questionnaire allows updates. The forms remain editable until the update workflow that includes the key questionnaire is finally approved and the project returns to Approved status. This behavior applies whether or not the associated To Do task becomes active again. If the project's key questionnaire doesn't allow updates, internal forms with To Do tasks can't be edited again either once the project reaches Approved status. |

If an approver denies any form or questionnaire in the modular questionnaire project, the project moves to Denied
status and all of its forms and questionnaires close to further updates.

If the owner of a To Do task on an internal form in a modular questionnaire project is a project group, all members
of that project group can potentially edit the form. The first project group member to submit the form and
complete the task then becomes owner of the completed task.

Procedure

1. Locate the supplier on the Supplier Management dashboard and click their name.
2. In the navigation bar of the supplier 360° profile, choose Questionnaires.
3. Perform one of the following actions:

• If the form isn't associated with an active To Do task, or if it is but you aren't the task owner: On the
Questionnaires tab, click the name of the questionnaire project where the form is included to open its
details page. In the Questionnaires table, view the form, then choose Edit.
• If the form is associated with an active To Do task and you're a task owner: On the Tasks tab, locate the
task and act on it to open the task details page, where the form is automatically editable.

Tip

If the modular questionnaire project is included in a process project, you can also view the questionnaire
project by clicking its name on the process details page. From there, you can either view the form and
choose Edit from the Questionnaires table or act on an assigned To Do task from the Tasks table.

4. Fill out the form as needed.


5. Choose Save to save your responses in draft mode, and return later to complete and submit them. Saved
draft versions are not versioned, and only the most recent changes are included. An upgraded template for an
internal form retains draft responses even after it has been upgraded.

Choosing the Cancel option in the Edit page opens a dialog box. If you choose Confirm in the dialog box, you'll
lose all unsaved changes and be redirected to the previous page. If you choose Cancel in the dialog box, you'll
stay on the same page and can continue updating the form.
By default, only the process owner can edit internal forms and save them as drafts. However, the process
owner can request an update from a different recipient and invite them to update the form. The new recipient
can see the responses saved previously and can provide their own responses. The new recipient can also
overwrite previous responses if required, and save the draft again.
6. Perform one of the following actions:

• On the details page for the form, choose Submit.


• On the task details page for the form To Do task, choose Mark Complete.

Results

If the internal form has an approval task, that task starts and approvers approve or deny your answers.

Approving or Denying an Internal Form in a Modular Questionnaire Project

Internal forms in a modular questionnaire project typically provide information or analysis to supplement the
project's key questionnaire. If you're in the approval flow for an internal form in a modular questionnaire project,
you can approve or deny it.

Prerequisites

The internal forms in modular questionnaire projects feature (SM-30222) must be enabled in your site.

Context

Internal forms in a modular questionnaire project can have an approval flow defined by your organization.
Depending on how a modular questionnaire project is set up, updates to the form can have the same approval
flow, a different approval flow, or be approved automatically.

Note

Approval of the internal form doesn't directly affect the modular questionnaire project's status but is required
to complete the project workflow. Denial of the internal form moves the entire modular questionnaire project
to Denied status and closes it permanently. To reopen it, a user with permission to work in the advanced view
must manually monitor the project's key questionnaire and reopen it. You can use the Request additional
info option to ask the person who submitted the internal form to provide more acceptable answers instead of
denying the form and closing the project.

Procedure

1. Locate the supplier on the Supplier Management dashboard and click their name.
2. In the navigation bar of the supplier 360° profile, choose Questionnaires.
3. Choose the Tasks tab.

The Tasks tab only shows tasks to which you've been assigned.
4. Act on the approval task.

The task details page opens.


5. Review the form answers.

Tip

If you're approving a form update, to display only the questions with updated answers, choose Updated. To
display all answers, choose All. If the form has been updated multiple times, you can also compare current
answers with previous versions of the form.

6. Perform one of the following actions:

• To approve the form, choose Approve, enter an optional comment, and choose Approve.
• To deny the form, choose Deny, enter a required explanatory comment, and choose Deny.
• To request additional information from the respondent, choose Request Additional Info, enter a comment
explaining what information or changes you want, and choose Request Additional Info.

Results

Any comments that you or other approvers added during form approval show on both the questionnaire details
page for the form and on the approval task details page, which you can see by viewing the form or task.
Questionnaire details pages show all comments for all tasks in the current phase for the project, and you can
filter them to show just the comments for the current form. Task details pages show only the comments associated
with the current task in the current phase.

If you're the final approver for the form, your approval completes the approval task and starts the next tasks in the
modular questionnaire project workflow. The project remains in Pending Submission or Pending Approval status,
depending on whether the recipient of the project's key questionnaire has viewed or submitted it.

If you denied the form, the modular questionnaire project moves to Denied status and all forms and questionnaires
in the project close to further edits.

Viewing Modular Questionnaire Projects Based on Previous Template Versions After Template Upgrade

If a customer administrator in your organization has upgraded a modular questionnaire project to a newer version
of the template, you can see project information across template upgrades, including changes to questionnaires,
internal forms, tasks, and project and message history.

Prerequisites

To access the advanced view of a project, you must be either a member of the SM Advanced View Access group or
the project owner or a member of the SM Ops Administrator group, depending on your site's configuration.

Context

When template creators in your site change one of your organization's modular questionnaire processes by
updating its project template, an administrator can upgrade the existing modular questionnaire projects that
were created from it to the newer template version. Each template upgrade creates a new modular questionnaire
project with the current project information and automatically archives the previous project based on the previous
template version. The template version menu shows all of the template versions that have been applied to
the modular questionnaire project, including the version number and the date on which the version was published.
This template version menu is available on the questionnaire details page (if the modular questionnaire project
includes just a questionnaire) or on the questionnaire project details page (if the modular questionnaire project
includes one or more internal forms in addition to the key questionnaire).

When you select a previous template version, the questionnaire details or project details page updates to show you
the previous, archived project based on that version. Differences in template version can include:

• Different process flow diagrams: The process flow diagram shows the process flow for the modular
questionnaire project based on the template version you select, including tasks and task owners or approvers
in that version.
• Modular questionnaire project status: A customer administrator in your organization can upgrade a modular
questionnaire project to the latest template version when it has a status of Not Responded, Denied, Expiring,
or Expired, or when it has Approved status and an update isn't in approval. The summary reflects the modular
questionnaire project status at the time of upgrade to the selected template version. For example, a modular
questionnaire project can have a current status of Approved for the current template version 3, but can be in
Expiring status for template version 2 and Not Responded status for template version 1.
• Different internal forms: If the feature for allowing internal forms in modular questionnaire projects
(SM-30222) is enabled in your site, modular questionnaire projects can include one or more internal forms
in addition to the key or main questionnaire sent to the recipient. Whether internal forms are included in a
modular questionnaire project, and which forms are included, can change with different template versions.
• Questionnaire and form contents: If the recipient hasn't submitted the questionnaire, or an internal form
editor or To Do task owner hasn't submitted a form, viewing it shows the contents for the selected
template version. Otherwise, questionnaire or form version history reflects changes to content across template
upgrades as well as changes to answers.

If you have permission to access the advanced view of a modular questionnaire project, you can use the template
version dropdown menu to access the advanced view of the selected template version. The advanced view also
includes the following information for the selected template version:

• Questionnaire-specific notifications sent to recipients on the Event Messages tab.


• Questionnaire response activity history in the bid history for individual questionnaires.
• Project history.
• Project documents and tasks, which are always read-only in previous projects. For modular questionnaire
projects, the only way to see previous project tasks based on previous template versions is in the advanced
view.

Procedure

1. In the Questionnaires area of the supplier's 360° profile, on the Questionnaires tab, view the questionnaire
project for which you want to see previous versions.

2. On the questionnaire details page or questionnaire project details page, choose a template version from the
template version dropdown menu.

The questionnaire or project details page updates to show you the previous, archived modular questionnaire
project based on that version.
3. (Optional) To access the advanced view of the previous project associated with the selected template version,
click the advanced view icon.

Next Steps

If you're in the advanced view of a project that has a previous, archived project from a previous template upgrade,
the Previous Project field on the Overview tab shows its ID, and you can choose the ID to see that previous project.

Related Information

About the Questionnaires Area in the Supplier 360° Profile [page 280]
Comparing Different Versions of a Supplier Management Questionnaire

Status Flow for Modular Questionnaire Projects


During the lifecycle of a modular questionnaire project, its status moves from Not Responded to Approved or
Denied. If the project is set up with an expiration schedule, or contains certificate questions that expire, the
questionnaire can also have Expiring or Expired status.

| Action | Status |
| --- | --- |
| The recipient has been invited to fill out the modular questionnaire and sent a link where they can do so. If the modular questionnaire project includes internal forms, this action refers to the key questionnaire. | Not Responded |
| The recipient has opened but not submitted the modular questionnaire. If the modular questionnaire project includes internal forms, this action refers to the key questionnaire. Opening internal forms doesn't change the project's status. | Not Responded > Pending Submission |
| The recipient has submitted responses to the modular questionnaire. If the modular questionnaire project includes internal forms, this action refers to the key questionnaire. Submission of internal forms doesn't change the project's status. | Pending Submission > Submitted |
| The approval process for the modular supplier management questionnaire has started. If the modular questionnaire project includes internal forms, this action refers to the key questionnaire. The starting of approval tasks for internal forms doesn't change the project's status. | Submitted > Pending Approval |
| An approver has asked the recipient for more information as a condition of approving the modular supplier management questionnaire. If the modular questionnaire project includes internal forms, this action refers to the key questionnaire. | Pending Approval |
| The recipient has resubmitted more information for the modular supplier management questionnaire and it's back in the approval process. If the modular questionnaire project includes internal forms, this action refers to the key questionnaire. | Pending Approval |
| All of the approval tasks on all questionnaires and forms in the modular questionnaire project have been finally approved. If the modular questionnaire project includes internal forms, this action refers to approval tasks on both internal forms and the key questionnaire. | Pending Approval > Approved |
| An approval task in the modular questionnaire project has been denied. If the modular questionnaire project includes internal forms, this action refers to any approval task on either an internal form or the key questionnaire. | Pending Approval > Denied |
| The recipient has submitted an update to a modular questionnaire. If the modular questionnaire project includes internal forms, this action refers to the key questionnaire. Submitting updates to internal forms doesn't change the project's status. | Approved, Expiring, or Expired > Submitted |
| The approval process for the modular supplier management questionnaire update has started. If the modular questionnaire project includes internal forms, this action refers to approval tasks on the key questionnaire. The starting of approval tasks on internal forms doesn't change the project's status. | Submitted > Pending Approval |
| An approver has asked the supplier for more information as a condition of approving the modular questionnaire update. If the modular questionnaire project includes internal forms, this action refers to the key questionnaire. | Pending Approval |
| The recipient has resubmitted more information for the modular supplier management questionnaire update and it's back in the approval process. If the modular questionnaire project includes internal forms, this action refers to the key questionnaire. | Pending Approval |
| All approval tasks in the modular questionnaire project related to the current update have been finally approved. If the modular questionnaire project includes internal forms, this action refers to approval tasks on both internal forms and the key questionnaire. | Approved |
| An approval task related to the current update has been denied. If the modular questionnaire project includes internal forms, this action refers to approval tasks on both internal forms and the key questionnaire. | Denied |
| For a new or updated questionnaire, reminder notifications for an upcoming expiration have been sent in one of the following circumstances: • The modular questionnaire project itself has an expiration schedule. • The questionnaire contains a certificate question that is configured to update the questionnaire status based on the certificate's expiration. If both of these circumstances occur in the same questionnaire, and the certificate's reminders are sent before the questionnaire's reminders, the certificate's reminders trigger the status change for the questionnaire. If the modular questionnaire project includes internal forms, this action refers to the key questionnaire. Certificate management features, including expiration of the questionnaire project, aren't supported in internal forms. | Approved > Expiring |
| One of the following expiration dates has passed in a new or updated questionnaire: • The expiration date of the modular questionnaire project itself if it has been set up with an expiration schedule. • The expiration date of a certificate question in the key questionnaire that is configured to update the questionnaire status based on the certificate's expiration. If both of these circumstances occur in the same questionnaire and the certificate expires before the questionnaire, the certificate's expiration triggers the status change for the questionnaire. If the modular questionnaire project includes internal forms, this action refers to the key questionnaire. Certificate management features, including expiration of the questionnaire project, aren't supported in internal forms. | Expiring > Expired |

Note

Modular questionnaire projects contain separate Questionnaire Status and Questionnaire Update Status
fields. For new questionnaires, these status changes occur in the Questionnaire Status field. Once the
recipient has updated the key questionnaire at least once, they occur in the Questionnaire Update Status
field.

Creating and Managing Findings

Use a finding to document a supplier situation that might require remediation, a policy exception, or other special
handling. A finding can be associated with a supplier in general, or with a specific engagement request.

Users initiate findings from within SAP Ariba Supplier Risk. The findings exist within Finding and Event
Collaboration on the SAP Business Technology Platform. This provides you a central launch point for collaborating
with business partners on risks, opportunities and action items.

Creating a Finding [page 303]

How to Access Findings Using the Findings Tile [page 305]

Creating a Finding
Use a finding to document a supplier situation that might require remediation, a policy exception, or other special
handling. A finding can be associated with a supplier in general, or with a specific engagement request.

Prerequisites

Your site is set up to allow creating findings. Sites can allow creating issues or findings, but not both.

Your user must have appropriate permissions: belong to an appropriate group or, in the case of an engagement-
specific finding, have a specific role in the engagement.

• For a general finding, not associated with an engagement, your user must belong to one of the following user
groups:
• Supplier Risk Engagement Requestor
• Supplier Risk Engagement Expert
• Supplier Risk Engagement Analyst
• Supplier Risk Engagement Governance Analyst
• For an engagement-level finding: if your user has access to the engagement, you can create a finding for it.
• For a finding associated with a vendor- or engagement-level control: if your user has access to the engagement,
you can create findings associated with controls of these types.
• For a finding associated with a service on a service-level control: your user must be a decision maker for the
control.

Context

You can create a finding associated with an engagement request, or a more general finding concerning a supplier.

• The supplier for the finding must have at least one contact.
• While your site might be set up to allow processing an engagement request with no supplier specified, a finding
can only be associated with an engagement request that does have a supplier specified.
• To create a finding for an engagement or one of its controls, the engagement must be an original engagement
request, change request, or review that is in progress. You cannot add a finding to a draft or completed
engagement.

Procedure

1. To start creating a finding:

• For a general finding concerning a supplier: navigate to Create Finding.
• For a finding concerning an engagement request: open the engagement. From the engagement page,
choose Action Create finding.
• For a finding concerning a vendor- or engagement-level risk control: navigate to the control from an
engagement with which it is associated, or from the control list page. Click the Create finding button.
• For a finding concerning a service: navigate to the service-level control from an engagement with which it
is associated, or from the control list page. In the list of services on the Control details or Control review
page, choose Action Create finding.
Each of these actions opens a new window where you can enter finding information.

2. For a general finding (Create Finding):


a. On the first page, enter the Supplier. Entries for Commodities, Regions, and Departments are optional.
b. Choose Submit to move to the next page. At this point, the values you entered on the first page are saved.
If you click Cancel on the first page, you exit the Create finding page without saving.
c. On the second page, enter other attributes for the finding and optionally add an attachment. For more
information about the attributes, see Finding Attributes in the Finding and Event Collaboration User Guide.
d. Create the finding.
• Choose Submit to create the finding. This opens a new browser window with the Finding and Event
Collaboration dashboard showing your new finding in the list.
• If you click Cancel on the second page, you exit the finding without submitting. The values entered on
the first page are already saved, but any values entered on the second page are not. The finding status
is Draft.
Either choice opens the Finding and Event Collaboration dashboard in a new window. You can close this
window to exit.
3. For a finding associated with an engagement or one of its controls:

a. When you choose Action Create finding or click the Create finding button, a new browser window
opens where you can enter information about the new finding. The Supplier, Commodities, Regions, and
Departments are already filled in according to the values for the engagement.
b. Enter other attributes for the finding and optionally add an attachment. For more information about the
attributes, see Finding Attributes in the Finding and Event Collaboration User Guide.
c. Create the finding.
• Choose Submit to submit the finding.
• Choose Cancel to save the finding without submitting. The finding status is now Draft.
Either choice opens the Finding and Event Collaboration dashboard. You can close this window to exit.

Results

Any contacts associated with the selected supplier are available to add as external team members. There is no way
to update the list of contacts in the finding after its creation.

Next Steps

To view a finding, you must have access to it as its creator (for a Draft or New finding) or as a user with a role in the
finding such as Finding Response Coordinator.

You can view a finding to which you have access in several ways.

• Click the Findings tile on the Supplier Risk dashboard. This lists both general findings and findings specific to
an engagement or risk control.
In the list, check if any finding is in the New status with an error. You can troubleshoot such a finding, so
that it moves to the In Validation status and is available to the finding management team to work on. For
troubleshooting instructions, see Troubleshooting a Finding Stuck in the New Status.
• The Findings table on the Engagement requests tab of the Supplier 360° shows all findings for that supplier,
both general and engagement- or control-specific.
• The Findings table on the engagement page shows all findings for that engagement.
• On the Control details or Control review page:
• Locate the finding in the Findings tab of the control page for a vendor- or engagement-level control.
• In the list of services for a service-level control, the Findings column contains a link if your user has
permission to open a finding for that service.

Related Information

Setting Up Your Site to Allow Users to Create and Manage Findings

How to Access Findings Using the Findings Tile


Use the Findings tile on the Supplier Risk dashboard to view a list of findings relevant to you. It shows the number
of findings you either created or are assigned to work on.

Prerequisites

Your site must allow creating findings. Sites can be set up to allow creating issues or findings, but not both.

For a Draft or New finding, your user must be the creator of that finding.

For a finding that has already been submitted, your user must be its creator or have a role for the finding:

• Finding Validator
• Finding Analyzer
• Finding Response Coordinator
• Finding Acknowledger

Context

If the findings feature is not enabled on your site, or if there are no findings relevant to you, the Findings tile is not
visible on the dashboard.

Procedure

1. Navigate to the Supplier Risk dashboard.


2. Click on the Findings tile.

Results

The Finding and Event Collaboration dashboard is displayed, showing the list of findings. The list also displays
errors, if any, for the findings.

Next Steps

• You can narrow your search for specific findings, as described in Searching for Findings.
• You can troubleshoot any finding you created that has remained in the New status with an error. For
instructions, see Troubleshooting a Finding Stuck in the New Status.

Exporting Data and Running Reports on Supplier Risk and Related Activities

You can use supplier risk data from exports or analytical reports to help meet regulatory requirements and track
your organization's risk-related activities. SAP Ariba Supplier Risk provides several different tools for reporting on
or exporting the data in your site.

| To See or Export This Type of Data... | Do This... |
|---|---|
| Control-Based Engagement Risk Assessment Projects | |
| Control-based engagement risk assessment project data | Use the Supplier Risk Engagements API to get control-based engagement risk assessment project data. The API gets the data for engagements, issues, and modular questionnaires. |
| Control-based engagement risk assessment and associated issue management projects, project tasks, and approval flows and engagement request and issue details questionnaire content | Use SAP Ariba analytical reporting tools. Refer to Analytical Reporting for Control-Based Engagement Risk Assessment Projects [page 275]. You can export analytical reports as Microsoft Excel workbooks or CSV files. |
| The new, in progress, or completed engagement risk assessment projects you have permission to view, including project name and ID, requester, status, and assessments | On the Supplier Risk dashboard, click Engagement Requests, then click the New Requests, In Progress, or Completed tile. Above the engagement table, click the download icon. The export includes the engagements that show in the table based on current filters. |
| The engagement risk assessment issues you have permission to view, including issue name, status, and assignee, engagement name, and associated risk controls | On the Supplier Risk dashboard, click Issues. In the upper right corner of the My Issues page, click the download icon. The export includes the issues that show in the table based on current filters. |
| Risk control activity, including which controls are required for different engagements, their status, control owners and decision makers, and associated assessment questionnaires | Generate the Risk Control Summary Microsoft Excel report. Refer to How to Run the Risk Control Summary Report [page 272]. |
| Suppliers | |
| Current supplier search results, including supplier name, ERP vendor ID, address, enrichment status, and risk exposure | On the Supplier Risk dashboard, search for suppliers. In the upper right corner of the search results page, click the download icon. |
| The suppliers you follow | On the Supplier Risk dashboard, in the upper right corner of the Your suppliers area, click the download icon. The export includes the suppliers that show in your followed suppliers table based on current filters. |
| The compliance and custom field data added to the suppliers you monitor when using the Risk Category Information API for Supplier Risk Exposure | Generate the Risk Category Information API Microsoft Excel report. Refer to Running the Risk Category Information API Report. |
| The licensed third-party provider activity for the suppliers you submitted for evaluation in your realm | Generate the Licensed Provider Summary Microsoft Excel report. Refer to Running the Licensed Provider Summary Report. |
| Your suppliers' overall and category risk exposure | Use the Risk Exposure API to get the overall and category risk exposure for the suppliers you monitor in SAP Ariba Supplier Risk. |
| The overall risk exposure, if the risk exposure override was used, category risk exposure, and risk levels for the suppliers you follow | Generate the Risk Exposure Summary Microsoft Excel report. Refer to Running the Risk Exposure Summary Report. |
| Supplier risk activities, including suppliers followed and alerts received, for all users in your site | Generate the Supplier Risk Summary Microsoft Excel report. Refer to Running the Supplier Risk Summary Report. |

Topics About Managing Legacy Risk Assessment Projects

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

The Legacy Risk Assessment Process [page 309]

The Legacy Engagement Risk Issue Management Process [page 311]

Viewing and Managing Legacy Risk Assessment Projects [page 312]

How to Request a New Engagement in a Legacy Risk Assessment Project [page 314]

How to Add Approvers to a Legacy Engagement Request or Risk Assessment [page 316]

How to Approve or Deny a Legacy Engagement Request [page 317]

How to Edit a Legacy Engagement Request [page 319]

How to Cancel a Legacy Engagement Request [page 320]

How to Raise an Issue for a Legacy Engagement Risk Assessment [page 321]

How to Define, Analyze, or Resolve a Legacy Engagement Risk Issue [page 323]

How to Add Approvers or Reviewers to a Legacy Engagement Risk Issue [page 325]

How to Send Legacy Engagement-Level Risk Assessments [page 327]

How to Send Additional New or Resend Previously-Sent Legacy Engagement-Level Risk Assessments [page 329]

How to Manually Skip Legacy Engagement-Level Risk Assessments [page 331]

How to Complete a Legacy Internal Engagement-Level Risk Assessment [page 332]

How to Approve or Deny a Legacy Engagement-Level Risk Assessment [page 333]

Supplier or Third-Party Legacy Risk Assessment Project Status Flow [page 335]

Legacy Issue Management Project Status Flow [page 336]

How to Run the Legacy Engagement Summary Report [page 337]

The Legacy Risk Assessment Process


Risk assessment projects provide a process for evaluating the risk or desirability of engaging with a supplier
or other third party and establishing the potential risk of that engagement. Your company can then determine
whether to undertake the engagement, and if so, whether or not the engagement requires monitoring and what
degree of monitoring might be necessary.

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

Some engagements might not need a risk assessment; others, such as consulting engagements that involve access
to confidential information or company networks or facilities, might require stringent risk assessments.

A risk assessment project typically includes four stages:

1. Requesting the engagement and inherent risk assessment: A user in your company who wants to engage
with a supplier or other third party requests a new engagement risk assessment by creating an engagement
request and filling out the engagement request form. This form typically asks detailed initial questions about
the engagement's inherent risk factors both in general and in different risk domains. Depending on its setup, it
might or might not ask the requester to specify the supplier or third party at this stage. Approvers review the
engagement request, particularly information related to inherent risk, and approve or deny it.
2. Sending detailed engagement-level risk assessments: Once the engagement request is approved, the
governance expert assigned to review the inherent engagement risk sends risk assessments to internal
stakeholders and (if applicable) suppliers or other third parties. Before doing so, the governance expert can
either specify the engagement's supplier for the first time, or change the supplier specified in the request
to a different supplier, depending on the answers in the request. Typically, some of the risk assessments are
specific to the inherent risk domains identified in the request, such as IT, finance, or governance. The recipients
fill out and submit responses to these risk assessments.
3. Responding to risk assessments: Recipients are notified of the assessments they need to fill out. Internal
stakeholders fill out their risk assessments on the engagement page in SAP Ariba Supplier Risk. Supplier
contacts fill out risk assessments on Ariba Network for Suppliers.
4. Evaluating and approving risk assessments: Depending on how your company's assessments are set up, a
residual risk score might be calculated for each assessment based on submitted answers. Approvers evaluate
the answers and the score and approve or deny the risk assessments. If an approver denies at least one of the
engagement's risk assessments, the engagement is denied. If approvers approve all of the risk assessments,
the requester can engage with the supplier or third party to fulfill the engagement's purpose.

A governance expert can send out all of the risk assessments for an engagement at the same time; therefore,
no matter how many risk domains are affected by the engagement, or how many experts are specified as
assessment recipients, all applicable risk assessments start at the same time. If it becomes apparent that
additional assessments are needed, a governance expert can then send them out as required at a later time.

In some cases, an engagement might not require engagement-level risk assessments. If your site is configured
to automatically skip assessments for engagements with no recommended assessments, those engagements
automatically move from the approved request to Completed: Assessments skipped automatically status.
The governance expert assigned to send out risk assessments can also choose to skip the engagement-level
risk assessment process entirely and move the engagement directly from the approved request to Completed:
Assessments skipped manually status based on their judgment of the engagement's requirements.

At any time between when the request is submitted and the engagement is completed or canceled, the requester
and governance experts can create issues to highlight potential problems or concerns with the engagement as
a whole, and then track and resolve them. Requesters and governance experts can also create issues related
to specific engagement-level risk assessments at any time between when the first assessments are sent and
the engagement is completed. Each issue is a separate project with its own workflow and approvals [page 311]
embedded within the supplier risk assessment project.

In solutions that include SAP Ariba Sourcing or SAP Ariba Contracts, the risk assessment project can be made
a predecessor to a sourcing or contract project. With this setup, once the engagement is approved, sourcing or
contract activities will start.

Your site's risk assessment project template defines:

• The form used for the engagement request and the risk assessments that are available, including their content,
scoring, and whether the risk assessments are recommended based on either answers to specific questions
about inherent risk in the request or the request's overall inherent risk score or rating. The content of the
engagement request also determines whether the requester can (or is required to) specify the supplier at that
stage.
• Who is responsible for approving the engagement request and each risk assessment.

The Legacy Engagement Risk Issue Management Process

Issue management is the process by which internal users, governance experts, and other stakeholders at your
company raise, analyze, and resolve issues related to supplier or third-party engagement risk assessments.

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

The nature and severity of an issue, and whether or not it has a satisfactory resolution, are among the factors that
approvers of engagement risk assessment projects take into account when approving or denying an engagement.
The issue management process provides an automatic and auditable process for gathering all of the relevant
information about an issue and involving relevant experts and other stakeholders in its analysis and resolution. It
includes five stages:

1. Issue creation: a user becomes aware that there is a potential issue with a proposed supplier or third-party
engagement with an assessment project in progress, either with the entire engagement or with a specific
engagement-level risk assessment, and creates an issue in Draft status. The user who creates the issue might
fill out most or all of the information in the Issue details area, including specifying an assignee, or might leave
most of the issue's fields blank. The Comments area is not yet available during issue creation.
2. Issue definition: the issue assignee (if there is one at this point) and owners of various issue definition tasks
edit the issue to provide more detailed information, add comments, and complete their assigned tasks. The
issue then moves from Draft to In Progress status.
3. Issue analysis: the assignee (if there is one at this point) and owners of various issue analysis tasks review
the issue details, edit the issue to update or add information if necessary, add comments, and complete
their assigned tasks. They might or might not propose resolutions at this stage. If the issue has not yet been
assigned, they also specify a user who can resolve the issue as the assignee at this point.
4. Issue resolution: the assignee and owners of various issue resolution tasks review the issue information, edit
it to propose or finalize its resolution, and complete their assigned tasks. If the fields of the Inherent Issue
Document area have not yet been filled out, they are finalized at this point.
5. Issue resolution acceptance: task owners complete any other assigned tasks related to issue resolution
acceptance and the approvers assigned to the issue review the resolution and finally approve it. The issue then
moves from In Progress to Resolved or Request Denied status.

Note

The issue creator has permission to edit the issues they have created. The issue assignee has permission to
edit issues to which they are assigned. Members of the Supplier Risk Engagement Governance Analyst group
have permission to edit any issue. Task ownership by itself does not grant a user permission to edit an issue.

Your site's issue management project template defines:

• The fields in the Inherent Issue Document area, which collect information about the issue.
• The tasks in the issue management workflow and their owners.
• Who is responsible for approving the issue resolution.

Related Information

How to Define, Analyze, or Resolve a Legacy Engagement Risk Issue [page 323]
How to Add Approvers or Reviewers to a Legacy Engagement Risk Issue [page 325]
The Legacy Risk Assessment Process [page 309]

Viewing and Managing Legacy Risk Assessment Projects

Users who have permission to work with supplier or third-party risk assessment projects can view and track
them on the Supplier Risk dashboard or on individual supplier 360° profiles, from which they can open individual
engagement requests to complete tasks and view details on the engagement page.

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

• Viewing and tracking risk assessment projects on the Supplier Risk dashboard and in supplier 360° profiles
  [page 313]
• Using the engagement page [page 314]

Note

Your ability to see and act on individual engagement requests and risk assessments is determined by your
group membership and your assignment to tasks in specific risk assessment projects.

Viewing and Tracking Risk Assessment Projects on the Supplier Risk Dashboard and in Supplier 360° Profiles

The Engagement Requests page, which you access by clicking the Engagement Requests tile on the Supplier
Risk dashboard, shows engagement requests and risk assessments for all suppliers. The Engagement Requests
area on the Risk exposure tab of an individual supplier 360° profile shows engagement requests and risk
assessments for that supplier. The Engagement Requests area in both places includes three tiles, which allow
you to view or manage risk assessment projects at various stages:

• Edit and save or submit your draft engagement requests on the New Requests tile, which shows
  engagement requests that you have created and saved but not submitted (in Draft status). Click the
  engagement request name to open your draft, finish it, and submit it.
• Track and manage engagement risk assessment projects that are in progress on the In Progress tile:
  • View or approve submitted engagement requests: Click the name of an engagement request with
    Submitted status to view its details on the engagement page. If you are an approver, you can approve
    or deny the engagement request from here [page 317].
  • Edit or cancel submitted or approved engagement requests: Click the name of an engagement request
    with Submitted or In Assessment status to edit [page 319] or cancel [page 320] it before
    engagement-level risk assessments are sent out.
  • Raise, track, and resolve engagement risk issues: Click the name of an engagement request with
    Submitted, In Assessment, Awaiting Assessment Responses, or Pending Assessment Approval status
    to raise [page 321], update, and resolve [page 323] issues at the overall engagement level or the
    engagement-level risk assessment level.
  • Send engagement-level risk assessments: Click the name of an engagement with In Assessment status
    to view its details on the engagement page. If you are one of the people responsible for sending risk
    assessments for the engagement, you send them from here [page 327].
  • View and respond to, or resend, engagement-level risk assessments: If a risk assessment project has
    Awaiting Assessment Responses status, you can click its Expand link to view information about each sent
    risk assessment, such as its name, when it was submitted (Last assessed date), whether it is internal or
    external, whether it was used in a previous risk assessment project for the same supplier, who it was sent
    to, and its target and residual risk exposure.
    You can click the View button next to a submitted assessment, or an open assessment that you are not
    responsible for filling out, to see it. If you are the assigned respondent for an assessment, you see a
    Start button instead, and you can click it to complete and submit the assessment [page 332]. If you are
    one of the people responsible for sending the engagement's assessments and a respondent has not yet
    submitted answers to an assessment, or you decide that the engagement requires additional assessments,
    you can send additional new or resend previously-sent engagement assessments [page 329].
  • View and approve submitted assessments: If an engagement has Pending Assessment Approval status,
    you can click its Expand link to view information about all completed assessments. Click the View button
    next to a completed assessment to open it.
    If you are an approver for an assessment, you can click the engagement name to open its page, then click
    Approve in the Pending Tasks table to view and approve or deny the assessment [page 333].
• Review completed and canceled risk assessment projects on the Completed tile.

You can sort some columns, such as Name, by clicking the column name. You can filter other columns, such as
Status, by clicking the filter icon in the column header, then choosing values by which to filter. To export the
list of risk assessment projects on any of the tiles in the Engagement Requests area to a Microsoft Excel file, click
the Export link. The exported file includes the list of risk assessment projects on the tile based on current filters
and sorting.

For each assessment associated with an engagement request, a red alert icon displays next to residual risk
exposures that are lower than their target exposure.

Using the Engagement Page

Once a supplier or third-party engagement request is submitted, users with the appropriate permissions can click it
to open the engagement page. Users can view this page if they are members of risk engagement analyst,
governance, or expert groups, are in the approval flow of the request or one of the assessments, or are the
recipient of one of the assessments.

This page includes the following sections:

• Engagement request detail: information about the engagement request, including the engagement ID
  number, title, requester, date created, inherent risk exposure and rating (if they have been set up in your
  site), and information about any associated supplier, commodity or service, and region.
• Process: a status graph that shows the engagement risk assessment's current position in the process,
  and a task table where you can view tasks and their associated risk assessment questionnaires, and where
  task owners or approvers complete their assigned tasks. You can also see the most recent responses to any
  assessment questionnaires that the engagement's supplier filled out for a previous engagement, but that were
  not sent for the current one.
• Risk Assessment Questionnaires: the full, completed engagement request.

How to Request a New Engagement in a Legacy Risk Assessment Project

The engagement request is the first step in a risk assessment project. Creating an engagement request starts the
process where approvers assess its inherent risks and approve or deny the request.

Prerequisites

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

You must be a member of the Supplier Risk Engagement Requestor group to create an engagement request.

Context

Depending on how your company has set up the inherent risk screening questions in the engagement request, the
answers you provide to the initial questions might expose additional questions for you to answer.

Procedure

1. On the dashboard, click Create Engagement Request.
   The engagement request form opens.
2. Enter information on the form. Required questions are indicated by an asterisk (*).
3. Perform one of the following actions:
   • Click Save to save your current answers and return to finish the questionnaire at a later time.
   • Click Submit to submit the engagement request.
   • Click Cancel to delete the engagement request.

Results

If you have submitted the engagement request, it has the status Submitted. The approvals it requires depend on
how your company has set up its risk assessment projects.

If you have saved but not submitted the engagement request, it has the status Draft.

Next Steps

You can view the new engagement request on the Supplier Risk dashboard. In the Engagement Requests area,
click the New Requests tile. In the Action column, click View to open the request. If your request is still a draft, you
can complete and submit it from here, or you can delete it if you decide it is no longer necessary.

After you have submitted the request, approvers review your answers and either approve or deny it. If it is
approved, a governance expert at your company might or might not initiate additional risk assessments based on
your answers; if they do, approval of the engagement requires the approval of all additional risk assessments as
well. You can monitor your request's progress on the In Progress tile in the Engagement Requests area.

After you have submitted an engagement request, and after it has been approved but a governance expert has not
yet sent engagement-level risk assessments for it, you can edit it [page 319] or cancel it [page 320]. You can also
raise [page 321] and help resolve [page 323] issues for the engagement.

Related Information

How to Edit a Legacy Engagement Request [page 319]
How to Cancel a Legacy Engagement Request [page 320]
How to Raise an Issue for a Legacy Engagement Risk Assessment [page 321]
Supplier or Third-Party Legacy Risk Assessment Project Status Flow [page 335]
How to Define, Analyze, or Resolve a Legacy Engagement Risk Issue [page 323]

How to Add Approvers to a Legacy Engagement Request or Risk Assessment

Depending on their setup, engagement requests or engagement-level risk assessments might allow governance
experts to add ad hoc approvers based on their judgment of the current risk assessment project's requirements
rather than using a template-defined approval flow.

Prerequisites

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

You must be a member of the Supplier Risk Engagement Governance Analyst group to add approvers to an
engagement request or risk assessment.

You can only add approvers to a request or assessment if it has no approval flow defined for it in the template.

Context

You can add either individual users or system user groups such as Supplier Risk Engagement Analyst as
approvers. If you choose a user group, the first member of the group to respond approves or denies the request
or assessment. If you select multiple users or groups, they are all added as parallel approval nodes in the approval
flow.

Procedure

1. From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. In the Pending Tasks list, locate the approval task and click Add Approver.
3. Use the arrow buttons to page through the list of available approvers, or enter group or user names in the
Search field, to locate the approvers you want to add.
4. Check the users and groups you want to add.
5. Click Update.

Results

The users or user groups are added to the approval flow. Users and the individual members of user groups added to
the approval flow receive a notification that they need to approve the request or assessment.

Related Information

The Legacy Risk Assessment Process [page 309]
Viewing and Managing Legacy Risk Assessment Projects [page 312]
How to Approve or Deny a Legacy Engagement Request [page 317]
How to Approve or Deny a Legacy Engagement-Level Risk Assessment [page 333]

How to Approve or Deny a Legacy Engagement Request

If you are in the approval flow for a supplier or third-party engagement request, you can approve or deny it.

Context

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

Newly submitted engagement requests are in Submitted status. Engagement requests that have had at least one
approval in the approval flow are in In Approval status.

If you are a member of the Supplier Risk Engagement Governance Analyst group, and you believe that an
engagement request requires further investigation or mitigation, then in addition to the option of denying it,
you also have the option of approving it but raising an issue for it [page 321].

Procedure

1. Perform one of the following actions:
   • Click the link in the email notification to open the engagement request.
   • From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
     Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. Review the answers to the engagement request in the Risk Assessment Questionnaires area. If your site has
   inherent risk scoring set up for engagement requests, you can also view its exposure and any associated risk
   ratings in the Engagement request detail area at the top of the page.
3. In the Pending Tasks list, for the approval task, click Approve/Deny.
4. In the top right corner of the page, perform one of the following actions:
   • To approve the request, click Approve.
   • To deny the request, click Deny.
5. Enter a comment to the requester explaining your reasons, and click Confirm approval or Confirm denial.
6. Click Done.

Results

If you are the final approver and you approve the request, the risk assessment project moves to In Assessment
status and a governance expert can send engagement-level risk assessments to external or internal stakeholders. If
you deny the request, it moves to Request Denied status and no further action can be taken.

Related Information

The Legacy Risk Assessment Process [page 309]
Viewing and Managing Legacy Risk Assessment Projects [page 312]
Supplier or Third-Party Legacy Risk Assessment Project Status Flow [page 335]
How to Raise an Issue for a Legacy Engagement Risk Assessment [page 321]

How to Edit a Legacy Engagement Request
The requester and governance experts can edit an engagement request to add or change details that weren't
available until after the request was submitted or approved, and that might impact which engagement-level risk
assessments the governance user wants to send for it.

Prerequisites

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

To edit a submitted or approved engagement request, you must be the requester or a member of the Supplier Risk
Engagement Governance Analyst group.

Context

You can edit an engagement request when it is in Submitted or In Assessment status. After a governance expert
has sent at least one engagement-level risk assessment for it and the engagement risk assessment project has
moved to Awaiting Assessment Responses status, you can no longer edit the engagement request.

Procedure

1. From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. In the Risk Assessment Questionnaires area, which shows the engagement request, click Edit.
3. Modify previous answers to the engagement request as necessary.
4. Click Submit.

Results

Depending on your company's engagement risk assessment project setup, the changes you make might change
the engagement-level risk assessments that are recommended for this engagement request.

Related Information

The Legacy Risk Assessment Process [page 309]
Viewing and Managing Legacy Risk Assessment Projects [page 312]
How to Request a New Engagement in a Legacy Risk Assessment Project [page 314]

How to Cancel a Legacy Engagement Request


When a requester or governance expert realizes that an engagement is not needed, they can cancel it to remove it
from the pipeline before the respondents spend time filling out engagement-level risk assessments for it.

Prerequisites

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

To cancel an engagement request, you must be the requester or a member of the Supplier Risk Engagement
Governance Analyst group.

Context

You can cancel engagement requests in Submitted and In Assessment status. Once a governance expert has sent
out at least one engagement-level risk assessment and the engagement risk assessment has moved to Awaiting
Assessment Responses status, you can no longer cancel it.

Procedure

1. From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.

2. In the Engagement Request Detail area at the top of the page, choose Action > Cancel.
3. Click OK.

Results

The engagement risk assessment project is now in Cancelled status. You can view it on the Completed tile of the
Engagement Requests area.

Related Information

The Legacy Risk Assessment Process [page 309]
Viewing and Managing Legacy Risk Assessment Projects [page 312]
Supplier or Third-Party Legacy Risk Assessment Project Status Flow [page 335]

How to Raise an Issue for a Legacy Engagement Risk Assessment
If a potential supplier or third-party engagement has a problem that might require remediation, exceptions from
company policy, or other special handling, you can create an issue for it during the engagement risk assessment
process.

Prerequisites

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

To create an issue for an engagement risk assessment, you must be either the user who created the engagement
request or a member of the Supplier Risk Engagement Governance Analyst group.

You can assign new issues to any member of the Supplier Risk User, Supplier Risk Manager, Supplier Risk
Engagement Requestor, Supplier Risk Engagement Analyst, Supplier Risk Engagement Expert, and Supplier
Risk Engagement Governance Analyst groups.

Context

You can create an issue for an engagement risk assessment at any point from the time the request is submitted
until the engagement risk assessment is completed. You can create the issue at the overall engagement level or for
a specific sent or previous assessment in the engagement.

Procedure

1. Open the engagement request.
2. Perform one of the following actions:

• To create an engagement-level issue, in the upper right corner of the engagement page, choose Action > Create issue.
• To create an issue for a specific assessment, click Create issue to the right of the recipient's name.
3. Enter a title and description for the issue.
4. Choose the person who can resolve the issue from the assignee dropdown menu.
5. Choose a severity from the severity dropdown menu.
6. If you have a deadline by which the issue must be resolved, use the calendar chooser to choose a due date.
7. Add any other necessary information for the issue.
8. Click Submit.

Results

Submitting the issue creates an issue management project in Draft status and starts its workflow.

Automatic email notifications inform you, the assignee, and members of the Supplier Risk Engagement
Governance Analyst group of the new issue and of any subsequent updates.

Next Steps

You can view the issue, its process flow, and its tasks either from the My Issues tile on the Supplier Risk dashboard
or by clicking the flag icon next to the engagement’s name on the engagement page. If you created the
issue for a specific assessment, you can also view it by clicking the flag icon to the right of the assessment
recipient's name.

Related Information

The Legacy Risk Assessment Process [page 309]
Viewing and Managing Legacy Risk Assessment Projects [page 312]
The Legacy Engagement Risk Issue Management Process [page 311]
How to Define, Analyze, or Resolve a Legacy Engagement Risk Issue [page 323]
How to Add Approvers or Reviewers to a Legacy Engagement Risk Issue [page 325]
Legacy Issue Management Project Status Flow [page 336]

How to Define, Analyze, or Resolve a Legacy Engagement Risk Issue
The engagement risk issue management process can assign you tasks for defining, analyzing, or resolving an issue
that someone at your company has raised for a supplier or third-party engagement. Once all of the tasks in the
issue management workflow are completed, the issue closes.

Prerequisites

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

If you are a task owner, reviewer, or approver for an engagement risk issue task, but you don't otherwise have
permission to work with engagement risk assessments, you can view and add comments to the issue, but you
cannot view the associated engagement risk assessment. Anyone who has permission to view the issue can also
view details for any of its completed tasks. To edit the issue, you must be either the person who created it, the
assignee, or a member of the Supplier Risk Engagement Governance Analyst group.

To complete an issue-related task, you must be a task owner (for To Do tasks) or be one of the users assigned to its
review or approval flow (for review and approval tasks).

Context

Your company's engagement risk issue management process [page 311] includes steps for defining and analyzing
the issue, proposing a resolution, and approving the resolution. Its tasks assign these steps to various relevant
stakeholders, who receive email notifications when their assigned tasks start. If you are assigned to a task for an
issue, and that task is currently active, you can click a button next to it in the Tasks table to complete it.

Your company's issue management process defines the owner of all issue management tasks before the issue is
assigned. After an assignee is specified for the issue, they automatically become the owner of all of the issue's
incomplete tasks. The owner of a To Do task completes the task; the owner of an approval or review task is not
necessarily the approver or reviewer, unless they are also added explicitly to the approval or review flow. However,
the owner of an approval task can resubmit a denied approval task so that the approval flow restarts.

Depending on your role in the issue management process and your permissions, you might edit the issue to add
more information, correct existing information, add comments, attach a document such as a remediation plan or a
waiver, or make a user at your company the assignee before completing your task. Each task in the workflow must
be completed before the next task can start. The issue cannot close until all of its tasks are completed.

The issue page includes a process flow diagram that shows all of the tasks in the workflow, with color coding to
indicate tasks that have been completed. You can hover a mouse over any incomplete To Do task in the flow to see
its owner, and any incomplete approval or review task in the flow to see its currently active approver or reviewer.

Procedure

1. Perform one of the following actions to open the issue:

• Click the link in the task email notification.
• On the dashboard, choose Manage > My Tasks, click the name of your assigned task, and choose
View Task Details.
• If you are the person who created the issue, the assignee, or a member of the Supplier Risk Engagement
Governance Analyst group, on the Supplier Risk dashboard, click the My Issues tile, then click the issue
name.
2. (Optional) In the Comments area, enter a comment and click Submit.

The Comments area shows your new comment at the top of the comment list.
3. If you need to edit the issue and have permission to do so, perform the following actions:
a. At the top of the issue page, click Edit.
b. Add or modify information in any of the editable fields as needed.
c. Click Submit.
4. In the Tasks area, locate your assigned task and perform one of the following actions:

• For a To Do task, click Mark Complete, then click Yes to confirm that you want to complete the task.
• For a review task, click Complete Review. On the Issue Task Detail page, enter any review comments you
might have, click Confirm Review Complete, and click Done to return to the issue page.
• For an approval task, click Approve/Deny. On the Issue Task Detail page, click Approve or Deny, enter
explanatory comments, click Confirm, and click Done to return to the issue page.

Results

The issue management process flow at the top of the issue page updates to show the completed task, and the
next task in the issue management workflow starts automatically. Users with permission to view the issue can click
View next to any completed task to view its details, which include any comments that reviewers or approvers added
when completing review or approval tasks.

If your task is the last task in the issue management workflow and the issue resolution is approved, the issue closes
with Resolved status. If the issue resolution is denied, after the last task is completed, the issue has Request
Denied status.

Next Steps

If an approval task is denied, and you are its owner, you can restart it by choosing Actions > Resubmit in
the Tasks area, clicking Resubmit on the Issue Task Detail page, entering any optional comments and clicking
Confirm Resubmit, and clicking Done. The approval flow then restarts, and approvers can reevaluate the issue and
either approve it this time or deny it again.

Related Information

The Legacy Engagement Risk Issue Management Process [page 311]
How to Add Approvers or Reviewers to a Legacy Engagement Risk Issue [page 325]

How to Add Approvers or Reviewers to a Legacy Engagement Risk Issue
Depending on their setup, approval or review tasks for engagement risk issues might allow the issue project owner
to add an ad hoc reviewer or approver based on their judgment of the issue's requirements instead of using a
template-defined approval or review flow.

Prerequisites

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

To add approvers to an approval task or reviewers to a review task in an issue, you must be a member of the issue's
Project Owner group as defined in your site's issue management project template.

You can only add approvers or reviewers to an issue management task if there are no approvers or reviewers
defined for it in the project template.

Context

You can add either individual users or system user groups such as Supplier Risk Engagement Analyst as
approvers or reviewers. If you choose a user group, the first member of the group to respond reviews, approves, or
denies the issue. If you select multiple users or groups, they are all added as parallel nodes in the approval or review
flow.

Procedure

1. Perform one of the following actions to open the issue:

• On the dashboard, choose Manage > My Tasks, click the name of your assigned task, and choose
View Task Details.
• If you are the person who created the issue, the assignee, or a member of the Supplier Risk Engagement
Governance Analyst group, on the Supplier Risk dashboard, click the My Issues tile, then click the issue
name.
2. In the Pending Tasks list, locate the approval or review task and click Add Approver or Add Reviewer.
3. Check the users and groups you want to add.
4. Click Update.

Results

The users or user groups are added to the approval or review flow. The users and individual members of the groups
receive notifications letting them know that they must complete the task.

Related Information

How to Define, Analyze, or Resolve a Legacy Engagement Risk Issue [page 323]
The Legacy Engagement Risk Issue Management Process [page 311]

How to Send Legacy Engagement-Level Risk Assessments
Engagement-level risk assessments follow up on the inherent risk information provided in the engagement request
by soliciting more detailed information both in general and in specific risk domains from various internal and
external stakeholders and experts.

Prerequisites

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

You must be a member of the Supplier Risk Engagement Governance Analyst group to send engagement-level
risk assessments.

Only members of the Supplier Risk Engagement Analyst, Supplier Risk Engagement Expert, Supplier Risk
Engagement Governance Analyst, and Supplier Risk Manager groups are included on the list of recipients to
whom you can send internal risk assessments.

Only the contacts defined for the engagement's supplier are included on the list of recipients to whom you can
send external risk assessments. If you want to send an external risk assessment, and the engagement request did
not specify a supplier, you must set one as part of this procedure before you can specify external recipients. If the
supplier you specify does not currently have any available recipients, you can add them on the Contacts tab of the
Overview tile in the supplier's 360° profile.

Context

Supplier or third-party risk assessment projects do not require engagement-level risk assessments. If a specific
engagement does not require assessment beyond the inherent risk questions in the engagement request, you can
skip this process [page 331].

The number of risk assessments you can send depends on how your company's risk assessment process is set up.
You send external risk assessments to the supplier specified for the engagement, and internal risk assessments to
other stakeholders or experts in your company.

Note

If the engagement request does not specify a supplier, you can do so before sending the risk assessments, and
you must do so if you want to send an assessment to an external recipient. You can also specify a different
supplier than the one in the engagement request. This is your final opportunity to set the supplier for the
engagement; you cannot change the supplier after you have either sent or skipped the risk assessments.

Risk assessments are recommended based on how your company's risk assessment process is set up. Either
answers to specific questions about inherent risk in the engagement request or the engagement request's overall
inherent risk exposure can generate recommendations.

If a previous risk assessment project for the same supplier included any of the currently available risk assessments in
the past year, you can see who submitted the previous assessment, when, and its residual risk exposure, as well
as viewing the previous answers. Based on that information, you can decide whether to send the risk assessment
again or use the most recent previous answers.

Procedure

1. From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. In the Pending Tasks list, for the To Do task to send assessments, click Start.
3. Review the selected supplier. If there is no selected supplier and the engagement involves a supplier or
third-party, or if you want to select a different supplier from the one specified in the engagement request,
perform the following steps:
a. Start entering the name of the supplier you want to specify for the engagement in the Search field, then
choose from the list of matching suppliers.
b. Click Set Supplier.
4. Choose the risk assessments you want to send:
a. Recommended assessments are always checked by default. Uncheck any that you do not want to send.
b. Check any additional assessments you also want to send.

Tip

To see the contents of an assessment, click Preview to review it, then click Done to return to the send
assessments page.

5. For each checked assessment, click Send to and check the users at your company (for internal risk
assessments) or the supplier contacts (for external risk assessments) to whom you want to send the
assessment, then click Update.
6. Click Send Assessments.

Results

The recipients you chose receive email notifications inviting them to fill out and submit the assessment. The risk
assessment project moves from In Assessment status to Awaiting Assessment Responses status.

Next Steps

After sending out the first round of assessments, if recipients are not responding promptly, or if you decide
that additional assessments are needed, you can send additional assessments or resend any previously-sent
assessments to either the same recipient or a different recipient [page 329].

Related Information

The Legacy Risk Assessment Process [page 309]
Viewing and Managing Legacy Risk Assessment Projects [page 312]
How to Send Additional New or Resend Previously-Sent Legacy Engagement-Level Risk Assessments [page 329]
How to Manually Skip Legacy Engagement-Level Risk Assessments [page 331]
How to Raise an Issue for a Legacy Engagement Risk Assessment [page 321]
Supplier or Third-Party Legacy Risk Assessment Project Status Flow [page 335]

How to Send Additional New or Resend Previously-Sent Legacy Engagement-Level Risk Assessments
If you have not received risk assessment responses within the expected time frame, you can resend them to either
the same recipient or a different one. If you decide that additional engagement-level risk assessments are needed
after the first round, you can send additional new assessments.

Prerequisites

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

You must be a member of the Supplier Risk Engagement Governance Analyst group to send engagement-level
risk assessments.

Only members of the Supplier Risk Engagement Analyst, Supplier Risk Engagement Expert, Supplier Risk
Engagement Governance Analyst, and Supplier Risk Manager user groups are included on the list of recipients
to whom you can send internal risk assessments.

Only the contacts defined for the engagement's supplier are included on the list of recipients to whom you can send
external risk assessments. You can add new contacts for a supplier on the Contacts tab of the Overview tile in the
supplier's 360° profile.

Context

Resending a risk assessment to the current recipient can provide a reminder that they owe you a response. If the
current recipient has left the company or changed roles, or is on vacation or otherwise unavailable and will not be
able to respond in the necessary time frame, you can resend the assessment to a different recipient instead.

You can also send additional risk assessments while previous assessments are still in progress.

You can resend previously-sent risk assessments or send new additional risk assessments while the engagement
risk assessment project is in Awaiting Assessment Responses or Pending Assessment Approval status. Once
the final risk assessment has been approved or denied and the engagement risk assessment project moves to
Completed status, you can no longer send risk assessments for it.

Procedure

1. From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. In the Completed Tasks list, for the To Do task to send assessments, click View.
3. Perform one of the following actions:

• On the list of sent assessments, click Resend for the risk assessments you want to resend.
• On the list of previous assessments or unsent assessments, click Send for the additional risk assessments
you want to send.
4. Check the users at your company (for internal risk assessments) or the supplier contacts (for external risk
assessments) to whom you want to send the assessment. For assessments you are resending, the users you
check can be the original recipients or different recipients.
5. Click Send assessments.

Results

The recipients you selected receive email notifications inviting them to fill out and submit the risk assessments. If
you selected a new recipient for a previously-sent assessment, the original recipient no longer has access to it.

Related Information

How to Send Legacy Engagement-Level Risk Assessments [page 327]
The Legacy Risk Assessment Process [page 309]
Viewing and Managing Legacy Risk Assessment Projects [page 312]
Supplier or Third-Party Legacy Risk Assessment Project Status Flow [page 335]

How to Manually Skip Legacy Engagement-Level Risk Assessments
Manually skipping engagement-level risk assessments moves the supplier or third-party risk assessment project
from the approved engagement request directly to Completed: Assessments skipped manually status.

Prerequisites

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

You must be a member of the Supplier Risk Engagement Governance Analyst group to skip risk assessments.

Context

Risk assessment projects do not always require engagement-level risk assessments. Depending on your company's
processes and governance rules, there might be circumstances where those engagement-level risk assessments
are not necessary at all for specific engagements. There might also be cases where the supplier has recently
completed all necessary risk assessments for previous risk assessment projects and provided satisfactory
answers, and you want to use those previous assessments rather than asking the supplier to fill them out again. You
can then manually skip the step of sending out the risk assessments for the current engagement, moving its status
directly to Completed: Assessments skipped manually status.

If your site is configured to automatically skip assessments for engagements with no recommended assessments,
you only need to manually skip assessments if you decide that the recommended assessments are not necessary
for that particular engagement; if there are no recommended assessments, the engagement moves automatically
to Completed: Assessments skipped automatically status. If your site does not use this configuration option,
you must always manually skip assessments if you decide that an engagement doesn't require them, even for
engagements with no recommended assessments.

Procedure

1. From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. In the Pending Tasks list, for the To Do task to send assessments, click Start.
3. Uncheck any currently checked risk assessments.
4. Click Skip Assessments.

Results

The risk assessment project moves directly to Completed: Assessments skipped manually status.

Related Information

The Legacy Risk Assessment Process [page 309]
Viewing and Managing Legacy Risk Assessment Projects [page 312]
How to Send Legacy Engagement-Level Risk Assessments [page 327]
Supplier or Third-Party Legacy Risk Assessment Project Status Flow [page 335]

How to Complete a Legacy Internal Engagement-Level Risk Assessment
If you have been made the recipient of an internal risk assessment, you must complete the assessment To Do task
by filling out and submitting it. These assessments allow various stakeholders at your company to evaluate the risk
of working with a new supplier or third-party on a specific engagement.

Prerequisites

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

You must be the recipient of the internal risk assessment, and therefore the owner of its associated To Do task, to
be able to fill it out and submit it. Users who are not owners of an internal risk assessment To Do task can view but
not edit it.

Procedure

1. Perform one of the following actions:

• Click the link in the email notification to open the engagement. In the pending tasks list, click the Start
button to the right of the task for your assigned assessment.
• From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. Fill out the assessment and click Submit.

Results

Your assessment is sent to its designated approvers for review and approval. If you are the last person to submit an
assessment for the current risk assessment project, it moves from Awaiting Assessment Responses to Pending
Assessment Approval status. Otherwise, it remains in Awaiting Assessment Responses status.

Related Information

The Legacy Risk Assessment Process [page 309]
Viewing and Managing Legacy Risk Assessment Projects [page 312]
Supplier or Third-Party Legacy Risk Assessment Project Status Flow [page 335]

How to Approve or Deny a Legacy Engagement-Level Risk Assessment
If you are in the approval flow for a risk assessment, you can approve or deny it. Denying a risk assessment for an
engagement denies the entire engagement.

Context

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

If a risk assessment is calculated, you can see whether its residual exposure falls above or below the target
exposure when you review it. Residual exposures lower than the target exposure indicate higher risk.

Procedure

1. Perform one of the following actions:

• Click the link in the email notification to open the engagement.
• From the Engagement Requests tile on the Supplier Risk dashboard or in a supplier 360° view, in the
Engagement Requests area, click the In Progress tile, locate the engagement, and click its name.
2. In the Pending Tasks list, for the approval task, click Approve/Deny.
3. Review the answers to the assessment.
4. In the top right corner of the page, perform one of the following actions:

• To approve the request, click Approve.
• To deny the request, click Deny.
5. Enter a comment to the requester explaining your reasons, and click Confirm approval or Confirm denial.
6. Click Done.

Results

After all of the risk assessments associated with an engagement request are approved, the engagement is
automatically approved and has Completed status. If one assessment associated with an engagement request
is denied, the engagement is automatically denied and has Assessment Approval Denied status.

Related Information

The Legacy Risk Assessment Process [page 309]
Viewing and Managing Legacy Risk Assessment Projects [page 312]
Supplier or Third-Party Legacy Risk Assessment Project Status Flow [page 335]

Supplier or Third-Party Legacy Risk Assessment Project Status Flow
Supplier or third-party risk assessment projects move from Draft status to either Completed, Cancelled, or
Assessment Approval Denied status during the course of an engagement assessment.

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

| Action | Status |
| --- | --- |
| A user has created a new engagement request but has not yet submitted it. | Draft |
| A user has completed an engagement request and submitted it. | Draft > Submitted |
| A user has canceled a submitted engagement request. | Submitted > Cancelled |
| An approver has denied the engagement request. | Submitted > Request Denied |
| In a site configured to automatically skip assessments when there are no recommended assessments, an approver has approved an engagement request that does not generate any assessment recommendations. | Submitted > Completed: Assessments skipped automatically |
| An approver has approved the engagement request and the engagement request has generated assessment recommendations or the site is not configured to skip assessments if no recommendations are generated. | Submitted > In Assessment |
| A user has canceled an approved engagement request. | In Assessment > Cancelled |
| A governance expert has sent engagement-level risk assessments to internal or external recipients. | In Assessment > Awaiting Assessment Responses |
| A governance expert has manually skipped sending risk assessments. | In Assessment > Completed: Assessments skipped manually |
| All of the respondents have completed and submitted the sent assessments and they have all entered the approval flow. | Awaiting Assessment Responses > Pending Assessment Approval |
| At least one approver has denied an assessment. | Pending Assessment Approval > Assessment Approval Denied |
| Approvers have finally approved all of the engagement-level risk assessments. | Pending Assessment Approval > Completed |

Related Information

The Legacy Risk Assessment Process [page 309]
Viewing and Managing Legacy Risk Assessment Projects [page 312]
How to Request a New Engagement in a Legacy Risk Assessment Project [page 314]
How to Approve or Deny a Legacy Engagement Request [page 317]
How to Send Legacy Engagement-Level Risk Assessments [page 327]
How to Manually Skip Legacy Engagement-Level Risk Assessments [page 331]
How to Complete a Legacy Internal Engagement-Level Risk Assessment [page 332]
How to Approve or Deny a Legacy Engagement-Level Risk Assessment [page 333]

Legacy Issue Management Project Status Flow


Issue management projects move from Draft status to either Resolved or Request Denied status during the
course of the issue workflow.

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

The status of an issue management project has no direct effect on the status of its associated engagement risk
assessment project. It is for informational purposes only.

| Action | Status |
| --- | --- |
| A user submits a new issue. | Draft |
| Tasks in the Issue Definition phase are in progress. | Draft |
| The last task in the Issue Definition phase is completed. | Draft > In Progress |
| Tasks in the Issue Analysis, Issue Resolution, and Issue Resolution Acceptance phases are in progress. | In Progress |
| The last task in the Issue Resolution Acceptance phase is completed and the issue resolution is approved. | In Progress > Resolved |
| The last task in the Issue Resolution Acceptance phase is completed and the issue resolution is denied. | In Progress > Request Denied |

Related Information

The Legacy Engagement Risk Issue Management Process [page 311]
How to Raise an Issue for a Legacy Engagement Risk Assessment [page 321]
How to Define, Analyze, or Resolve a Legacy Engagement Risk Issue [page 323]
How to Add Approvers or Reviewers to a Legacy Engagement Risk Issue [page 325]

How to Run the Legacy Engagement Summary Report


The Engagement Summary report provides an overview of your company's supplier or third-party engagement
risk assessment projects.

Prerequisites

Note

The information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba
Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future
enhancements are planned for them. Control-based engagement risk assessment projects include important
improvements and will continue to add features. Customers with subscription order forms dated after the SAP
Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use
control-based engagement risk assessment projects.

To run the Engagement Summary report, you must be a member of the Supplier Risk Engagement Analyst,
Supplier Risk Engagement Expert, or Supplier Risk Engagement Governance Analyst group.

Context

The Engagement Summary report includes the following default fields:

• Risk assessment, with the list of engagement-level risk assessments
• Engagement request, the ID of the engagement risk assessment project
• Name
• Requested on
• Status
• High Risk
• Requested by
• Supplier
• Skipped assessments, with a flag indicating whether or not assessments were skipped

Depending on your company's engagement request setup, you might be able to filter the report by commodity,
region, internal users, and their departments. The report also contains a field for each available filter.

Procedure

1. On the Supplier Risk dashboard, click User settings and configuration.
2. Click Reports.
3. From the Report name dropdown menu, choose Engagement Summary.
4. (Optional) Choose report filters by performing the following actions:

• For commodity, region, and department filters, either click Browse, navigate through the tree, and check a
value, or click Search, start entering a name, and choose from the list of suggestions.
• For user filters, start entering a name and choose from the list of suggestions.
• For Assessments were skipped, choose False to show only engagement risk assessments with completed
assessments, True to show only engagement risk assessments where assessments were skipped (either
manually or automatically), or Not Applicable to show both.
5. Click Generate report.

Results

The page displays the report based on your selected filters.

Next Steps

To sort the online report by column, click on the column name. To view engagement-level risk assessment details
for an engagement risk assessment project, click Expand in the Risk assessment column. To export the current
report to a Microsoft Excel file for use offline, click Export.

Topics About Site Configuration Parameters for Setting Up SAP Ariba Supplier Risk

Support-Enabled Site Configuration Parameters for SAP Ariba Supplier Risk [page 340]

Self-Service Site Configuration Parameters for SAP Ariba Supplier Risk in Intelligent Configuration Manager
[page 341]

Self-Service Site Configuration Parameters in SM Administration [page 406]

Support-Enabled Site Configuration Parameters for SAP Ariba Supplier Risk
Some of the functionality for SAP Ariba Supplier Risk is controlled by configuration parameters, which SAP Ariba
Support sets for you.

Application.ACM.PhaseAutoStart (set by SAP Ariba Support)
By default, a phase automatically starts when one of its tasks is marked started or
complete. If Application.ACM.PhaseAutoStart is set to No, users must manually mark
a phase started.

Application.ACM.PhaseAutoComplete (set by SAP Ariba Support)
By default, a phase automatically completes when all of its required tasks are completed. If
Application.ACM.PhaseAutoComplete is set to No, users must manually mark a phase
complete.

Application.SR.Engagement.AutoSkipAssessments (set by SAP Ariba Support)
Specifies whether or not supplier or third-party engagement risk assessment projects
with engagement requests that do not generate any engagement-level risk assessment
questionnaire recommendations automatically skip the send assessments phase. If this
parameter is enabled, approved engagement requests with no recommended assessments
automatically move to Completed: Assessments skipped automatically status. If it
is disabled, engagement requests with no recommended assessments move to the
send assessments phase, and a governance expert must manually either skip or select
assessments to send. The default setting is No, meaning that engagement requests that do
not generate assessment recommendations still move to the send assessments phase.

Note

This parameter is only applicable for legacy engagement risk assessment projects.

Self-Service Site Configuration Parameters for SAP Ariba Supplier Risk in Intelligent Configuration Manager
Some of the functionality for SAP Ariba Supplier Risk is controlled by self-service configuration parameters, which
members of the Customer Administrator group can set.

For information about how to manage parameters, see Intelligent Configuration Manager Administration.

Ability to select SAP business network as the data source for assessment responses [page 343]

Add issue assignees to the assignee project group only [page 344]

Allow change requests [page 345]

Allow decision maker to skip an assessment response [page 345]

Allow engagement Project Owner groups to inherit project group membership from the template [page 346]

Allow engagement requests with no supplier [page 347]

Allow no-effectiveness option for control review [page 348]

Allow users to create general and engagement-related findings [page 349]

Allow using control effectiveness levels to evaluate residual risk by risk domain [page 349]

Allow using issues to evaluate residual risk by risk domain [page 350]

Calculate engagement level residual risk by risk domain [page 351]

Calculate inherent risk for engagements by risk domain [page 352]

Calculate supplier level inherent and residual risk by risk domain [page 353]

Calculate task due date based on predecessor completion date [page 355]

Create actions for control reviews and assessments [page 356]

Create actions for engagement To Do and approval tasks [page 357]

Define percentage-based scoring ratings and ranges for engagement questionnaires [page 358]

Define point-based scoring ratings and ranges for engagement questionnaires [page 359]

Define the amount of change allowed for engagement residual risk ratings [page 359]

Disable participant view for supplier management questionnaires [page 360]

Enable action queue [page 361]

Enable advanced archiving workflow for engagement projects [page 362]

Enable advanced engagement editing and canceling [page 363]

Enable advanced send assessment workflow for engagement projects [page 363]

Enable API updates for external modular questionnaires with any status [page 364]

Enable assignee team management on issue projects [page 365]

Enable asynchronous processing for template upgrade [page 366]

Enable asynchronous processing of business details and the inherent risk screening questionnaire [page 367]

Enable background processing for periodic review [page 367]

Enable certificate sections in supplier management questionnaires [page 368]

Enable change project owner action on the engagement page [page 369]

Enable control review workflow [page 369]

Enable document types for engagement requests originating from non-catalog purchases [page 370]

Enable editability access control for the issue form [page 371]

Enable editing of in-progress change requests [page 372]

Enable engagement request document types [page 373]

Enable engagement review workflow [page 374]

Enable enhanced filtering and pagination for standalone modular questionnaires [page 374]

Enable enhanced status information for assessments and risk controls [page 375]

Enable internal forms in modular questionnaires [page 377]

Enable manage project team action on the engagement page [page 378]

Enable modular questionnaire template creation in sites with a basic supplier management entitlement [page 379]

Enable task enhancements in engagement projects [page 379]

Enable template upgrade [page 380]

Enable the enhanced engagement list [page 382]

Expanded levels of risk control effectiveness [page 383]

Hide names of empty questionnaire sections [page 384]

Import risk assessment data for engagement requests [page 385]

Import risk assessment responses from external systems [page 386]

Include engagement context in assessment notifications [page 386]

Manage user interactions during send assessments processing [page 388]

Manage user interactions during update processing [page 389]

Process engagement request questionnaires in the background [page 390]

Process supplemental engagement questionnaires in the background [page 390]

Remove country/region risk as a risk exposure contributing factor [page 391]

Remove obsolete issues [page 393]

Reopen all initial approval phase tasks for insignificant changes requiring approval [page 394]

Reopen post project approval phase with engagement review [page 395]

Require issue completion for final engagement project approval [page 395]

Require issues for ineffective risk control decisions [page 396]

Require only attachment and expiration date for supplier certificates [page 397]

Require only basic approval for engagement projects with no controls [page 398]

Restrict editing of residual risk ratings based on engagement issues [page 399]

Restrict engagement project visibility by role [page 400]

Restrict issue project visibility by role [page 401]

Reuse respondent answers when resending assessments [page 401]

Set batch size for creating assessment questionnaires [page 402]

Show only registered suppliers in engagement projects [page 403]

Treat control removal as a significant change [page 404]

Use custom logo and footer for emails sent to suppliers [page 405]

Related Information

Intelligent Configuration Manager administration

Ability to select SAP business network as the data source for assessment responses

Adds the ability to select SAP Business Network as the data source for responses to a modular questionnaire
used as an assessment for engagement requests. This parameter is relevant only when the parameter Import risk
assessment data for engagement requests (Application.SR.Engagement.RiskAssessmentDataImport) is
also enabled.

ID Application.SR.Engagement.ImportResponsesFromBusinessNetwork

Name Ability to select SAP business network as the data source for assessment responses

Default value No

| Parameter Value | Description |
| --- | --- |
| Yes | Makes the choice SAP Business Network available in the Source of responses dropdown on the Rules tab of the modular questionnaire template. |
| No | SAP Business Network is not available in the Source of responses dropdown. |

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration
Parameter Management in Intelligent Configuration Manager
Import risk assessment data for engagement requests [page 385]
Setting Up a Modular Questionnaire to Import Supplier Responses from the Human Rights Assessment on SAP
Business Network

Add issue assignees to the assignee project group only

Specifies whether assignees are added to only the assignee project group in issue management projects or are also
added to the Project Owner group. When assignees are added only to the assignee group, template creators can
define separate task ownership and editability access control for assignees and project owners.

ID Application.SR.IssueManagement.AddAssigneeToAssigneeTeamOnly

Name Add issue assignees to the assignee project group only

Default value No

By default, issue assignees are added to the Project Owner project group as well as the dedicated issue assignee
project group if your issue management project template includes it.

Setting this parameter to Yes adds issue assignees only to the dedicated assignee project group so that they do
not have Project Owner permissions.

In addition to enabling this parameter, if your issue management project template does not already include a
dedicated assignee group, a template creator must also add a project group named Assignee to the issue
management template. The presence of that project group in the published issue management project template is
required for the behavior enabled by this parameter to function correctly.

If you have also enabled Restrict issue project visibility by role [page 401], you can use access control to ensure
that issue creators (members of the Project Owner group) and issue assignees can only edit the appropriate
sections of the issue form and that assignees and creators cannot edit the same sections of the form.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration
Parameter Management in Intelligent Configuration Manager

Allow change requests
Enables the ability to make changes to a control-based engagement risk assessment project after final approval.
Required configuration includes defining change request workflow in the project template.

ID Application.SR.Engagement.AllowChangeRequest

Name Allow change requests

Default value No

This parameter is relevant in sites using control-based engagement risk assessment projects. Its value determines
whether, on the engagement summary page, authorized users can choose Action > Change request to trigger
a change request workflow. Use of the Change request action also requires that a change request workflow have
been defined as described in the topic Adding change request workflow to the Supplier Risk Engagement Template.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration
Parameter Management in Intelligent Configuration Manager

Allow decision maker to skip an assessment response


Enables the option for a control review decision maker to skip an assessment
response. This feature also requires enabling the parameter Enable control review workflow
(Application.SR.Engagement.EnableControlReviewWorkflow).

ID Application.SR.Engagement.AllowSkipAssessmentResponse

Name Allow decision maker to skip an assessment response

Default value No

When this parameter is set to Yes, a decision maker can choose to Skip an assessment from the control details
page. This allows them to move on to setting the effectiveness level for the control or service, rather than waiting
for a response.

Note

Normally, any internal assessment resent during a control reopen is addressed to the original recipient. A
skipped assessment, however, is canceled and thus has no record of to whom it was sent. The control reopen
therefore must use the internal recipients group for internal assessments that were previously skipped.

The topic About Modular Supplier Management Questionnaires in Control-Based Engagement Risk
Assessment Projects indicates that the default list of internal recipients is all members of the Project Owner
project group for the engagement risk assessment project. When resending an internal assessment as part of
a control reopen, this statement does not apply: because the control reopen occurs outside the context of a
specific engagement request, there is no project owner project group to use as the default.

Thus, neither of the two possible default values for the recipient are available when resending an assessment
that was previously skipped. If planning to allow users to skip assessment responses, it’s therefore important
to ensure that each modular questionnaire template used for internal assessments includes a defined internal
recipients group.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

Related Information

Intelligent Configuration Manager Administration
Skipping an Assessment Response [page 222]
Parameter Management in Intelligent Configuration Manager

Allow engagement Project Owner groups to inherit project group membership from the template
Allows newly created engagement projects to inherit any project groups that are members of the Project Owner
group in the template. Members of these project groups then have Project Owner permissions in engagement
projects created from the template.

ID Application.SR.Engagement.InheritTemplateGroupsToProjects

Name Allow engagement Project Owner groups to inherit project group membership from the template

Default value No

| Parameter value | Description |
| --- | --- |
| Yes | Modifies the standard behavior for determining membership in the Project Owner project group in newly created engagement projects. This normally requires using buyer categories or a team member rules file. With this parameter enabled, new engagement projects inherit any project groups that are members of the Project Owner group in the supplier risk engagement template. Members of these project groups then have Project Owner permissions in engagement projects created from the template. |
| No | The standard behavior is unchanged. |

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration
Parameter Management in Intelligent Configuration Manager

Allow engagement requests with no supplier

Enables requesters to submit engagement requests for control-based engagement risk assessment projects with
no supplier selected.

ID Application.SR.Engagement.AllowOptionalSupplier

Name Allow engagement requests with no supplier

Default value No

By default, requesters cannot submit engagement requests unless they have selected a supplier for the
engagement. Setting this parameter to Yes allows requesters to successfully submit engagement requests with
no supplier selected.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration
Parameter Management in Intelligent Configuration Manager

Allow no-effectiveness option for control review

Enables the option for a decision maker to complete a control review task without
rendering an effectiveness decision. Once enabled, disabling this parameter is not recommended.
This feature also requires enabling the parameter Enable control review workflow
(Application.SR.Engagement.EnableControlReviewWorkflow).

ID Application.SR.Engagement.AllowNoEffectivenessOptionForControlReview

Name Allow no-effectiveness option for control review

Default value No

When this parameter is set to Yes:

• A decision maker for a control can choose Action > Skip control review rather than setting the
effectiveness level for a control or service.
• The Control effectiveness options choice is available in the Supplier Risk settings. Here you can define
the available reasons for skipping a control review. These reasons appear in a dropdown on the Skip control
review dialog.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

Related Information

Enable control review workflow [page 369]
Intelligent Configuration Manager Administration
Defining Reasons for Skipping a Control Review
Parameter Management in Intelligent Configuration Manager

Allow users to create general and engagement-related findings

Allows users to create findings from within Supplier Risk. Authorized users can create general findings, or findings
specific to engagements, controls, or services.

ID Application.SR.Engagement.CreateFinding

Name Allow users to create general and engagement-related findings

Default value No

If Yes, users document supplier or engagement concerns using findings. If No, they use issues.

A finding or issue can be associated with an engagement or one of its controls. The findings feature additionally
allows creation of a general finding about a supplier, not specific to an engagement.

If you change from issues (No for this parameter) to findings (Yes for this parameter), users can no longer create
issues, but any issues that already exist are retained. The reverse is true if you switch from findings to issues.

Note

The ability to create engagement-related findings enabled using this parameter applies only to control-based
engagement risk assessment projects. For more information about these projects, see Setting up SAP Ariba
Supplier Risk.

The ability to create general findings is not limited to sites configured for control-based engagement risk
assessment projects.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration

Allow using control effectiveness levels to evaluate residual risk by risk domain

Enables calculating residual risk by risk domain using control effectiveness levels: makes this method available to
choose on the Engagement risk level configuration page.

ID Application.SR.Engagement.UseControlEffectivenessForResidualRisk

Name Allow using control effectiveness levels to evaluate residual risk by risk domain

Default value No

| Parameter value | Description |
| --- | --- |
| Yes | The option to choose Control effectiveness is available on the Engagement risk level configuration page as a method for calculating residual risk by risk domain. |
| No | This option is not shown on the Engagement risk level configuration page. |

When setting this parameter to Yes, you must also enable the following parameters:

• Expanded levels of risk control effectiveness
  (Application.SR.Engagement.ExpandedLevelsOfRiskControlEffectiveness)
• Enable control review workflow (Application.SR.Engagement.EnableControlReviewWorkflow)
• Calculate inherent risk for engagements by risk domain
  (Application.SR.Engagement.DomainBasedInherentRisk)

For a description of the full configuration workflow for setting up residual risk calculations with visibility into risk
domains, refer to Configuring Residual Risk Calculations by Risk Domain.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Expanded levels of risk control effectiveness [page 383]
Enable control review workflow [page 369]
Calculate inherent risk for engagements by risk domain [page 352]
Allow using issues to evaluate residual risk by risk domain [page 350]
Calculate engagement level residual risk by risk domain [page 351]
Parameter Management in Intelligent Configuration Manager

Allow using issues to evaluate residual risk by risk domain

Enables calculating residual risk by risk domain using issues: makes this method available to choose on the
Engagement risk level configuration page.

ID Application.SR.Engagement.UseControlIssuesForResidualRisk

Name Allow using issues to evaluate residual risk by risk domain

Default value No

Parameter value   Description

Yes               The option to choose Issues is available on the Engagement risk level configuration page as a
                  method for calculating residual risk by risk domain.

No                This option is not shown on the Engagement risk level configuration page.

When setting this parameter to Yes, you must also enable the parameter Calculate inherent risk for engagements
by risk domain (Application.SR.Engagement.DomainBasedInherentRisk). Residual risk is calculated only
for risk domains that have inherent risk values.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Calculate engagement level residual risk by risk domain

If Yes, engagement level residual risk is calculated by risk domain, using the configured method (based on control
effectiveness or issues). If No, engagement level residual risk is equal to the maximum residual risk rating from all
its control- and engagement-level issues.

ID Application.SR.Engagement.CalculateEngagementLevelResidualRiskByDomain

Name Calculate engagement level residual risk by risk domain

Default value No

Parameter value   Description

Yes               Engagement level residual risk is the maximum residual risk value from the risk domains
                  represented in the engagement.

No                The residual risk for the engagement is the maximum residual risk rating from all its control-
                  and engagement-level issues.

When you first enable this feature, engagement-level residual risk is calculated using this method from that point
forward; there is no mass re-calculation of residual risk for all engagements. The new residual risk calculation is
used when a change to a given engagement triggers re-calculation: the engagement moves to Completed status, a
change request or review is completed, or there is a change to one of the underlying factors (issues, inherent risk,
or control effectiveness levels) that affect the residual risk.

Note

When you enable this feature, you are choosing to calculate engagement-level residual risk based on the issues
or control effectiveness for the risk controls on the engagement. In this case, users cannot manually change
residual risk values at the engagement level, and the following parameters related to manual changes are not
relevant:

• Define the amount of change allowed for engagement residual risk ratings
(Application.SR.Engagement.ResidualRiskAllowableChange)
• Restrict editing of residual risk ratings based on engagement issues
(Application.SR.Engagement.EnableIssueBasedRestrictionsOnResidualRiskSelection)

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Allow using control effectiveness levels to evaluate residual risk by risk domain [page 349]
Allow using issues to evaluate residual risk by risk domain [page 350]
Configuring Residual Risk Calculations by Risk Domain
Parameter Management in Intelligent Configuration Manager

Calculate inherent risk for engagements by risk domain

Enables inherent risk calculation for engagements segmented by user-defined risk domains. Risk domain weighting
allows internal risk experts to tailor the calculation to reflect the relative importance of each.

ID Application.SR.Engagement.DomainBasedInherentRisk

Name Calculate inherent risk for engagements by risk domain

Default value No

This parameter controls the ability to assign risk domains and domain weights to sections of the inherent risk
screening questionnaire, in order to calculate inherent risk by risk domain.

Parameter Value   Description

Yes               Inherent risk scoring can be segmented by risk domain.

                  • Inherent risk screening questionnaire: Assign risk domains to appropriate sections of the
                    questionnaire. Define a weight for each domain, reflecting its relative importance to the
                    overall risk of the engagement.
                  • Engagement page: Shows a section listing each risk domain and its rating for that engagement.

No                Inherent risk scoring is not segmented by risk domain.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Calculate supplier level inherent and residual risk by risk domain

If Yes, inherent and residual risk are calculated at the supplier level, with visibility into risk domains. If
No, supplier-level inherent and residual risk are not calculated.

ID Application.SR.Engagement.SRRiskScoresCalculationSupplierLevel

Name Calculate supplier level inherent and residual risk by risk domain

Default value No

Note

When setting this parameter to Yes: The supplier-level inherent and residual risk ratings are defined to be the
most severe rating for any active engagement for that supplier. Since the engagement-level ratings are the source
for generating the supplier-level rating, you must also enable the parameter Calculate engagement level residual
risk by risk domain (Application.SR.Engagement.CalculateEngagementLevelResidualRiskByDomain).

Parameter value   Description

Yes               Overall supplier-level inherent risk and residual risk score and rating are calculated from the
                  engagement-level values. The Engagement requests tab in the Risk area of the supplier 360° shows
                  inherent and residual risk values at the issue, risk control, engagement, and supplier level.

                  Supplier-level inherent or residual risk is calculated or recalculated in response to an event
                  that might change its value. For example:

                  • If the inherent or residual risk for an engagement for the supplier changes
                  • If a new engagement request is submitted or an engagement is canceled or archived

                  Note
                  When you enable this feature, supplier-level inherent and residual risk are calculated from that
                  point forward; there is no mass calculation of overall inherent and residual risk for all
                  suppliers. The calculation for a supplier is triggered for the first time when one of the above
                  changes occurs.

No                Supplier-level inherent and residual risk are not calculated.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Calculate engagement level residual risk by risk domain [page 351]
Calculate inherent risk for engagements by risk domain [page 352]
Configuring Residual Risk Calculations by Risk Domain
Parameter Management in Intelligent Configuration Manager
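
The dependencies stated in the residual risk parameter descriptions above can be checked mechanically before a configuration change is applied. The following is an added example, not SAP code: it assumes the parameter values have been collected into a Python dict keyed by parameter ID (the sample values are constructed), and the names REQUIRES, NOT_RELEVANT_WHEN, enabled, and audit are hypothetical.

```python
P = "Application.SR.Engagement."

# "When setting this parameter to Yes, you must also enable ..." as stated above.
REQUIRES = {
    P + "UseControlEffectivenessForResidualRisk": [
        P + "ExpandedLevelsOfRiskControlEffectiveness",
        P + "EnableControlReviewWorkflow",
        P + "DomainBasedInherentRisk",
    ],
    P + "UseControlIssuesForResidualRisk": [P + "DomainBasedInherentRisk"],
    P + "SRRiskScoresCalculationSupplierLevel": [
        P + "CalculateEngagementLevelResidualRiskByDomain",
    ],
}

# Parameters described above as not relevant once the key parameter is Yes.
NOT_RELEVANT_WHEN = {
    P + "CalculateEngagementLevelResidualRiskByDomain": [
        P + "ResidualRiskAllowableChange",
        P + "EnableIssueBasedRestrictionsOnResidualRiskSelection",
    ],
}


def enabled(settings, param):
    """True/False for an explicit Yes/No value, None when the parameter is absent."""
    value = settings.get(param)
    return None if value is None else str(value).strip().lower() == "yes"


def audit(settings):
    """Return (kind, parameter, related parameter) findings for a settings dict.

    kind is "disabled" (a required parameter is No), "unknown" (a required
    parameter is missing from the input, so it cannot be verified), or
    "not relevant" (a value is set but has no effect under this configuration).
    """
    findings = []
    for param, needed in REQUIRES.items():
        if not enabled(settings, param):
            continue
        for dep in needed:
            state = enabled(settings, dep)
            if state is None:
                findings.append(("unknown", param, dep))
            elif not state:
                findings.append(("disabled", param, dep))
    for param, ignored in NOT_RELEVANT_WHEN.items():
        if enabled(settings, param):
            findings.extend(
                ("not relevant", param, other) for other in ignored if other in settings
            )
    return findings


# Constructed sample: control effectiveness is switched on, but one prerequisite
# is No and another was never recorded in the collected settings.
SAMPLE = {
    P + "UseControlEffectivenessForResidualRisk": "Yes",
    P + "ExpandedLevelsOfRiskControlEffectiveness": "Yes",
    P + "DomainBasedInherentRisk": "No",
    P + "SRRiskScoresCalculationSupplierLevel": "Yes",
    P + "CalculateEngagementLevelResidualRiskByDomain": "Yes",
    P + "ResidualRiskAllowableChange": "2",
}

if __name__ == "__main__":
    for kind, param, related in audit(SAMPLE):
        print(f"{kind:12} {param[len(P):]} -> {related[len(P):]}")
```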

Calculate task due date based on predecessor completion date

Determines calculation of the due date for a To Do or approval task with one or more predecessors. If Yes, task due
date is calculated based on the completion date of its predecessors. If No, the start of a phase triggers due date
calculations for all tasks in that phase.

ID Application.SR.Engagement.CalculateTaskDueDateFromPredecessorCompletionDate

Name Calculate task due date based on predecessor completion date

Default value No

Tip

When you set this parameter to Yes, or change it back to No, the new rule for calculating task due date
applies from that point forward. Task due dates that have already been set are not changed. If a phase is later
reopened, for example for a periodic review, due dates for all reopening To Do and approval tasks are handled
according to the setting for this parameter.

When this parameter is set to Yes:

• The due date of a To Do or approval task is the latest completion date of its predecessors plus the duration
defined on the Supplier Risk Engagement Template in the task Due date field.
• The due date for a task that has no defined predecessor is the start date of the phase plus the task's duration.
• The task page in the Supplier Risk Engagement Template shows the Due Date entry field as <n> days after all
predecessors are complete.
• A To Do or approval task with one or more predecessors has no due date value until its predecessors complete.

When this parameter is set to No:

• The due date for each task is the start date of the phase plus the task's duration.
• The task page in the Supplier Risk Engagement Template shows the Due Date entry field as <n> days after
parent phase starts.
• Due dates for all tasks in a phase are calculated when the phase starts.

Example

A phase has three To Do tasks (A1, B1, and C1). Each has a duration of 2 days and none has a defined
predecessor. The phase starts on May 4 so each To Do task has a due date of May 6.

Three approval tasks (A2, B2, and C2) have predecessor relationships as follows:

Task Duration Predecessors

A2 2 days A1

B2 3 days B1

C2 4 days A1, B1, C1

The To Do tasks actually complete later than expected. Task A1 completes on May 10, task B1 on May 8, and
task C1 on May 9.

The due dates for tasks A2-C2 depend on the setting for this parameter.

Task   Due date

Parameter Calculate task due date based on predecessor completion date is set to No

A2     Phase start date (May 4) + 2 days = May 6
B2     Phase start date (May 4) + 3 days = May 7
C2     Phase start date (May 4) + 4 days = May 8

Parameter Calculate task due date based on predecessor completion date is set to Yes

A2     A1 completion date (May 10) + 2 days = May 12
B2     B1 completion date (May 8) + 3 days = May 11
C2     Latest completion date of A1, B1, and C1 (May 10) + 4 days = May 14
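
The two due date rules described for this parameter, as an added example that is not SAP code. It reuses the tasks and dates from the example above; the year, the treatment of durations as calendar days, and the function names are assumptions. The second function reports tasks whose due date passed before their last predecessor completed, which is what happens to A2, B2, and C2 when the parameter is No.

```python
from datetime import date, timedelta

# Constructed from the example above; the year is an assumption (the text gives only May dates).
PHASE_START = date(2023, 5, 4)
TASKS = {  # name: (duration in days, predecessors)
    "A1": (2, []), "B1": (2, []), "C1": (2, []),
    "A2": (2, ["A1"]),
    "B2": (3, ["B1"]),
    "C2": (4, ["A1", "B1", "C1"]),
}
COMPLETED = {"A1": date(2023, 5, 10), "B1": date(2023, 5, 8), "C1": date(2023, 5, 9)}


def due_dates(phase_start, tasks, completed, from_predecessors):
    """Return {task: due date or None} for the tasks of one phase.

    from_predecessors=False models the parameter set to No: every due date is
    phase start + duration. True models Yes: a task with predecessors is due
    <duration> days after its latest predecessor completes, and has no due
    date (None) until all of its predecessors have completed.
    """
    result = {}
    for name, (duration, preds) in tasks.items():
        span = timedelta(days=duration)
        if not from_predecessors or not preds:
            result[name] = phase_start + span
            continue
        finished = [completed.get(p) for p in preds]
        result[name] = None if None in finished else max(finished) + span
    return result


def due_before_ready(tasks, completed, due):
    """Tasks whose due date fell before their last completed predecessor finished."""
    late = []
    for name, (_, preds) in tasks.items():
        finished = [completed[p] for p in preds if p in completed]
        if finished and due[name] is not None and due[name] < max(finished):
            late.append(name)
    return sorted(late)


if __name__ == "__main__":
    for label, flag in (("No", False), ("Yes", True)):
        due = due_dates(PHASE_START, TASKS, COMPLETED, flag)
        approvals = {t: str(d) for t, d in due.items() if t.endswith("2")}
        print(label, approvals, "due before ready:", due_before_ready(TASKS, COMPLETED, due))
```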

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Create actions for control reviews and assessments


Specifies whether engagement risk control reviews and assessments have actions associated with them.

ID Application.SR.Engagement.CreateActionsForControlsAndAssessments

Name Create actions for control reviews and assessments

Default value Yes

Set this parameter to No if you don't want the related engagement project control reviews and assessments to be
included in the Actions tile and the Actions queue page.

The parameter Enable action queue (Application.SR.Engagement.EnableActionQueue) must be enabled so the
Actions tile is on the Supplier Risk dashboard.

Disable the Create actions for engagement To Do and approval tasks
(Application.SR.Engagement.CreateActionsForToDoAndApprovalTasks) parameter if you don't want
the pending To Do and approval tasks for engagement projects and their associated issues and assessment
questionnaires to be included in the Actions tile and the Actions queue page.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Enable action queue [page 361]
Create actions for engagement To Do and approval tasks [page 357]
Parameter Management in Intelligent Configuration Manager

Create actions for engagement To Do and approval tasks

Specifies whether pending To Do and approval tasks in engagements and associated issues and assessment
questionnaires have actions associated with them.

ID Application.SR.Engagement.CreateActionsForToDoAndApprovalTasks

Name Create actions for engagement To Do and approval tasks

Default value Yes

Set this parameter to No if you don't want the pending To Do and approval tasks for engagement projects and their
associated issues and assessment questionnaires to be included in the Actions tile and the Actions queue page.

The parameter Enable action queue (Application.SR.Engagement.EnableActionQueue) must be enabled so the
Actions tile is on the Supplier Risk dashboard.

Disable the Create actions for control reviews and assessments
(Application.SR.Engagement.CreateActionsForControlsAndAssessments) parameter if you don't want
the related engagement project control reviews and assessments to be included in the Actions tile and the Actions
queue page.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Enable action queue [page 361]
Create actions for control reviews and assessments [page 356]
Parameter Management in Intelligent Configuration Manager

Define percentage-based scoring ratings and ranges for engagement questionnaires

Defines numeric ranges and names for percentage-based scoring in engagement risk assessment projects. Range
values must be 0 or greater, with no gaps between ranges, in the format rating name:low value:high value. If there is
any overlap between two ratings, the rating with the higher range is used.

ID Application.SR.Engagement.RiskScoreRanges

Name Define percentage-based scoring ratings and ranges for engagement questionnaires

Default value Low:0:50, Medium:50:75, High:75:100

Range values must be between 0 and 100, with no gaps between ranges, in the format Rating name:low
value:high value.

If there is any overlap between two ratings, the rating with the higher range is used. The default values mean that
scores of 0% to 49% have a low risk rating, scores of 50% to 74% have a medium risk rating, and scores of 75%
to 100% have a high risk rating. Note that the default ranges assume that your pre-grading assigns higher scores
for high-risk answers and lower scores for low-risk answers. You can specify any number of ranges, with a maximum
high value of 100%.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Define point-based scoring ratings and ranges for engagement questionnaires

Defines numeric ranges and names for point-based scoring in engagement risk assessment projects. Range values
must be 0 or greater, with no gaps between ranges, in the format rating name:low value:high value. If there is any
overlap between two ratings, the rating with the higher range is used.

ID Application.SR.Engagement.RiskPointBasedScoreRanges

Name Define point-based scoring ratings and ranges for engagement questionnaires

Default value Low:0:60,Medium:60:90,High:90:1000

Range values must be 0 or greater, with no gaps between ranges, in the format Rating name:low value:high
value.

If there is any overlap between two ratings, the rating with the higher range is used. The default values mean that
scores of 0 to 59 points have a low risk rating, scores of 60 to 89 points have a medium risk rating, and scores of
90 to 1000 points have a high risk rating. Note that the default ranges assume that your pre-grading assigns more
points for high-risk answers and fewer points for low-risk answers. You can specify any number of ranges, with a
maximum high value of 1000 points.
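
A range string for either scoring parameter (percentage-based or point-based) can be validated against the stated rules before it is saved. The following is an added example, not SAP code: the function names are hypothetical, the malformed string is constructed, and treating both bounds as inclusive with the higher range winning on a shared boundary is an interpretation that reproduces the default ratings described above.

```python
PERCENT_DEFAULT = "Low:0:50, Medium:50:75, High:75:100"   # default value from the text
POINTS_DEFAULT = "Low:0:60,Medium:60:90,High:90:1000"     # default value from the text


def parse_ranges(spec, max_high):
    """Parse 'Rating name:low value:high value, ...' and check the stated rules.

    max_high is 100 for percentage-based and 1000 for point-based scoring.
    Returns (ranges, errors); ranges is a list of (name, low, high) sorted by
    low value and contains only the entries that passed the per-entry checks.
    """
    ranges, errors = [], []
    for entry in spec.split(","):
        entry = entry.strip()
        parts = entry.rsplit(":", 2)          # rating names may themselves contain ':'
        if len(parts) != 3 or not parts[0].strip():
            errors.append(f"malformed entry {entry!r}")
            continue
        try:
            low, high = float(parts[1]), float(parts[2])
        except ValueError:
            errors.append(f"non-numeric bound in {entry!r}")
            continue
        if not (0 <= low <= high <= max_high):  # also rejects NaN and infinity
            errors.append(f"bounds outside 0..{max_high} or reversed in {entry!r}")
            continue
        ranges.append((parts[0].strip(), low, high))

    ranges.sort(key=lambda r: (r[1], r[2]))
    covered = None                            # highest value covered so far
    for name, low, high in ranges:
        if covered is not None and low > covered:
            errors.append(f"gap between {covered:g} and {low:g} (before {name})")
        covered = high if covered is None else max(covered, high)
    return ranges, errors


def rating_for(score, ranges):
    """Rating name for a score, or None when no range covers it.

    Where ranges overlap (including a shared boundary value such as 50 in the
    percentage default), the rating with the higher range is returned.
    """
    matches = [r for r in ranges if r[1] <= score <= r[2]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[1], r[2]))[0]


if __name__ == "__main__":
    ranges, errors = parse_ranges(PERCENT_DEFAULT, 100)
    print(errors, [rating_for(s, ranges) for s in (0, 49, 50, 74, 75, 100)])
    # Constructed invalid value: a gap between 40 and 50, and a high value above 100.
    print(parse_ranges("Low:0:40, Medium:50:75, High:75:120", 100)[1])
```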

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Define the amount of change allowed for engagement residual risk ratings

Specifies the number of levels by which a user is allowed to change the original residual risk rating for an
engagement project. Valid values are 0-4, where 0 means that users cannot edit residual risk ratings at all and 1-4
specify the number of levels by which a user can change the rating.

Full name Application.SR.Engagement.ResidualRiskAllowableChange

Name Define the amount of change allowed for engagement residual risk ratings

Default value 4

Residual risk ratings for engagement risk assessment projects are numbers between 1 and 5. The original residual
risk rating for an engagement project is based on the highest residual risk rating of the issues associated with the
engagement. Residual risk ratings for issues are, in turn, based on issue severity and probability.

Since there are only 5 possible residual risk ratings, the default value of 4 means that users can change residual risk
ratings by any number of levels. Setting this parameter to 0 means that users cannot edit residual risk ratings at all.

Setting this parameter to a number between 1 and 4 allows users with the appropriate permissions to change the
residual risk rating of an engagement project from its original rating by that number of levels up or down.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

Note

This parameter is not relevant in sites configured to calculate residual risk by risk domain. In these sites,
residual risk values are automatically updated based on the issues or effectiveness levels for controls.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Disable participant view for supplier management questionnaires

Disables or enables the View as Participant option for supplier management questionnaires in project advanced
view. This option allows internal users to update questionnaires as if they were the recipient.

ID Application.SM.HideSMProjectViewAsParticipantAfterEventPublish

Name Disable participant view for supplier management questionnaires

Default value No

By default, internal users who can access the advanced view of a supplier management project can open a
questionnaire in the project on the Documents tab and use the View as Participant option to edit it as if
they were the recipient. To disable this option and prevent internal users with advanced view access from
editing questionnaires, set this parameter to Yes. This parameter's settings don't affect the ability of customer
administrators to act as supplier or internal users to edit questionnaire responses if necessary.

In SAP Ariba Supplier Risk, this setting is only applicable to modular questionnaires.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Enable action queue


Enables the action queue showing a list of actions available.

ID Application.SR.Engagement.EnableActionQueue

Name Enable action queue

Default value No

Setting this parameter to Yes does the following:

• Adds the Actions tile on the Supplier Risk dashboard
• Populates the Actions tile and the Action queue page with actions for template upgrade, and periodic review, if
  they're configured on your site

The Actions tile on the Supplier Risk dashboard shows the number of open approvals, To Do tasks, and other
actions for control-based risk assessment projects the user is able to act on. The Actions tile takes the user to a
new Action queue page where they can see a list of the open approvals, To Do tasks, and other actions they’re
assigned to either as an individual or as a member of a project group. Users click the linked name to complete the
action rather than going to individual engagement projects or looking for email notifications.

If any actions need immediate attention, determined by due dates or expiration dates, the number of these actions
appears at the bottom of the Actions tile in an orange color. They also show on the Action queue page with the
status Due soon in an orange color, or Overdue in a red color.

Disable the Create actions for engagement To Do and approval tasks
(Application.SR.Engagement.CreateActionsForToDoAndApprovalTasks) parameter if you don't want
the pending To Do and approval tasks for engagement projects and their associated issues and assessment
questionnaires to be included in the Actions tile and the Actions queue page.

Disable the Create actions for control reviews and assessments
(Application.SR.Engagement.CreateActionsForControlsAndAssessments) parameter if you don't want
the related engagement project control review and assessment actions to be included in the Actions tile and the
Actions queue page.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Create actions for control reviews and assessments [page 356]
Create actions for engagement To Do and approval tasks [page 357]
Parameter Management in Intelligent Configuration Manager

Enable advanced archiving workflow for engagement projects

Enables the advanced workflow for archiving control-based engagement risk assessment projects. The simple
workflow archives the project in one step. In the advanced workflow, an archive request starts tasks in an archiving
phase, and the project is archived after those tasks are completed.

ID Application.SR.Engagement.EnableAdvancedArchiveWorkflow

Name Enable change project owner action on the engagement page

Default value No

In sites where the engagement risk assessment project archiving feature is enabled, the default behavior is a simple
archiving workflow where users with the appropriate permissions archive engagement projects in a single step.
Setting this parameter to Yes enables the advanced archiving workflow, where an archive request starts a workflow
defined by tasks in an archiving phase in the engagement risk assessment project template. The engagement
project can only be archived after those tasks are complete.

To fully enable the advanced archiving workflow in your site, in addition to enabling this parameter, a member
of the Template Creator group must also set up the archiving phase in the engagement risk assessment project
template. The advanced archiving workflow does not function correctly without the required project template
configuration.

There is currently no way to upgrade existing engagement risk assessment projects to the latest published version
of the template. The simple archiving workflow allows you to archive any completed engagement risk assessment
project, but the advanced workflow only works in projects that were created from a version of the template that
includes the archiving phase.

Tip

If you want to implement the advanced archiving workflow, and your site includes completed engagement risk
assessment projects that require archiving but were created from a previous version of the template that did
not include the archiving phase, you can use the simple workflow to archive those projects before enabling the
advanced workflow.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Enable advanced engagement editing and canceling


Enables the ability to edit or cancel control-based engagement risk assessment projects at any point before the
project is completed, rather than only up until the point where assessments are sent.

ID Application.SR.Engagement.AllowAdvancedEditCancel

Name Enable advanced engagement editing and canceling

Default value No

By default, users with the appropriate permissions can edit or cancel control-based engagement risk assessment
projects only up to the point where assessments are sent. Setting this parameter to Yes enables the advanced
editing and canceling feature, which allows users to edit or cancel control-based engagement risk assessment
projects in any phase up to the point of final approval and provides a resubmission workflow to handle edits that are
flagged as requiring reapproval or that introduce significant changes.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Enable advanced send assessment workflow for engagement projects

Enables the advanced workflow for sending assessments in control-based engagement risk assessment projects.
The simple workflow sends all assessments in one step. The advanced workflow includes the ability to send
different assessments in separate rounds.

ID Application.SR.Engagement.EnableAdvancedSendAssessment

Name Enable advanced send assessment workflow for engagement projects

Default value No

By default, control-based engagement risk assessments use the simple workflow for sending assessments,
where completing the send assessments To Do task sends all required assessments to default recipients in a
single action. Setting this parameter to Yes enables the advanced workflow, which allows the owner of the send
assessments To Do task to send selected assessments in separate rounds.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Enable API updates for external modular questionnaires with any status

Enables API updates to external modular questionnaires with any status, including questionnaires that are
currently editable by the supplier. By default, API client applications can only update external modular
questionnaires with specific statuses.

ID Application.SM.MQ.AllowUpdateResponseOnAllStatusFromAPI

Name Enable API updates for external modular questionnaires with any status

Default value No

The default setting for this parameter, No, means that client applications can't use the /answers endpoint of
the Supplier Data API with Pagination to update external modular questionnaires with Not Responded, Pending
Submission, or Pending Resubmission status. Questionnaires with these statuses are editable in the supplier view
on SAP Business Network. Setting this parameter to Yes removes this restriction and allows client applications to
use the /answers endpoint to update external modular questionnaires with any status.

For example, when this parameter is enabled, a client application can prepopulate a modular questionnaire with
data from an external system such as an ERP system immediately after a modular questionnaire manager or
process initiator has invited the supplier to fill it out, while it's still in Not Responded status. The invited supplier
contact sees the prepopulated answers and can verify them and update them as needed when submitting the
questionnaire for the first time.

The Supplier Data API with Pagination /answers endpoint always allows updates to internal modular
questionnaires with any status regardless of the setting of this parameter.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Use of the Supplier Data API with Pagination answers Endpoint
Parameter Management in Intelligent Configuration Manager

Enable assignee team management on issue projects

Specifies whether the button for managing the assignee team shows in the upper right corner of the issue page.
Assignees can be added or removed from the assignee project group in issue management projects by users with
the appropriate permissions.

ID Application.SR.IssueManagement.ManageIssueAssigneeTeam

Name Enable assignee team management on issue projects

Default value Yes

By default, the button for managing the assignee team shows in the upper right corner of the issue page in
control-based engagement risk assessment projects.

Setting this parameter to No removes the button for managing the assignee team from the upper right corner of the
issue page.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Enable asynchronous processing for template upgrade
Enables asynchronous processing for the template upgrade feature for engagements.

ID Application.SR.Engagement.EnableAsyncTemplateUpgrade

Name Enable asynchronous processing for template upgrade

Default value Yes

Asynchronous processing can improve the performance of the template upgrade process, especially if your
supplier risk engagement template is complex and has hundreds of questions, surveys, tasks, and conditions.

With asynchronous processing, you can continue working on something else while the upgrade processes, rather
than waiting for the upgrade to finish.

It is strongly recommended that you leave this parameter set to its default value of Yes.

If this parameter is set to No, template upgrade for an engagement processes synchronously, so you need to wait
for the template upgrade to finish.

To use template upgrade for engagements, the following parameters must also be enabled:

• Enable template upgrade (Application.SR.Engagement.EnableTemplateUpgrade)
• Enable advanced engagement editing and canceling
(Application.SR.Engagement.AllowAdvancedEditCancel)
• Allow change requests (Application.SR.Engagement.AllowChangeRequest)

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Enable template upgrade [page 380]
Parameter Management in Intelligent Configuration Manager

Enable asynchronous processing of business details and the inherent risk screening questionnaire

Enables business details and screening questions to be processed asynchronously, when the parameter Manage
user interactions during update processing (Application.SR.Engagement.UpdateProcessingBehavior)
is also enabled.

ID Application.SR.Engagement.EnableStabilityAsyncDocProcessing

Name Enable asynchronous processing of business details and the inherent risk screening questionnaire

Default value Yes

Parameter value Description

Yes In the engagement editing wizard, the engagement business details and inherent risk screening
questionnaire are processed asynchronously.

No The business details and inherent risk screening questionnaire are processed synchronously.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Manage user interactions during update processing [page 389]
Parameter Management in Intelligent Configuration Manager

Enable background processing for periodic review


Allows periodic review dates to be calculated for live engagements. Important: Enable this parameter only after
completing the configuration for periodic reviews in Supplier Risk settings as described in the help topics for this
feature. Once enabled, disabling this parameter is not recommended.

ID Application.SR.Engagement.EnablePeriodicReviewBackgroundProcessing

Name Enable background processing for periodic review

Default value No

This parameter determines whether periodic review dates are generated for engagements as engagement requests
are completed. Set this parameter to Yes only after completing the configuration options available within the
settings area under Configure periodic reviews > Engagements.

Setting this parameter is part of a specific sequence of configuration steps for periodic reviews, outlined in the
topic Adding Periodic and Ad Hoc Review to the Engagement Workflow.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

Related Information

Intelligent Configuration Manager Administration


Adding Periodic and Ad Hoc Review to the Engagement Workflow
Parameter Management in Intelligent Configuration Manager

Enable certificate sections in supplier management questionnaires

This parameter enables you to configure certificate sections in supplier management questionnaires.

ID Application.SM.CustomizableCertificateSectionSupport

Name Enable certificate sections in supplier management questionnaires

Default value False

The default value of False means that a certificate section can't be added in the internal and external modular
supplier management questionnaire template. Setting this parameter to True provides the option to add a certificate
section in the modular supplier management questionnaire template.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Enable change project owner action on the engagement page
Enables users with the appropriate permissions to change the project owner of a control-based engagement risk
assessment project from the engagement page.

ID Application.SR.Engagement.ChangeOwnerAction

Name Enable change project owner action on the engagement page

Default value Yes

By default, the requester who creates a control-based engagement risk assessment project is the explicit project
owner and can’t be removed from its Project Owner project group. You can change the project owner by doing one
of the following:

• Go to Action > Manage team in the engagement project. To change the project owner of a control-based
engagement risk assessment project in the engagement project, you must have permission to view the
engagement project page.
• Use a question of type User mapped to project.Owner in either the business details or inherent risk
screening questionnaire in the engagement request. A member of the Template Creator group must
set up this question in the project template, and the option is only available when the engagement request is editable.

Only enterprise users are searchable and can be selected. Third-party users aren’t supported.

If a user other than the person who creates the project (the requester) is intended to be the project owner, this
change doesn’t take effect until the engagement project is submitted at least once.

Setting this parameter to No removes the Manage team action from the Action menu on the engagement project
page. Users with the appropriate permissions can no longer use it to change the project owner in any phase of the
project.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Enable control review workflow


Enables workflow tools for managing risk control review outside the context of an
engagement project. This feature also requires enabling the parameters Enable action queue
(Application.SR.Engagement.EnableActionQueue) and Create actions for control reviews and
assessments (Application.SR.Engagement.CreateActionsForControlsAndAssessments).

ID Application.SR.Engagement.EnableControlReviewWorkflow

Name Enable control review workflow

Default value No

This parameter determines whether the Control review tab is available within the Configure periodic reviews
option when an administrative user clicks the settings icon. Related tasks include:

• Enabling the Action Queue using the parameter Enable action queue
(Application.SR.Engagement.EnableActionQueue). For decision makers, this makes available:
  • The Actions tile on the dashboard, where they can see the control-related actions for which they or a
  decision maker group to which they belong are responsible.
  • A control details page, accessible from an engagement, the Action queue, or the controls list page. Here
  a decision maker can reopen a control review, change its expiration date, resend assessments, and enter
  effectiveness decisions.
• Configuring control review workflow setup as described in the topic Setting Up Control Review Workflow.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Enable document types for engagement requests originating from non-catalog purchases

Allows users to define business details and inherent risk screening questionnaires tailored to generating
engagement requests for non-catalog purchases.

ID Application.SR.Engagement.EngagementRequestFromNonCatalogPurchase

Name Enable document types for engagement requests originating from non-catalog purchases

Default value No

Note

Enabling this parameter adds new options to the dropdown for Engagement request document type.
That dropdown is only visible if the self-service parameter Enable engagement request document types
(Application.SR.Engagement.EnableEngagementRequestDocumentTypes) is already enabled in your
site.

Parameter Value Description

Yes Enables the options for Non-catalog purchase business details questionnaire and Non-catalog purchase
inherent risk screening questionnaire within the dropdown for Engagement request document type, on the
Rules tab for documents in the supplier risk engagement template.

No The dropdown for Engagement request document type does not show these options.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Enable editability access control for the issue form

Enables editability access control for the issue form in issue management projects. Template creators can use
editability access control to restrict who has permission to edit specific sections of the issue form based on role.

ID Application.SR.IssueManagement.UseTeamAccessForReadOnly

Name Enable editability access control for the issue form

Default value No

Setting this parameter to Yes enables role-based editability access control for the issue form in issue management
projects. This access control allows you to restrict who can edit specific sections of the issue form based on either
project role or membership in specific global user groups that define project permissions.

If you have also enabled Add issue assignees to the assignee project group only [page 344], so that issue assignees
are not added to the Project Owner project group, you can use access control to ensure that issue creators
(members of the Project Owner group) and issue assignees can only edit appropriate sections of the issue form.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Enable editing of in-progress change requests

Enables the ability to edit engagement change requests that have been submitted but not yet processed to
completion.

ID Application.SR.Engagement.AllowChangeRequestEdit

Name Enable editing of in-progress change requests

Default value No

This parameter is relevant in sites using control-based engagement risk assessment projects in which the
parameter Allow change requests (Application.SR.Engagement.AllowChangeRequest) is also enabled.
Its value determines whether, on the engagement summary page for an engagement with a change request in
progress, authorized users can choose Action > Edit change request to edit the change request. When the
edit to the change request is submitted, the resulting changes are evaluated for significance and the required tasks,
assessments, and controls are adjusted accordingly.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Enable engagement request document types
Allows users to specify document types for questionnaires on the engagement template. The default types
define questionnaires for creating engagement requests manually. Use additional types for generating engagement
requests from other documents.

ID Application.SR.Engagement.EnableEngagementRequestDocumentTypes

Name Enable engagement request document types

Default value No

Parameter Value Description

Yes Enables the dropdown for Engagement request document type, on the Rules tab for documents in the
supplier risk engagement template.

• By default, the available choices are Default business details questionnaire and Default inherent risk
screening questionnaire.
• Enable the parameter Enable document types for engagement requests originating from non-catalog
purchases (Application.SR.Engagement.EngagementRequestFromNonCatalogPurchase) as well, to add
the choices for Non-catalog purchase business details questionnaire and Non-catalog purchase inherent risk
screening questionnaire.

No The dropdown for Engagement request document type is not visible in the supplier risk engagement template.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Enable engagement review workflow

Enables administration and workflow for managing periodic and ad hoc reviews of live engagements.

ID Application.SR.Engagement.EnableEngagementReviewWorkflow

Name Enable engagement review workflow

Default value No

This parameter determines whether the Engagements tab is available within the Configure periodic reviews
option when an administrative user clicks the settings icon. This is the first step toward setup of the periodic
review feature. The ability to start a periodic review also requires that periodic review setup and workflow have been
defined as described in the topic Adding Periodic and Ad Hoc Review to the Engagement Workflow.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Adding Periodic and Ad Hoc Review to the Engagement Workflow
Parameter Management in Intelligent Configuration Manager

Enable enhanced filtering and pagination for standalone modular questionnaires

Enables enhanced filtering and pagination in the workflow for sending standalone modular questionnaires.

ID Application.SM.MQ.EnableStandaloneMQEnhancement

Name Enable enhanced filtering and pagination for standalone modular questionnaires

Default value No

This parameter is one of two required settings to enable enhanced filtering and pagination in the workflow
for sending standalone modular questionnaires, and is set in Intelligent Configuration Manager. The other
required setting is the Application.SM.MQ.EnableStandaloneMQEnhancement parameter in SM Administration
> Configuration Parameters. Always enable or disable both parameters together.

Setting this parameter to Yes allows for content in the standalone external modular questionnaire list to:

• load much faster.

• be filtered based on Questionnaire Type, Category, Department, and Region.
• include additional search filters such as Questionnaire Status of suppliers, and Expiry Date of questionnaires.
• select 500 suppliers instead of 100 suppliers.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Enable enhanced status information for assessments and risk controls

Changes several pages that display risk control information to show both status and review decision for each
control. Enables technical changes to ensure consistent assessment status across the user interface, and to derive
control status each time it’s needed for the user interface or the Risk Control Summary report.

ID Application.SR.Engagement.EnhancedAssessmentControlStatus

Name Enable enhanced status information for assessments and risk controls

Default value Yes

Enable this parameter to take advantage of:

• Improved methods of determining and displaying assessment and control status in the user interface and in
the Risk Control Summary report
• Greater clarity about the state of each risk control: the engagement page and the control details or control
review page show both status and review decision for each control.

Parameter Value Description

Yes Enables a technical change to ensure consistent assessment status across the user interface, and to derive
control status each time it is needed for the pages described below or for the Risk Control Summary report.

On the engagement page and the supplier 360° profile, the Risk controls table Status column shows the status
of the control. The Review decision column shows:

• The review decision, if there is one, for an engagement- or vendor-level control.
• Pending or Completed for a service control, depending on whether all services for the control have review
decisions.

The Control review page, used only in sites where the Enable control review workflow
(Application.SR.Engagement.EnableControlReviewWorkflow) parameter is set to No, shows both Status
and Review decision for the control.

• For a vendor- or engagement-level control, this page shows both the Control status and, if there is one, the
Review decision for the control.
• For a service-level control:
  • The Control status field shows the control-level status.
  • In the list of services, the Review decision field shows the review decision for each service that has one.

No A synchronization issue can at times cause inconsistency between the assessment and control statuses shown
on different pages of the user interface.

On the engagement page and the supplier 360° profile, the Risk controls table Status column shows:

• For a vendor- or engagement-level control: the review decision, if there is one, and otherwise its status.
• For a service-level control: the control-level status.

On the Control review page:

• For a vendor- or engagement-level control: the Control status field shows the review decision, if there is one.
Otherwise, this field is not present.
• For a service-level control:
  • The Control status field shows the control-level status.
  • In the list of services, the Status field shows the review decision if there is one.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration

Enable internal forms in modular questionnaires


Enables or disables support for additional internal forms with To Do and approval tasks in modular
questionnaire projects. Important: enabling or disabling this parameter requires a corresponding change
to the Application.SM.MQEnableInternalFormsinModularQuestionnaires parameter in SM Administration >
Configuration Parameters.

ID Application.SM.MQ.EnableInternalFormsinModularQuestionnaires

Name Enable internal forms in modular questionnaires

Default value No

This parameter is one of two required settings that enable or disable support for internal forms with associated
To Do and approval tasks in modular questionnaire projects (SM-30222). You set it in Intelligent Configuration
Manager. The other required setting is the Application.SM.MQEnableInternalFormsinModularQuestionnaires
parameter in SM Administration > Configuration Parameters. Always enable or disable both parameters
together.

Internal forms are a way of collecting information in modular questionnaire projects that is additional to or
supplements the information provided by the questionnaire project recipient in the key or main questionnaire.
You can use these internal forms and associated To Do and approval tasks to provide supplementary information or
analysis, or affirm actions performed in other systems.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Reference of Configuration Parameters in SM Administration [page 406]
Parameter Management in Intelligent Configuration Manager

Enable manage project team action on the engagement page

Enables users with the appropriate permissions to manage membership of the Project Owner group in control-
based engagement risk assessment projects on the engagement page.

ID Application.SR.Engagement.ManageProjectTeamAction

Name Enable manage project team action on the engagement page

Default value Yes

Setting this parameter to No removes the Manage team action from the Action menu on the engagement project
page. Users with the appropriate permissions can no longer use it to manage the membership of the Project
Owner project group.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Enable modular questionnaire template creation in sites with a basic supplier management entitlement

Enables creation of modular questionnaire project templates in sites that have the basic supplier management
entitlement and a solution package where modular questionnaires are a supported feature.

ID Application.SM.MQ.EnableMQCreationWithSMBasicConfig

Name Enable modular questionnaire template creation in sites with a basic supplier management
entitlement

Default value No

This feature enables the SM Modular Questionnaire project type in the Templates area in sites that have a basic
supplier management entitlement for core supplier management features. You must be a member of both the
Template Creator and SM Modular Questionnaire Manager group to create modular questionnaire templates.

Enabling this parameter isn't necessary if your site includes either SAP Ariba Supplier Lifecycle and Performance
or SAP Ariba Supplier Information and Performance Management (new architecture). Sites that include either
of these solutions automatically include modular questionnaire project templates and other core supplier
management features. However, if your site includes SAP Ariba Supplier Risk without one of these solutions, you
must enable this parameter to create project templates for engagement risk assessments.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager
Features and Functions for Managing Suppliers and Supplier Lifecycles

Enable task enhancements in engagement projects

Enables enhancements to certain tasks in control-based engagement risk assessment projects, including the
ability to resubmit some approval tasks; the ability to request more information when approving supplemental
engagement questionnaires; and the ability to save supplemental engagement questionnaires without submitting
them.

ID Application.SR.Engagement.TaskEnhancementsForERProjects

Name Enable task enhancements in engagement projects

Default value Yes

The default setting, Yes, adds the following functionality to tasks in control-based engagement risk assessment
projects:

• Saving supplemental engagement questionnaires that are in progress. When this parameter is set to No,
the owners of To Do tasks for editing supplemental engagement questionnaires must either submit the
questionnaires and complete the To Do tasks or cancel and lose their answers.
• Requesting additional information on supplemental engagement questionnaires. When this parameter is set to
No, approvers can only approve or deny supplemental engagement questionnaires.
• Resubmitting some approvals to change approval decisions. When this parameter is set to No and approvers
complete applicable approval tasks, those approval decisions are final.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Enable template upgrade

Enables the template upgrade feature for engagements, allowing users to apply template process updates to
existing engagement projects.

ID Application.SR.Engagement.EnableTemplateUpgrade

Name Enable template upgrade

Default value No

Setting this parameter to Yes adds support for upgrading existing control-based engagement risk assessment
projects to the latest version of the supplier risk engagement template so they can include your organization's most
recent risk processes.

Administrators make engagement projects available for upgrade and project owners complete the upgrades for
individual projects by an optional, configurable due date. Depending on the changes an upgrade introduces to a
project, it can result in opening the project in edit or initiating a change request.

If you enable this parameter, the following must also be enabled:

• Enable advanced engagement editing and canceling
(Application.SR.Engagement.AllowAdvancedEditCancel)
• Allow change requests (Application.SR.Engagement.AllowChangeRequest)

Note

The current published version of the template should have a Change Request Owners project group, a
change request initial approval phase, and a change request final approval phase.

If you enable this parameter, it’s recommended that you also enable:

• Enable asynchronous processing for template upgrade (Application.SR.Engagement.EnableAsyncTemplateUpgrade)
• Enable editing of in-progress change requests (Application.SR.Engagement.AllowChangeRequestEdit)
• Enable action queue (Application.SR.Engagement.EnableActionQueue)

When you set this parameter to Yes the following user interface changes are added:

• An Upgrade option in the Action menu on the engagement page.
• A Template upgrade activity type on the Engagement history page.
• An Activity: Template upgrade summary section in the engagement history details after clicking the Activity
date on the Engagement history page.

When you set this parameter to Yes the following administrator interface changes are added:

• Preparation for template upgrade and Manage upgrades options on the Supplier risk administration page.
• A Preparation for template upgrade page after clicking Preparation for template upgrade.
• A Template upgrade page after clicking Manage upgrades.
• The Template upgrade page has 2 tabs, Select engagements and View status.
• An Additional settings for template upgrade popup after clicking the Continue button on the Select
engagements tab of the Template upgrade page.

 Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Enable advanced engagement editing and canceling [page 363]

Allow change requests [page 345]
Enable asynchronous processing for template upgrade [page 366]
Enable editing of in-progress change requests [page 372]
Enable action queue [page 361]
Parameter Management in Intelligent Configuration Manager

Enable the enhanced engagement list


Enables the enhanced Engagement requests page, which includes new filter and sort options to improve the user
experience when viewing and managing large numbers of control-based engagement risk assessment projects.

ID Application.SR.Engagement.EnhancedEngagementListPage

Name Enable the enhanced engagement list

Default value No

Setting this parameter to Yes adds new filter and sort options on the New requests, In Progress, and Completed
tabs of the Engagement requests page.

If you enable this parameter, it’s recommended that you also enable the feature ARI-6919: Enhancements to
engagement task management. Contact SAP Ariba Support to enable it.

When you set this parameter to Yes the user interface changes in the New requests, In progress, and Completed
tabs on the Engagement requests page:

• Filter and Sort links, with the number of applied filters in parentheses, are added at the top of the
engagement list pages.
• The filter and sort ability is removed from the column headers on the engagement list pages.
• The Filter link opens a Filters for engagement requests popup. The popup includes the filter options for
the information in the columns on the engagement list page. Some filter options have autofill so you can enter
single letters or partial words and choose from the results.

 Tip

To remove the autofill history, clear your browser’s cache.

• The Sort link opens a Sort popup with sort options for the information in the columns on the engagement list
page.

 Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Expanded levels of risk control effectiveness

Determines options for control review decisions. If disabled, decision makers choose between Effective
and Ineffective. If enabled, an expanded list of options is available. Once enabled, disabling this feature
is not recommended. This feature also requires enabling the parameter Enable control review workflow
(Application.SR.Engagement.EnableControlReviewWorkflow).

ID Application.SR.Engagement.ExpandedLevelsOfRiskControlEffectiveness

Name Expanded levels of risk control effectiveness

Default value No

When this parameter is set to Yes:

• A decision maker for a control has five choices when setting the effectiveness level for a control or service:
  • Completely effective
  • Substantially effective
  • Partially effective
  • Substantially ineffective
  • Completely ineffective

• The Control effectiveness options page is available in the Supplier Risk settings. Here you can start a
one-time process to migrate existing control review decisions from the two-level to the five-level system.

 Tip

If your site has both this parameter and the parameter Require issues for ineffective risk control decisions
(Application.SR.Engagement.RequireIssueForIneffectiveControlDecision) set to Yes, the issue
requirement applies to controls being marked Completely ineffective.

When this parameter is set to No, decision makers have two effectiveness decision choices for a control or service:

• Effective
• Ineffective

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

 Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Hide names of empty questionnaire sections


Specifies whether the names of sections that do not contain any content show in the questionnaires defined in the
engagement risk assessment project template, including engagement request questionnaires.

ID Application.SR.Engagement.HideEmptySectionHeader

Name Hide names of empty questionnaire sections

Default value No

Setting this parameter to Yes hides the names of any sections in questionnaires defined by survey documents
in the control-based engagement risk assessment project template that do not contain content. In some cases,
visibility conditions or engagement attribute mappings hide all of the content in a section, which leaves the
questionnaire with empty sections. If your control-based engagement risk assessment project setup results in this
situation, you can use this parameter to hide the section names as well.

 Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Import risk assessment data for engagement requests

Adds the ability to map a data source to a modular questionnaire used as an assessment for engagement requests.
Responses to the risk assessment questionnaire are imported from the data source.

ID Application.SR.Engagement.RiskAssessmentDataImport

Name Import risk assessment data for engagement requests

Default value No

Parameter Value Description

Yes Enables the settings needed to set up the import, in the modular questionnaire template. Once setup is
complete, the send assessments task does not send the assessments configured to import responses to the
supplier; instead, responses for those assessments are imported.

No Assessment responses are not imported.

 Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager
Ability to select SAP business network as the data source for assessment responses [page 343]
Setting Up a Modular Questionnaire to Import Supplier Responses from the Human Rights Assessment on SAP
Business Network

Import risk assessment responses from external systems
Adds the ability to map an external data source from which to import responses to modular questionnaires used as
assessments for engagement requests. This feature also requires enabling the parameter Import risk assessment
data for engagement requests (Application.SR.Engagement.RiskAssessmentDataImport).

ID Application.SR.Engagement.ExternalRiskAssessmentDataImport

Name Import risk assessment responses from external systems

Default value No

Parameter Value Description

Yes Enables the settings needed to set up the import, in the modular questionnaire template. Once setup is
complete, the send assessments task does not send the assessments configured to import responses to the
supplier; instead, responses for those assessments are imported.

No Assessment responses are not imported.

 Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager
Setting Up a Modular Questionnaire to Import Supplier Responses from an External System

Include engagement context in assessment notifications


Enables display of engagement context in notifications to internal or external users concerning assessments. This
feature requires adding the engagement context token to your customized notification content.

ID Application.SR.Engagement.DisplayEngagementContextInAssessmentEmail

Name Include engagement context in assessment notifications

Default value No

When this parameter is set to Yes, the [ENGAGEMENT_CONTEXT] token is available when customizing specific
email templates concerning modular questionnaires serving as internal or external risk assessments.

After you customize a questionnaire email with the [ENGAGEMENT_CONTEXT] token, the resulting email
notification replaces the token with a table listing active engagements for which that questionnaire is required.
If the modular questionnaire is used in the context of a qualification project, for example, the token does not insert
content into the email. The table does not list draft, canceled, or archived engagements.

 Example

When the supplier or internal recipient receives the notification, the [ENGAGEMENT_CONTEXT] token is
replaced with an introductory sentence and a table of engagement information like:

Table 6: This questionnaire is part of the following engagements:

| ID | Engagement name | Commodity | Region | Department | Project owner |
|---|---|---|---|---|---|
| WS12345678 | ABC - software 2021 USA | Data base reporting software | USA | All | Alice Bailey |
| WS23456789 | ABC - software 2021 Brazil | Data base reporting software | Brazil | All | Bertram Collis |

One risk control may be required for multiple engagements for the same supplier. If the control is relevant to
multiple engagements for this supplier, the table lists multiple rows of engagement information.

• For internal recipients, the Engagement name is a link.
• For supplier recipients, the Project owner column is not included.

 Tip

Best practices:

• Include the token but no additional introductory text in your customized email. The email notifications for
which the [ENGAGEMENT_CONTEXT] token is available may be issued in situations that are or are not relevant to
an engagement. For example, in some instances a modular questionnaire might relate to a qualification
project. In this case, engagement information is not shown in the notification email, so any additional
introductory text in your template would appear by itself, without the [ENGAGEMENT_CONTEXT] material.
• [ENGAGEMENT_CONTEXT] is supported in the email body. It is not supported for the subject line, as a table
cannot be inserted there.

 Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Manage user interactions during send assessments processing

Enables changes in managing the engagement while processing the Send Assessments task. The user interface
provides feedback in the case of an error, with the ability for an authorized user to retry the action.

ID Application.SR.Engagement.SendAssessmentsProcessingBehavior

Name Manage user interactions during send assessments processing

Default value Yes

Parameter value Description

Yes When you start sending assessments, the engagement page shows a badge with the notation Processing Send
Assessments task. When the processing is complete, a banner message displays at the top of the page.

If there is an error during this processing, error information is saved in the database and a failure message
displays. You can review error information by running the Engagement processing error report [page 274].

No This visual feedback is not provided.

 Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Manage user interactions during update processing [page 389]
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]

Manage user interactions during update processing
Enables changes to clarify for users the current state of an engagement while the system is processing updates
related to task management or submission of a new or edited request.

ID Application.SR.Engagement.UpdateProcessingBehavior

Name Manage user interactions during update processing

Default value Yes

Parameter value Description

Yes When you submit a new or edited engagement, the engagement page shows a badge with the notation Processing
Changes. When the processing is complete, a banner message displays at the top of the page.

If there is an error during this processing, error information is saved in the database and a failure message
displays. You can review error information by running the Engagement processing error report [page 274].

No This visual feedback is not provided.

 Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Enable asynchronous processing of business details and the inherent risk screening questionnaire [page 367]
About Working with an Engagement While Updates Are in Process [page 169]
Managing an Engagement After an Update Processing Error [page 172]
How to Run the Engagement processing error report [page 274]
Parameter Management in Intelligent Configuration Manager

Process engagement request questionnaires in the background

Specifies whether or not the business details and inherent risk screening questionnaires in control-based
engagement risk assessment projects use a background process for submission. While the background process is
in progress, the requester can continue with the next step of the request but cannot proceed further.

ID Application.SR.Engagement.Async.SubmitQuestionnaire

Name Process engagement request questionnaires in the background

Default value No

By default, when a requester submits either the business details or inherent risk screening questionnaire in the
engagement request by clicking Next, the questionnaire is processed immediately and the requester cannot
navigate to the next step of the request until the processing is complete. Setting this parameter to Yes can mitigate
performance problems with submission of those questionnaires. When it is enabled, once the requester submits
the current questionnaire by clicking Next, the next step of the engagement request opens immediately while the
current questionnaire submission processes in the background. The navigation buttons on that next step do not
show until the questionnaire submission is complete.

 Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Process supplemental engagement questionnaires in the background

Specifies whether or not supplemental engagement questionnaires in control-based engagement risk assessment
projects use a background process for submission. The next task in the workflow does not start until submission is
complete.

ID Application.SR.Engagement.Async.SubmitSecondaryDoc

Name Process supplemental engagement questionnaires in the background

Default value No

By default, when the owner of the To Do task that enables editing a supplemental engagement questionnaire
submits the questionnaire, the questionnaire is processed immediately and the engagement page does not reopen
until processing is complete. Setting this parameter to Yes can mitigate performance problems with submission of
these questionnaires. When it is enabled, once the owner of the To Do task has submitted the questionnaire, the
engagement page opens immediately while the questionnaire submission processes in the background. The To Do
task is not actionable while the submission is processing, but it does not show on the Completed tasks tab, and
any approval task for which it is a predecessor does not start, until the submission is complete.

 Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Remove country/region risk as a risk exposure contributing factor

Removes country/region risk as a contributing factor to the risk exposure for your suppliers.

ID Application.SR.Risk.RemoveCountryRegionRisk

Name Remove country/region risk as a risk exposure contributing factor

Default value No

Setting this parameter to Yes removes country/region risk from the risk exposure. The country/region risk data
from default provider World Economic Forum (WEF) isn't used as a contributing factor in the supplier's risk
exposure. The links to the annual Global Risks Report from WEF are still available in the supplier 360° profile.

If you set this parameter to Yes, you can't revert it back to No.

 Note

The country/region risk information currently used as a contributing factor to risk exposure is no longer being
produced by the provider. The World Economic Forum (WEF) has paused the Global Competitiveness Index
that is used by SAP Ariba Supplier Risk to calculate the country/region risk exposure. Refer to the various WEF
reports in the supplier 360° Enriched corporate info tab for the change policy beginning in 2020 due to the
pandemic.

You can choose to enable this feature and use custom fields to bring country/region risk data from a provider of
your choice to contribute to the risk exposure.

If you enable this parameter, you must create a new draft version in the configuration editor, and activate it, to
remove the existing country/region risk settings and update the risk exposure for your active suppliers.

When you set this parameter to Yes, you enable the following user interface changes:

• The interactive map on the dashboard has the following changes:
  • Unknown is added to the list of dropdown choices for filtering by risk level. Insignificant and Not available
  are removed.
  • The number of your active suppliers in each country/region is shown instead of the country/region risk
  levels.
  • The Country/Region score (WEF) column in the list of suppliers under the map is removed.
  • The Country/Region score (WEF) column is removed from the Microsoft Excel file you can export using the
  Export icon above the map.

• The supplier 360° profile has the following changes:
  • Labor compliance is removed from the Environmental & social area on the Risk exposure tab.
  • Country/Region profile information is removed from the export on the Risk exposure tab. The links to the
  reports provided annually by the World Economic Forum (WEF) are still there.
  • Labor compliance is removed from the Environmental & social contributing factors section in the
  supplier's risk profile PDF you can export using the Export risk profile link.
  • Country/Region profile information on the Enriched corporate info tab is removed. The links to the
  reports provided annually by the World Economic Forum (WEF) are still there.

When you set this parameter to Yes, you enable the following administrator interface changes in Configure risk
exposure on the Supplier risk administration page:

• Country/Region risk is removed from the Data sources tab.
• The country/region risk score is removed as a Field in the Standard fields area of the Field configurations tab.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration

Remove obsolete issues

Removes issues that have become obsolete because changes to an engagement have removed the only controls
with which they are associated. Enabling this parameter removes these obsolete issues from the Issues tile and
stops related email notifications.

ID Application.SR.Engagement.DeleteAbandonedIssuesOfRemovedControl

Name Remove obsolete issues

Default value No

Parameter value Description

Yes Issues that have become obsolete are removed from the controls with which they are associated. This removes
them from the Issues tile and stops related email notifications.

When an engagement-level risk control is removed from an engagement, any issues associated with it are removed.
If the edit, change request, or review is later reverted, or changed in such a way as to add the control back to
the engagement, the issues are reinstated on the control.

When a shared (vendor- or service-level) control is removed from an engagement:

• If the control is still required for at least one other engagement, the control's issues remain associated with it.
• If this was the only engagement for which the control was required, any issues associated with it are removed.
They are reinstated if the control is later added back to the same engagement or a different one.

No Control-related issues show in the Issues tile, and notifications are still sent, after any relevant controls
have been removed.

 Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, see Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Reopen all initial approval phase tasks for insignificant changes requiring approval

Determines which set of tasks in the initial approval phase of an engagement request or change request open in
response to an insignificant change requiring approval. If Yes, all tasks open. If No, only the approval task for the
inherent risk screening questionnaire opens.

ID Application.SR.Engagement.ReopenAllInitialApprovalPhaseTasksForInsignificantChangesRequiringApproval

Name Reopen all initial approval phase tasks for insignificant changes requiring approval

Default value Yes

This parameter is relevant in sites using control-based engagement risk assessment projects, where at least one of
the following is enabled:

• Advanced engagement editing and canceling
• Change request processing

Submitting an advanced engagement edit, change request, or change request edit triggers approval results based
on the types of changes made. When there are no Significant changes but at least one change is Insignificant
requiring approval, the initial approval phase for the engagement request or change request is activated. This
parameter governs which tasks open within that phase.

Parameter value Behavior

Yes (default) Open all tasks in the initial approval phase

No Open only the approval task for the inherent risk screening
questionnaire in the initial approval phase

 Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Reopen post project approval phase with engagement review

Determines whether the post project approval phase reopens when a user starts a review for an engagement.

ID Application.SR.Engagement.ReopenPostProjectApprovalPhaseWithEngagementReview

Name Reopen post project approval phase with engagement review

Default value No

This parameter determines whether the Post Project Approval phase reopens when a user starts a periodic review
for an engagement.

• If post project approval is started in response to a periodic review that is later skipped, the post project
approval phase remains open.
• The post project approval phase can be canceled even though the review is in progress.

 Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Require issue completion for final engagement project approval

Specifies whether or not control-based engagement risk assessment projects require completion of all associated
issues before approvers can finally approve the project.

Full name Application.SR.Engagement.RequireIssueCompletionForProjectApproval

Name Require issue completion for final engagement project approval

Default value No

The default value, No, means that approvers for engagement projects with incomplete issues see a warning popup
but are able to complete project approvals. Enabling this parameter blocks approvers from approving or denying
engagement risk assessment projects with at least one associated engagement- or control-level issue in a status
other than Resolved. The block applies to all approval tasks in the Project Approval phase.

 Note

In sites configured to use findings rather than issues (see Allow users to create general and engagement-
related findings [page 349]), this feature requires that all issues and all findings be completed before an
engagement can receive final approval.

 Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Require issues for ineffective risk control decisions

Specifies whether or not control decision makers can mark controls that do not have any issues ineffective in
engagement risk assessment projects.

ID Application.SR.Engagement.RequireIssueForIneffectiveControlDecision

Name Require issues for ineffective risk control decisions

Default value No

Control-level issues can capture the process used to reach ineffective decisions for a control, and are available in
other engagement risk assessment projects that use the control and where control decision makers might need
to reevaluate the control decision. When the optional issue check feature is enabled in a site, it checks for related
issues every time a control decision maker marks a control as ineffective. When this feature is enabled, the settings
for this parameter specify the following behavior when a control decision maker marks a control as ineffective and
it has no related issues:

• The default setting, No, results in a popup that asks the decision maker if they want to create an issue and
provides navigation for doing so, but issue creation is optional. The decision maker can cancel out of the popup
and finish marking the control as ineffective.
• Setting this parameter to Yes results in a popup that informs the decision maker that an issue is required and
provides navigation for creating one. The decision maker cannot mark the control as ineffective until there is at
least one issue associated with the control.

In sites configured for expanded levels of risk control effectiveness, the issue requirement applies to controls or
services being marked Completely ineffective.

Note

In sites configured to use findings rather than issues (see Allow users to create general and engagement-
related findings [page 349]), this feature requires either an issue or a finding in order to mark a control as
ineffective.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Require only attachment and expiration date for supplier certificates

Specifies that Attachment and Expiration Date are the only two required fields for answers to certificate questions
in external supplier management questionnaires. Otherwise, all certificate fields are required.

ID Application.SM.RequireCertificateAttachmentAndExpirationOnly

Name Require only attachment and expiration date for supplier certificates

Default value False

The default value of False means that all the certificate fields are mandatory and the supplier must enter values
in all the fields. The certificate detail fields are required if a supplier answers Yes to a certificate question. The
certificate detail fields are not required if a supplier answers No to a certificate question.

Setting this parameter to True makes only the Expiration Date and Attachment fields mandatory, which means
that the supplier only needs to enter an expiration date and attach a document to proceed.

Note

This parameter applies to external supplier management questionnaires.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Require only basic approval for engagement projects with no controls
Specifies if a control-based engagement risk assessment project with no controls uses the basic approval workflow.
If no controls are required, completing the Request Approval phase completes the engagement. By default,
engagements with no controls require the full engagement risk assessment project workflow through final project
approval.

ID Application.SR.Engagement.RequireOnlyBasicDueDiligenceWhenNoControls

Name Require only basic approval for engagement projects with no controls

Default value No

This parameter adds a mechanism for using business details to automatically identify engagements that don't
require risk controls and therefore only require a basic approval workflow.

When the optional basic approval workflow is enabled in a site, this parameter determines if the engagement
request goes through the basic approval or the full engagement risk assessment project workflow. Basic approval
includes only the step for the Request Approval phase, bypassing the send assessments, evidence collection,
control review, and final project approval steps, to streamline the workflow for these engagements.

The basic approval workflow starts with an engagement request that has no controls. The engagement request is
flagged in the system to use the basic approval workflow, which requires only the Request Approval phase. After
completing the Request Approval phase, the engagement request moves immediately to Completed status.

If you use the basic approval workflow, only Copy and Archive are available in the Action menu on the engagement
page after the engagement reaches Completed status. Any other post-project approval tasks configured in the template
aren't available for basic approval engagements.

For information about risk controls, see Supplier Risk Data Import.

When this feature is enabled, the settings for this parameter specify the following behavior:

• If you use the default setting, No, engagement projects with no risk controls follow the full engagement risk
assessment project workflow but the send assessment task automatically completes. Assessments aren't
required if an engagement has no controls.
• If you set this parameter to Yes, engagement projects with no risk controls follow the basic approval workflow
and move to Completed status after the request approval task for the engagement request is approved.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Restrict editing of residual risk ratings based on engagement issues

Specifies whether editing of engagement residual risk ratings is only allowed when the engagement has at least two
issues with different ratings.

ID Application.SR.Engagement.EnableIssueBasedRestrictionsOnResidualRiskSelection

Name Restrict editing of residual risk ratings based on engagement issues

Default value Yes

Residual risk ratings for engagement risk assessment projects are numbers between 1 and 5. The original residual
risk rating for an engagement project is based on the highest residual risk rating of the issues associated with the
engagement. Residual risk ratings for issues are, in turn, based on issue severity and probability.

If Yes: Users with the appropriate permissions can edit the residual risk rating for an engagement only if the
engagement has at least two associated issues with different residual risk ratings.

If No: Editing the residual risk rating is not restricted in this way. Users with appropriate permissions can edit the
residual risk rating if the engagement has fewer than two issues, for example, or if it has two or more issues with the
same rating.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

Note

This parameter is not relevant in sites configured to calculate residual risk by risk domain. In these sites,
residual risk values are automatically updated based on the issues or effectiveness levels for controls.

Note

In sites configured to use findings rather than issues (see Allow users to create general and engagement-related
findings [page 349]) and where domain-based residual risk is not enabled, this parameter allows editing of
residual risk ratings when there are at least two issues or findings with different ratings.

Related Information

Intelligent Configuration Manager Administration


Define the amount of change allowed for engagement residual risk ratings [page 359]
Parameter Management in Intelligent Configuration Manager

Restrict engagement project visibility by role

Restricts who can view control-based engagement risk assessment projects by global user group membership and
project group membership.

ID Application.SR.Engagement.EngagementVisibilityFilterByRole

Name Restrict engagement project visibility by role

Default value Yes

The default setting of this parameter, Yes, restricts the permission of members of engagement-related global user
groups to view engagement risk assessment projects as follows:

• Users in the Supplier Risk Engagement Requestor global user group can only see those engagement risk
assessment projects for which they are a member of the Project Owner project group.
• Users in the Supplier Risk Engagement Expert global user group can only see those engagement risk
assessment projects in which they are either members of the Project Owner project group or control decision
makers.
• Users in the Supplier Risk Engagement Governance Analyst group can see all engagement risk assessment
projects.

If you set this parameter to No, the permissions instead work as follows:

• Users in the Supplier Risk Engagement Requestor global user group can only see those engagement risk
assessment projects for which they are the requestor or a member of the Project Owner project group.
• Users in the Supplier Risk Engagement Expert or Supplier Risk Engagement Governance Analyst group can
see all engagement risk assessment projects.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.
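
Before changing this parameter, an administrator can compare the two settings against the site's actual group and project membership to see which users would gain visibility. The following Python model is an added example, not SAP Ariba code: it encodes only the rules listed above, the users and projects are constructed sample data, and treating a user who belongs to several groups as receiving the union of their visibility is an assumption.

```python
"""Model of the documented visibility rules for control-based engagement
risk assessment projects. Added illustration; not SAP Ariba code."""
from dataclasses import dataclass

REQUESTOR = "Supplier Risk Engagement Requestor"
EXPERT = "Supplier Risk Engagement Expert"
ANALYST = "Supplier Risk Engagement Governance Analyst"


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # global user groups the user belongs to


@dataclass(frozen=True)
class Project:
    project_id: str
    requestor: str
    project_owners: frozenset           # members of the Project Owner project group
    control_decision_makers: frozenset


def can_view(user, project, restrict_by_role):
    """Return True if the user can see the project.

    restrict_by_role=True models the parameter value Yes (the default),
    False models No. Users in none of the three groups get no visibility
    here; the page does not describe them, so that is an assumption.
    """
    is_owner = user.name in project.project_owners
    if ANALYST in user.groups:
        return True  # governance analysts see all projects under both settings
    if EXPERT in user.groups:
        if not restrict_by_role:
            return True  # No: experts see all projects
        if is_owner or user.name in project.control_decision_makers:
            return True  # Yes: only as project owner or control decision maker
    if REQUESTOR in user.groups:
        if is_owner:
            return True
        if not restrict_by_role and user.name == project.requestor:
            return True  # No: being the requestor is also sufficient
    return False


def visibility_gained(users, projects):
    """(user, project_id) pairs visible with No but hidden with Yes."""
    return sorted(
        (u.name, p.project_id)
        for u in users
        for p in projects
        if can_view(u, p, False) and not can_view(u, p, True)
    )


# Constructed sample data for the review.
USERS = [
    User("alice", frozenset({REQUESTOR})),
    User("bob", frozenset({EXPERT})),
    User("carol", frozenset({ANALYST})),
]
PROJECTS = [
    Project("ENG-1", "alice", frozenset({"erin"}), frozenset({"bob"})),
    Project("ENG-2", "frank", frozenset({"alice"}), frozenset()),
    Project("ENG-3", "frank", frozenset({"frank"}), frozenset()),
]

if __name__ == "__main__":
    for name, project_id in visibility_gained(USERS, PROJECTS):
        print(f"{name} gains visibility of {project_id} when the parameter is set to No")
```
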

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Restrict issue project visibility by role
Restricts who can view issue management projects by global user group membership and project group
membership.

ID Application.SR.IssueManagement.IssueVisibilityFilterByRole

Name Restrict issue project visibility by role

Default value Yes

The default setting of this parameter, Yes, restricts the permission of members of engagement-related global user
groups to view issue management projects as follows:

• Users in the Supplier Risk Engagement Requestor global user group can only see those issues for which they
are a member of the Project Owner project group.
• Users in the Supplier Risk Engagement Expert global user group can only see those issues in which they are
either members of the Project Owner project group or assignees.
• Users in the Supplier Risk Engagement Governance Analyst group can see all issue management projects.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Reuse respondent answers when resending assessments


When resending an assessment, determines whether to include the respondent's previous answers (Yes) or send a
blank questionnaire (No).

ID Application.SR.Engagement.ReuseAnswersWhenResendingAssessments

Name Reuse respondent answers when resending assessments

Default value No

This parameter determines behavior when a decision maker chooses to resend assessments as part of reopening a
control review.

If the value is Yes, the questionnaire includes the supplier's prior answers, which they can edit before resubmitting
the assessment.

If the value is No, the supplier receives a blank questionnaire. In this case, if the questionnaire has undergone
a template upgrade, the post-upgrade version of the questionnaire is sent.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

Related Information

Intelligent Configuration Manager Administration


Parameter Management in Intelligent Configuration Manager

Set batch size for creating assessment questionnaires

Specifies the number of modular questionnaire projects the system creates in each batch when assessments are
sent in engagement risk assessment projects. The system creates new batches of assessment questionnaires at
intervals. You can specify a value between 1 and 100.

ID Application.SR.Engagement.CreateQuestionnaireBatchSize

Name Set batch size for creating assessment questionnaires

Default value 20

Sending assessments in a control-based engagement risk assessment project involves the creation of a new
modular supplier management questionnaire project for every assessment required by the engagement that was
not already completed in another engagement risk assessment project. If your engagement risk assessment
process requires a large number of assessments for each engagement project, there can be some delay between
when assessments are sent and when the assessment modular questionnaire projects are created as the system
generates batches of them at intervals. Setting this parameter to a number higher than the default value can help
speed this process by using larger batches.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Show only registered suppliers in engagement projects


Filters suppliers to show only those with approved registration projects during the supplier selection step in
control-based engagement risk assessment projects.

ID Application.SR.Engagement.ShowRegisteredSuppliersOnly

Name Show only registered suppliers in engagement projects

Default value No

By default, the supplier selection step of the engagement request in control-based engagement risk assessment
projects shows all suppliers in your site. Setting this parameter to Yes means that only suppliers with a Registered
registration status show in this step. This filter steers requesters toward selecting suppliers for whom you have
already collected information and performed basic due diligence.

Only set this parameter to Yes if your site uses supplier registration projects. Suppliers can only achieve a
Registered registration status through an approved registration project. Registration projects are only available
in solutions that include SAP Ariba Supplier Lifecycle and Performance or SAP Ariba Supplier Information
and Performance Management (new architecture), where the registration project template must be set up and
published. There is no other way to set registration status for a supplier.

Note

This parameter is only applicable in control-based engagement risk assessment projects. For more information
about these projects, refer to Setting Up SAP Ariba Supplier Risk.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Treat control removal as a significant change
Determines the workflow required when removing a control from a control-based engagement risk assessment
project during an edit or change request. If Yes, trigger the full workflow for a significant change. If No, use the
workflow for an insignificant change requiring approval.

ID Application.SR.Engagement.TreatControlRemovalAsSignificant

Name Treat control removal as a significant change

Default value Yes

This parameter is relevant in sites using control-based engagement risk assessment projects, in which at least one
of the following parameters is enabled:

• Enable advanced engagement editing and canceling (Application.SR.Engagement.AllowAdvancedEditCancel)
• Allow change requests (Application.SR.Engagement.AllowChangeRequest)
• If change requests are enabled, the parameter Enable editing of in-progress change requests
(Application.SR.Engagement.AllowChangeRequestEdit) determines whether an authorized user
can edit a submitted change request. If so, the parameter Treat control removal as a significant change
(Application.SR.Engagement.TreatControlRemovalAsSignificant) influences the behavior of
that feature as well.

The value of this parameter determines how control removal is treated within the context of advanced edit of
an engagement request, a change request for a completed engagement, or an edit to a change request. In any
of these actions, an authorized user might change business details or responses to the inherent risk screening
questions such that a control, required for the previous version of the engagement or the change request, is no
longer needed.

Parameter value Behavior

Yes (default) Control removal activates both initial and final approval phases for the engagement or change request.

No Control removal activates only the initial approval phase for the engagement or change request.

Remember

If control removal is treated as Insignificant requiring approval, the parameter Reopen all initial approval phase
tasks for insignificant changes requiring approval
(Application.SR.Engagement.ReopenAllInitialApprovalPhaseTasksForInsignificantChangesRequiringApproval)
determines which tasks open within the initial approval phase.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

Intelligent Configuration Manager administration


Parameter Management in Intelligent Configuration Manager

Use custom logo and footer for emails sent to suppliers


Allows you to specify a custom logo and footer for emails sent to suppliers.

When this parameter is set to Yes, the Custom Email tab appears in Ariba Administrator under Customization
Manager > Branding Settings. In addition to the SAP Ariba logo and footer, the custom logo and footer that you
set in this tab appear in emails. When this parameter is set to No, only the SAP Ariba logo and footer appear in
emails.

ID Application.EnableCustomEmailLogoAndFooter

Name Use custom logo and footer for emails sent to suppliers

Default value No

You must be a member of the Customer Administrator or Event Administrator group to customize the invitations
sent to suppliers.

To include your company's logo in registration questionnaire invitations, the parameter
Application.EnableCustomEmailLogoAndFooter must be enabled in your site. In addition, one of your
company's customer administrators must upload the logo on the Custom Email tab. See Common Data Import
and Administration Guide for SAP Ariba Strategic Sourcing Solutions and SAP Ariba Supplier Management
Solutions for details.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager
workspace.

Related Information

How to customize messages to buyers and suppliers


Intelligent Configuration Manager administration
Parameter Management in Intelligent Configuration Manager

Self-Service Site Configuration Parameters in SM Administration
Some of the functionality for supplier management is controlled by self-service configuration parameters in the
SM Administration > Configuration Parameters workspace, which members of the Customer Administrator
and SM Ops Administrator groups can set.

These parameters apply to supplier management in SAP Ariba Supplier Lifecycle and Performance and SAP Ariba
Supplier Information and Performance Management (new architecture).

Reference of Configuration Parameters in SM Administration

Some of the functionality for supplier management is controlled by configuration parameters in SM Administration >
Configuration Parameters.

In guided buying sites, the navigation path is Manage > SM Admin > Configuration Parameters.

For more information on how to modify the settings of these parameters, refer to Managing Configuration
Parameters in SM Administration [page 430].

Table 7:
Parameter category Parameter name Default setting Description

Parameter category: Integration
Parameter name: Application.SM.BusinessPartner.EnableChangeOrdinal
Default setting: False
Description: This parameter ensures that the changeOrdinalNumberValue in integration messages sent to an integrated
MDG-S system includes automatically generated, sequential values for each supplier. It's disabled by default. If
your SAP MDG-S system configuration requires these values to generate change requests, enable this parameter in
your site.


Parameter category: Integration
Parameter name: Application.SM.BusinessPartner.EnableDUNSIdnSync
Default setting: False
Description: By default, D-U-N-S numbers are stored in the vendor.vendorInfo.dunsId field, and the field isn't
mapped to any elements in integration messages sent to an integrated ERP system. Enabling this parameter
synchronizes vendor.vendorInfo.dunsId values to business partner identification segments in integration messages
and sets a party identification type code of BUP001 for them.

Parameter category: Integration
Parameter name: Application.SM.BusinessPartner.EnableBup007Sync
Default setting: False
Description: Includes the vendor.vendorInfo.anId value in integration messages to the ERP system and automatically
sets the PartyIdentifierTypeCode to BUP007.


Parameter category: Integration
Parameter name: Application.SM.Vendor.SyncAcmIdToERP
Default setting: False
Description: Automatically includes the ACM ID for a supplier created through ERP synchronization or data import
with the next update to the ERP system after the ACM ID is set. Since ACM ID generation occurs after the new
supplier is created, the initial outbound message to the ERP system typically doesn't include this ID, and it's not
otherwise included in updates.
Note: To set the ACM ID for suppliers, your site must use custom fields to store ACM IDs through an imported
default properties configuration where a generic custom field such as vendor.supplierGenericCustomField.ZS4ID is
set to $(vendor.vendorInfo.s4OrgSystemId). The integrated ERP system must have a custom implementation for the
corresponding custom field. This parameter only sends the ACM ID to the integrated ERP system if these
configurations are in place.


Parameter category: Questionnaires, Tax
Parameter name: Application.SM.Vendor.EnhancedTaxInfo
Default setting: True
Description: By default, answers in the country/region field of Address or Extended Address questions in supplier
requests or registration questionnaires don't affect the extended tax country/region codes associated with supplier
tax IDs. This behavior is designed for sites that collect supplier tax information using Tax questions. Tax
questions include a required country/region field that sets the extended tax country/region code for the tax ID
specified in the answer. The default setting of this parameter ensures that this extended tax country/region code
isn't overwritten by the country/region in an Address or Extended Address answer.

In sites that collect supplier tax information using individual tax ID questions mapped to tax ID fields such as
vendor.taxInfo.taxNumber1 rather than Tax questions, SAP Ariba recommends disabling this parameter so that the
extended tax country/region code for tax IDs collected in individual questions is automatically set by the
country/region field in Address or Extended Address questions in the supplier request or a registration
questionnaire.


Parameter category: Feature enablement
Parameter name: Application.SM.InternalRegistrationEnabled
Default setting: True
Description: Specifies whether internal supplier registrations, where buyers complete registrations on behalf of
suppliers without supplier involvement, are available in a site. By default, this parameter is set to True and
internal registrations are available. You can set this parameter to enable or disable this functionality in your
site.
Note: Along with the configuration parameter, you must also enable the Enable internal supplier registrations
parameter in Integration Configuration Manager to ensure the functionality is available in your site.
Caution: If you want to disable internal registrations, SAP Ariba recommends doing so before any internal
registrations are created in your site. Disabling the feature prevents completion of any internal registration
projects that are in progress and removes the mechanism for inviting suppliers to participate in completed internal
registrations.


Parameter category: User or administrator interface
Parameter name: Application.SM.Registration.DisplaySetRegisteredOption
Default setting: False
Description: Enabling this feature allows you to manually set a supplier's status to Registered using the Set
Registered option in the Registration area of the supplier's 360° profile.

The system immediately sets the status of the supplier to Registered. In addition, the system synchronizes supplier
data with your ERP systems automatically or with manual intervention depending on how your site is configured.
This data then becomes available for supplier qualifications or for use in other SAP Ariba procurement
applications.

Parameter category: Search
Parameter name: Application.SM.Vendor.PsoftVariantIds
Default setting: (not specified)
Description: This parameter specifies a comma-separated list of realm IDs for any procurement sites in your SAP
Ariba configuration that use the PeopleSoft variant. This setting enables procurement sites with the PeopleSoft
variant to use supplier data such as addresses and qualified or preferred statuses, and is required for those
sites.

Parameter category: Questionnaires
Parameter name: Application.SM.SupplierRequest.RestrictRequestEdit
Default setting: True
Description: Restricts the ability to edit supplier requests that are in approval to the project owner (the person
who created the supplier request) and the currently active approvers who are also members of the Supplier Request
Manager group. If disabled, all members of the Supplier Request Manager group can edit supplier requests that are
in approval.


Parameter category: Questionnaires
Parameter name: Application.SM.PropagateMatrixDimensionToProcessQualification
Default setting: False
Description: Automatically prepopulates intake forms for a supplier's process qualifications with the commodities,
regions, and departments from their supplier request or registration. If the supplier has both a request and
registration with this data, the registration data is used.

Parameter category: Feature enablement, Questionnaires
Parameter name: Application.SM.MQ.EnableStandaloneMQEnhancement
Default setting: False
Description: This parameter enables enhanced filtering and pagination in the workflow for sending standalone
modular questionnaires.
Note: Enabling or disabling this parameter requires a corresponding change to the Enable enhanced filtering and
pagination for standalone modular questionnaires [page 374] parameter in Intelligent Configuration Manager. Always
enable or disable both parameters together.

Parameter category: Search
Parameter name: Application.SM.Vendor.DefaultRealmLocale
Default setting: en
Description: The default locale for querying master data in your site. If the locale isn't provided, the default
value is used.


Parameter category: Questionnaires, Tax
Parameter name: Application.SM.Vendor.EnableDefaultTaxMasking
Default setting: True
Description: Enables or disables the masking of some information collected in Tax questions in the portions of the
user interface on the Supplier Management dashboard, such as supplier 360° profiles and questionnaire details.
Country/region and tax ID fields in Tax questions are encrypted in the database, and when this parameter is
enabled, data in encrypted tax fields is also masked in those areas of the user interface. It's never masked in
other areas of the user interface, such as project advanced view and the supplier view on SAP Business Network.
You can make tax data display consistent in all areas of the user interface by disabling this parameter.

Parameter category: Feature enablement
Parameter name: Application.SM.Process.EnableModularProcessFramework
Default setting: False
Description: Enables or disables the modular process framework for qualification and other lifecycle processes,
which includes process projects and associated functionality.
Note: Enabling or disabling this parameter requires a corresponding change to the Enable modular process framework
parameter in Intelligent Configuration Manager. Always enable or disable both parameters together.


Feature enablement Application.SM.MQ.EnableIn False Enables or disables support


ternalFormsinModularQuesti for additional internal forms
onnaires with To Do and approval
tasks in modular question-
naire projects.

 Note
Enabling or disabling this
parameter requires a cor-
responding change to the
Enable internal forms in
modular questionnaires
[page 377] parameter in
Intelligent Configuration
Manager. Always enable
or disable both parame-
ters together.

Integration Application.SM.ERP.Preferre N/A Specifies a default preferred


dTelephoneUsage
usage code to set for any tel-
ephone number that doesn't
have a usage code or, if the
supplier doesn't have a tele-
phone number, for the first
mobile number if available.

The default preferred usage


code in SAP MDG systems is
AD_DEFAULT.

Parameter category: Integration
Parameter name: Application.SM.ERP.TelephoneUsageDefault
Default setting: N/A
Description: Specifies a default usage code to set for any telephone number that doesn't have a usage code.

The default telephone number usage code in SAP MDG systems is AD_NMBDEFA.

Parameter category: Integration
Parameter name: Application.SM.ERP.MobileUsageDefault
Default setting: N/A
Description: Specifies a default usage code to set for any mobile number that doesn't have a usage code.

The default mobile number usage code in SAP MDG systems is AD_MBDEFAU.


Parameter category: Integration
Parameter name: Application.SM.ERP.AddressUsageDefault
Default setting: XXDEFAULT
Description: Specifies a default usage code to set for the first address if no addresses have a usage code.

Parameter category: Integration
Parameter name: Application.SM.ERP.ErpIdMismatchEnabled
Default setting: False
Description: If enabled, identifies mismatches between the sender business system ID in inbound integration messages and the ERP business system ID configured in integration settings.

Parameter category: Integration
Parameter name: Application.SM.ERP.BusinessPartnerIdConversionEnabled
Default setting: True
Description: Adds leading zeros to partner function bpids in outbound integration messages. Disable this parameter if your integrated ERP system sends partner function bpids without leading zeros to prevent a mismatch.

Caution: Only disable this parameter together with the Use Internal Format for ERP Vendor Id feature, which also adds leading zeros to outbound ERP vendor IDs. This feature must be disabled by SAP Ariba Support.

Parameter category: Integration
Parameter name: Application.SM.MasterData.MmSysId
Default setting: N/A
Description: Specifies an ERP business system ID to replace the ERP Business system ID configured in SM Administration integration settings in ERP search calls for material master data. If left blank, the ERP Business system ID in integration settings is also used for material master data search.


Parameter category: Integration
Parameter name: Application.SM.MDI.MdiEnabled
Default setting: False
Description: Enables supplier data integration with SAP S/4HANA Cloud using SAP Master Data Integration (MDI).

This parameter is only available when the support for supplier data integration with SAP S/4HANA Cloud feature (SM-30016) is enabled in your site. For details on this feature, including prerequisites and restrictions, refer to About Supplier Data Integration with SAP S/4HANA Cloud Using SAP Master Data Integration.

Parameter category: Integration
Parameter name: Application.SM.MDI.MdiPrimaryBpId
Default setting: (none given)
Description: Specifies the business system ID of the integrated SAP S/4HANA Cloud system.

This parameter is only available when the support for supplier data integration with SAP S/4HANA Cloud feature (SM-30016) is enabled in your site.

Parameter category: Business partner key mapping
Parameter name: Application.SM.BPKM.KeyMappingEnabled
Default setting: False
Description: Enables automatic creation of partitioned suppliers for each of the child sites defined in the child site mapping rules data import when your site receives a business partner key mapping request.

Enabling this parameter shows other key mapping parameters.

If your site uses the partitioned supplier feature (SM-30017), only enable this parameter if your SAP Ariba Procurement solutions site has a multi-ERP configuration with a child site.


Parameter category: Business partner key mapping
Parameter name: Application.SM.BPKM.KeyMappingTypeCodeForBP
Default setting: 147
Description: Specifies the type code for business partners in your site. This type code is used during business partner key mapping synchronization from an integrated ERP system.

This parameter is only visible when Application.SM.BPKM.KeyMappingEnabled is enabled.

Parameter category: Business partner key mapping
Parameter name: Application.SM.BPKM.KeyMappingObjectSchemaCodeForBP
Default setting: 888
Description: Specifies the object schema code for business partners in your site. This schema code is used during business partner key mapping synchronization from an integrated ERP system.

This parameter is only visible when Application.SM.BPKM.KeyMappingEnabled is enabled.

Parameter category: Business partner key mapping
Parameter name: Application.SM.BPKM.KeyMappingObjectSchemaCodeForBPUuid
Default setting: 889
Description: Specifies the UUID object schema code for business partners in your site. This code is used during business partner key mapping synchronization from an integrated ERP system.

This parameter is only visible when Application.SM.BPKM.KeyMappingEnabled is enabled.

Parameter category: Business partner key mapping
Parameter name: Application.SM.BPKM.KeyMappingTypeCodeForSup
Default setting: 266
Description: Specifies the type code for suppliers in your site. This type code is used during business partner key mapping synchronization from an integrated ERP system.

This parameter is only visible when Application.SM.BPKM.KeyMappingEnabled is enabled.


Parameter category: Business partner key mapping
Parameter name: Application.SM.BPKM.KeyMappingObjectSchemaCodeForSup
Default setting: 892
Description: Specifies the object schema code for suppliers in your site. This schema code is used during business partner key mapping synchronization from an integrated ERP system.

This parameter is only visible when Application.SM.BPKM.KeyMappingEnabled is enabled.


Parameter category: Partitioned suppliers
Parameter name: Application.SM.P2P.VendorDifferentiationType
Default setting: All
Description: Specifies the vendor differentiation type for suppliers, which determines whether inbound suppliers replicated from an SAP S/4HANA Cloud system are created as common suppliers (main vendors), remittance locations, or supplier locations (ordering addresses) in SAP Ariba Procurement solutions. Valid values are:

• PartnerFunction, to set a supplier's vendor type based on partner function. Use Application.SM.BPKM.MainVendorPartnerFunctionCodes, Application.SM.BPKM.OrderingPartnerFunctionCodes, and Application.SM.BPKM.RemittancePartnerFunctionCodes to specify the partner function codes that determine each vendor type.
• All, to specify that all suppliers are considered main vendors (common suppliers).

Note: All is the default setting for this parameter. To convert inbound vendor objects to remittance locations or supplier locations where appropriate instead of creating common suppliers for all of them, use the PartnerFunction setting and related parameters.

This parameter is only available when the partitioned supplier feature (SM-30017) is enabled in your site.

Parameter category: Partitioned suppliers
Parameter name: Application.SM.P2P.RemittancePartnerFunctionCodes
Default setting: RS
Description: Specifies a comma-separated list of partner function codes that determine whether a business partner is a remittance address (remittance location). These codes are only used if Application.SM.P2P.VendorDifferentiationType is set to PartnerFunction.

This parameter is only available when the partitioned supplier feature (SM-30017) is enabled in your site.

Parameter category: Partitioned suppliers
Parameter name: Application.SM.P2P.OrderingPartnerFunctionCodes
Default setting: BA
Description: Specifies a comma-separated list of partner function codes that determine whether a business partner is an ordering address (supplier location). These codes are only used if Application.SM.P2P.VendorDifferentiationType is set to PartnerFunction.

This parameter is only available when the partitioned supplier feature (SM-30017) is enabled in your site.


Parameter category: Partitioned suppliers
Parameter name: Application.SM.P2P.MainVendorPartnerFunctionCodes
Default setting: LF
Description: Specifies a comma-separated list of partner function codes that determine whether a supplier is a main vendor (common supplier). These codes are only used if Application.SM.P2P.VendorDifferentiationType is set to PartnerFunction.

This parameter is only available when the partitioned supplier feature (SM-30017) is enabled in your site.

Parameter category: Partitioned suppliers
Parameter name: Application.SM.P2P.VendorLevelAccountingGroups
Default setting: 0001,KRED
Description: Not currently used.

This parameter is only available when the partitioned supplier feature (SM-30017) is enabled in your site.

Parameter category: Partitioned suppliers
Parameter name: Application.SM.P2P.GoodsSupplierPartnerFunctionCodes
Default setting: WL
Description: Not currently used.

This parameter is only available when the partitioned supplier feature (SM-30017) is enabled in your site.

Parameter category: Partitioned suppliers
Parameter name: Application.SM.P2P.FactoryPartnerFunctionCodes
Default setting: ZF
Description: Not currently used.

This parameter is only available when the partitioned supplier feature (SM-30017) is enabled in your site.


Parameter category: Integration, Tax
Parameter name: Application.SM.Vendor.LongPartyTaxIDSupported
Default setting: False
Description: By default, the tax identification type code is included in the PartyTaxID element of integration messages received from and sent to an integrated ERP system.

If enabled, this parameter ensures that the tax identification type code 5 or greater than 5 is included as the LONG_PartyTaxID element in the BusinessPartner segment of integration messages.

The LONG_PartyTaxID element supports a maximum length of 60 characters.

Parameter category: Feature enablement
Parameter name: Application.SM.DepartmentDimension
Default setting: False
Description: You can enable this parameter to enable business unit or department as a third dimension along with commodity and region in supplier management projects such as qualifications, disqualification, and preferred projects that are based in commodity/region/department combinations. When the parameter is disabled, the department data no longer shows in the user interface.

Parameter category: Feature enablement
Parameter name: Application.SM.RiskLevelSearchFilter
Default setting: False
Description: This parameter enables or disables the Risk level search filter on the supplier search page, allowing you to search for suppliers based on their risk levels. This filter is only available in sites that also include SAP Ariba Supplier Risk. The default value of the parameter is False. You must enable this parameter to use the Risk level filter in the supplier search page.


Parameter category: Search
Parameter name: Application.SM.GB.SearchPreferredAndQualifiedByACMId
Default setting: False
Description: Uses ACM IDs rather than ERP vendor IDs in guided buying searches for preferred and qualified suppliers. Enable this parameter if your SAP Ariba Procurement solutions site uses a multi-ERP configuration so that search results return the qualification and preferred status for each supplier across all child sites, where the associated partitioned suppliers can have different ERP vendor IDs. Use the default setting, search by ERP vendor ID, if your SAP Ariba Procurement solutions site is a single site with no multi-ERP configuration.

Note: This setting isn't applicable in sites that include SAP Ariba Supplier Lifecycle and Performance and SAP Ariba Supplier Information and Performance Management (new architecture) where the support for partitioned suppliers feature (SM-30017) is enabled. SM-30017 doesn't currently support multi-ERP configurations. It's only applicable in SAP Ariba solution landscapes where the supplier master data used in guided buying is created and maintained directly in SAP Ariba Procurement solutions.


Parameter category: Feature enablement
Parameter name: Application.SM.SMUIConditionEvaluation
Default setting: False
Description: This parameter enables or disables the changed user experience for internal questionnaires with visibility conditions, which processes conditions in the background so that recipients can continue to edit the questionnaire during that processing. This parameter also improves the way visibility conditions are processed in internal questionnaires. Enable or disable this parameter depending on the performance of your internal questionnaires. You must be a member of the SM Ops Administrator group to set this parameter.

Note: Along with the configuration parameter, you must also enable the Enable improved user experience for internal questionnaires with visibility conditions parameter in Integration Configuration Manager to ensure the functionality is available in your site.


Parameter category: Feature enablement, Questionnaires
Parameter name: Application.SM.RepeatableSectionsInInternalQuestionnaires
Default setting: False
Description: Enables or disables repeatable sections in internal questionnaires, including external registration questionnaires in internal registrations.

Note: Enabling or disabling this parameter requires a corresponding change to the Enable repeatable sections in internal questionnaires parameter in Intelligent Configuration Manager. Always enable or disable both parameters together.

Parameter category: Feature enablement, Questionnaires
Parameter name: Application.SM.MQ.EnableRatingandAggregationInInternalForms
Default setting: False
Description: Enables or disables internal stakeholders of your organization to enter ratings in one or more internal forms or internal questionnaires of a project. It also enables them to view the final ratings. A final rating is a simple aggregation of all the individual ratings.

Parameter category: Questionnaires
Parameter name: Application.SM.UI.EnableERPRegionDisplayInSimpleAddress
Default setting: False
Description: Shows country/region-specific ERP region codes, which are mapped to the state codes (ANStateCode) used on SAP Business Network, in the State/Province/Region field of Address questions in buyer-facing questionnaires. By default, these codes are only available in Extended Address questions.


Parameter category: User or administrator interface
Parameter name: Application.SM.UI.SourcingSummary
Default setting: False
Description: This parameter enables the Sourcing Events panel in the Summary area and the Business activity area in the supplier 360° profile. You must enable this parameter to show the supplier's sourcing events in the Summary area and view the sourcing events list in the Business activity area in the supplier 360° profile.

Parameter category: User or administrator interface
Parameter name: Application.SM.UI.ContractsSummary
Default setting: False
Description: This parameter enables the Contracts panel in the Summary area and the Business activity area in the supplier 360° profile. You must enable this parameter to show the supplier's contracts in the Summary area and view the contracts list in the Business activity area in the supplier 360° profile.

Parameter category: Feature enablement
Parameter name: Application.SM.Process.AllowStartOfProcessQualificationForUnRegisteredSuppliers
Default setting: True
Description: This parameter adds an option for restricting the ability to create process qualifications for a supplier until the supplier has a completed registration. You can enable or disable creation of process qualifications for unregistered suppliers. However, this restriction does not apply to miscellaneous processes.

• If the option is set to True, the system allows you to start process qualifications for unregistered suppliers.
• If the option is set to False, the system doesn't allow you to start process qualifications for unregistered suppliers.


Parameter category: Integration
Parameter name: Application.SM.SkipSettingIndustrySector
Default setting: False
Description: By default, when supplier request Dun & Bradstreet lookup doesn't return any industry classification code data, the associated fields are automatically populated with a value of NA. When this parameter is enabled, the system doesn't add any industry sector data from D&B. Therefore, industry sector data added by the D&B lookup to <sm:GenericCustomField> or <IndustrySector> segments isn't included in outbound integration messages and doesn't show in ERP data in the supplier profile. This exclusion prevents integration errors when data in required fields is missing. This parameter is only applicable in sites integrated with D&B.

Parameter category: Miscellaneous
Parameter name: Application.SM.Purge.JobDelayMinutes
Default setting: 1
Description: Specifies the number of minutes between when a data purge is initiated and the scheduled task to carry out purge actions for supplier and supplier-related data starts, with a minimum of 1 minute and a maximum of 10 minutes. In some cases, increasing the delay can address stalled or failed purges.

Parameter category: Feature enablement
Parameter name: Application.SM.SendEmailNotificationOnAddingSupplierContacts
Default setting: No
Description: When this parameter is enabled, an email notification is automatically sent to newly added supplier contacts informing them that their contact details have been added to the system.

A member of the Customer Administrator group sets this parameter in the Intelligent Configuration Manager workspace.


Parameter category: Integration, User or administrator interface, Feature enablement
Parameter name: Application.SM.UI.SourcingBPSyncUI
Default setting: False
Description: Enables display of status information about the synchronization of inbound ERP business partners to sourcing, including the resulting supplier ACM ID, on the integration status page in SM Administration.

Parameter category: Integration, User or administrator interface, Feature enablement, Partitioned suppliers
Parameter name: Application.SM.UI.BuyingBPSyncUI
Default setting: False
Description: Enables display of information about the status of inbound ERP business partners to buying, including the supplier type and synchronization status, on the integration status page in SM Administration.

Note: This parameter is only applicable in sites where the partitioned supplier data feature (SM-30017) is enabled.


Parameter category: Integration, Feature enablement
Parameter name: Application.SM.Application.SM.Enable160CharacterSupportForFullName
Default setting: False
Description: Increases maximum size of the vendor.vendorInfo.fullname field from 140 to 160 characters, with corresponding increase in maximum size of vendor.vendorInfo.name1 through vendor.vendorInfo.name4 fields from 35 to 40 characters each, in sites where the supplier full name feature is enabled.

Caution: Make sure that your configuration here matches the length of name fields in the integrated ERP system. Mismatch between maximum length of name fields in SAP Ariba and the integrated ERP system can result in inconsistencies or loss of data.

If the Apply Field Restrictions validation tool is enabled on pages for adding or editing questions in project templates in your site, that tool sets a maximum length of 35 characters for individual name fields and 140 for the full name field by default. To increase these settings to 40 and 160 characters, also enable the parameter Increase maximum size for name fields to 40 characters each in applied field restrictions (Application.SM.Enable160CharacterSupportForFullName) in Intelligent Configuration Manager.


Parameter category: Integration
Parameter name: Application.SM.UserMatrixServiceBasicAuthenticationEnabled
Default setting: False
Description: Enables basic authentication using username and password for integration messages related to user matrix data in integrations that use the polling client. By default, the authentication configured for integrations that use SAP Integration Suite, managed gateway for spend management and SAP Business Network, which is certificate-based, is used.
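
The following Python example is added here and is not SAP code. It reviews a snapshot of parameter values against rules stated in the reference table: default settings, the 1 to 10 minute purge delay, the valid vendor differentiation values, and the certificate-based authentication default. The snapshot layout (a plain name-to-value mapping) is an assumption of this example, not an SAP Ariba export format, the sample values are constructed, and the partner function code parameters use the Application.SM.P2P names from their own table rows.

```python
# Added example: review a snapshot of SM Administration parameter values against
# rules stated in the reference table. The snapshot layout (name -> string value)
# is an assumption of this example, not an SAP Ariba export format.

PREFIX = "Application.SM."

# Default settings as listed in the reference table.
DEFAULTS = {
    PREFIX + "UserMatrixServiceBasicAuthenticationEnabled": "False",
    PREFIX + "ERP.ErpIdMismatchEnabled": "False",
    PREFIX + "ERP.BusinessPartnerIdConversionEnabled": "True",
    PREFIX + "Purge.JobDelayMinutes": "1",
    PREFIX + "P2P.VendorDifferentiationType": "All",
    PREFIX + "P2P.MainVendorPartnerFunctionCodes": "LF",
    PREFIX + "P2P.OrderingPartnerFunctionCodes": "BA",
    PREFIX + "P2P.RemittancePartnerFunctionCodes": "RS",
}

CODE_LISTS = [name for name in DEFAULTS if name.endswith("PartnerFunctionCodes")]

# Constructed sample: only parameters changed from their defaults are listed.
SAMPLE = {
    PREFIX + "UserMatrixServiceBasicAuthenticationEnabled": "True",
    PREFIX + "Purge.JobDelayMinutes": "15",
    PREFIX + "P2P.OrderingPartnerFunctionCodes": "BA,ZZ",  # ZZ is a made-up code
}


def is_enabled(value):
    """Treat the string 'True' (any case) as enabled."""
    return str(value).strip().lower() == "true"


def review(snapshot):
    """Return (parameter, message) pairs for settings that need a second look."""
    cfg = {**DEFAULTS, **snapshot}
    findings = []

    def flag(short_name, message):
        findings.append((PREFIX + short_name, message))

    if is_enabled(cfg[PREFIX + "UserMatrixServiceBasicAuthenticationEnabled"]):
        flag("UserMatrixServiceBasicAuthenticationEnabled",
             "user matrix messages via the polling client use username and "
             "password instead of the certificate-based default")

    if not is_enabled(cfg[PREFIX + "ERP.ErpIdMismatchEnabled"]):
        flag("ERP.ErpIdMismatchEnabled",
             "mismatched sender business system IDs in inbound messages "
             "are not identified")

    if not is_enabled(cfg[PREFIX + "ERP.BusinessPartnerIdConversionEnabled"]):
        flag("ERP.BusinessPartnerIdConversionEnabled",
             "disabled: confirm Use Internal Format for ERP Vendor Id was "
             "disabled as well")

    try:
        delay = int(cfg[PREFIX + "Purge.JobDelayMinutes"])
    except (TypeError, ValueError):
        delay = None
    if delay is None or not 1 <= delay <= 10:
        flag("Purge.JobDelayMinutes", "must be between 1 and 10 minutes")

    vendor_type = cfg[PREFIX + "P2P.VendorDifferentiationType"]
    if vendor_type not in ("All", "PartnerFunction"):
        flag("P2P.VendorDifferentiationType",
             "valid values are All and PartnerFunction")
    elif vendor_type == "All":
        # The table says the code lists are only used with PartnerFunction.
        for name in CODE_LISTS:
            if cfg[name] != DEFAULTS[name]:
                findings.append((name, "changed, but the codes are only used "
                                 "when VendorDifferentiationType is PartnerFunction"))
    return findings


if __name__ == "__main__":
    for parameter, message in review(SAMPLE):
        print(f"{parameter}: {message}")
```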

Related Information

Enable internal supplier registrations


Managing Configuration Parameters in SM Administration [page 430]

Managing Configuration Parameters in SM Administration

The configuration parameters in SM Administration control some specific supplier management functionality.
Administrators can modify the values for these configuration parameters without having to raise a case with SAP
Ariba Support. Use this procedure to manage configuration parameters.

Prerequisites

To manage parameters in SM Administration, you must be a member of the SM Ops Administrator group.

Context

You modify parameter values to enable or disable functionality controlled by the configuration parameters. For
more information about specific parameters, refer to Reference of Configuration Parameters in SM Administration
[page 406].

Procedure

1. On the dashboard, choose Manage > SM Administration.
2. Choose Configuration Parameters.
3. Choose the options icon to expand the list of options.
4. Do one of the following:

• To see the parameter's description or modify its current value, choose Edit. If you're modifying a value, choose or enter the new value and choose Save.
• To restore the parameter's default value, choose Reset.

Related Information

Reference of Configuration Parameters in SM Administration [page 406]


Enable internal supplier registrations

Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

• Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements
with SAP) to this:

• The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.

• SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

• Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering an SAP-hosted Web site. By using such links,
you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Videos Hosted on External Platforms


Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within the
control or responsibility of SAP.

Beta and Other Experimental Features


Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the
experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback
(e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and
phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example
code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free Language
SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities, genders,
and abilities.

www.ariba.com

Copyright © 2023 Ariba, Inc. All rights reserved.

This documentation, as well as the Ariba solutions, software and/or


services described in it, contain proprietary information. They are
provided under a license or other agreement containing restrictions on
use and disclosure and are also protected by copyright, patent and/or
other intellectual property laws. Except as permitted by such agreement,
no part of the document may be reproduced or transmitted in any form
by any means, electronic, mechanical or otherwise, without the prior
written permission of Ariba, Inc.

Ariba, Inc. assumes no responsibility or liability for any errors or


inaccuracies that may appear in the documentation. The information
contained in the documentation is subject to change without notice.

Ariba and Ariba products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of
Ariba, Inc. in the United States and other countries. Please see
http://www.ariba.com/legal/trademarks for additional trademark information
and notices.

Ariba Sourcing solutions (On Demand and software) are protected


by one or more of the following patents, including without limitation:
U.S. Patent Nos. 6,199,050; 6,216,114; 6,223,167; 6,230,146; 6,230,147;
6,285,989; 6,408,283; 6,499,018; 6,564,192; 6,871,191; 6,952,682;
7,010,511; 7,072,061; 7,130,815; 7,146,331; 7,152,043;7,225,152; 7,277,878;
7,249,085; 7,283,979; 7,283,980; 7,296,001; 7,346,574; 7,383,206;
7,395,238; 7,401,035; 7,407,035; 7,444,299; 7,483,852; 7,499,876;
7,536,362; 7,558,746; 7,558,752; 7,571,137; 7,599,878; 7,634,439;
7,657,461; 7,693,747; 8,364,577; and 8,392,317. Patents pending.

Other Ariba product solutions are protected by one or more of the


following patents:

U.S. Patent Nos. 6,199,050, 6,216,114, 6,223,167, 6,230,146, 6,230,147,


6,285,989, 6,408,283, 6,499,018, 6,564,192, 6,584,451, 6,606,603,
6,714,939, 6,871,191, 6,952,682, 7,010,511, 7,047,318, 7,072,061,
7,084,998; 7,117,165; 7,225,145; 7,324,936; 7,536,362; 8,364,577; and
8,392,317. Patents pending.

Certain Ariba products may include third party software or other


intellectual property licensed from a third party. For information
regarding software or other intellectual property licensed from a third
party, go to http://www.ariba.com/copyrights.cfm.
