Configuring the Supplier Risk Engagement Project Template

Objectives

After completing this lesson, you will be able to:
  • Configure the default documents in the Supplier Risk Engagement Project Template.
  • Configure inherent risk ratings.
  • Configure project conditions in the Supplier Risk Engagement Project Template.
  • Configure the team in the Supplier Risk Engagement Project Template.
  • Configure phases and tasks in the Supplier Risk Engagement Project Template.

Supplier Risk Engagement Project Template Default Documents

Business details questionnaire

  • The business details questionnaire is the first step of creating an engagement request and captures engagement details such as the title, description, and applicable commodities, regions, and departments.
    • The engagement’s details drive the inclusion of specific questions in the second part of the request, the inherent risk screening questionnaire.
  • The Supplier Risk Engagement Template includes a default survey document with default content for the business details questionnaire.

Inherent risk screening questionnaire

  • The inherent risk screening questionnaire is the second step of creating an engagement request and includes specific questions based on the business details of the engagement.
    • The answers to its questions determine the risk controls that are required for the engagement.
  • The Supplier Risk Engagement Template includes an empty default survey document for the inherent risk screening questionnaire.

Business Details Questionnaire Default Configuration

The business details questionnaire includes the following default content and field mappings:

  • A question about the engagement title, mapped to project.Title
  • A question of type Commodity, mapped to matrix.Categories
  • A question of type Region, mapped to matrix.Regions
  • A question of type Department, mapped to matrix.Departments

The title question is recommended because its answer automatically becomes the name of the control-based engagement risk assessment project created from the engagement request.

  • If you do not include a mapped title question, all projects created from the Supplier Risk Engagement Project Template are automatically named ﹤name of business details questionnaire survey document﹥ by ﹤name of requester﹥.

The commodity, region, and department questions and field mappings are required for the correct functioning of the control-based risk assessment project. The answers to those questions determine:

  • Which questions that trigger risk controls show in the inherent risk screening questionnaire
    • The mapping between project attributes and control trigger questions is defined in your site's engagement attribute mappings.
  • The membership of project groups on the project team, if you are using buyer category assignments (the user matrix)
  • Approvers for the request and the overall project, if you are using project-level conditions to create conditional approval flows

Business Details Questionnaire Optional Configuration

You can optionally add any or all of the following questions to the business details questionnaire:

  • A question about the engagement's materiality, with answer type Yes/No, mapped to project.materiality.
    • A yes answer to this question adds a TRUE flag to the Materiality project field.
  • A question about the engagement's criticality, with answer type Yes/No, mapped to project.criticality.
    • A yes answer to this question adds a TRUE flag to the Criticality project field.
  • A question about whether or not the engagement requires outsourcing, with answer type Yes/No, mapped to project.outsourcing.
    • A yes answer to this question adds a TRUE flag to the Outsourcing project field.

You can use the materiality, criticality, and outsourcing project fields to:

  • Show or hide questions that trigger risk controls in the inherent risk screening questionnaire in addition to those added by the commodity, region, and department.
  • Create conditional approval and review flows for the request and the overall project.

Note

You can optionally add other questions to the business details questionnaire for informational purposes. All of the questions and answers in this questionnaire show on the engagement page after the requester has submitted the request. However, only the mapped questions described in this topic affect the overall behavior and workflow of the associated project.

Supplier Field Mapping in the Inherent Risk Screening Questionnaire

The Supplier field mapping field is highlighted on the Edit Question page.

To set up the inherent risk screening questionnaire, you add questions designed to determine whether specific risk controls should be required. Each screening question must specify a unique identifier in the Supplier field mapping field using the format question.﹤question ID﹥.

  • The question.﹤question ID﹥ mapping format is only supported for questions in the inherent risk screening questionnaire.

The question ID you specify is used to:

  • Hide the question by default and show it only when the answers to the commodity, region, and department questions in the business details questionnaire map to the question ID in the engagement attribute mapping master data.
  • Trigger the controls mapped to the question ID in the engagement control mapping master data.

Inherent Risk Screening Questionnaire Configuration

You can add questions to the empty inherent risk screening questionnaire in two different ways:

Commodity, region, and department screening questions

  • Add all possible related questions to the survey document without applying any visibility conditions.
  • Engagement attribute mapping data in your site maps between specific commodities, regions, and departments and the IDs for these questions that you specify in the Supplier field mapping field.
  • There is no need to apply visibility conditions because questions with IDs that are mapped but that do not match the commodities, regions, and departments of the current engagement request are always hidden.

Criticality, materiality, and outsourcing screening questions

  • Create project conditions with a field match to criticality, materiality, and outsourcing project fields.
  • Add all possible related questions to the survey document and apply those conditions as visibility conditions.

Note

You can optionally add other questions to the inherent risk screening questionnaire for informational purposes. All of the questions and answers in this questionnaire show on the engagement page after the requester has submitted the request.

Inherent Risk Ratings Configuration

The Inherent risk field is highlighted on the Supplier management software deployment page.

Answers to the inherent risk screening questionnaire can generate a numerical inherent risk score, which you can show as a rating on the engagement page and use to create project-level conditions for conditional approval flows and other conditional content.

Setting up inherent risk ratings based on the score of the inherent risk screening questionnaire involves the following components:

  • Scoring the inherent risk screening questionnaire
  • Defining risk ratings

Inherent Risk Screening Questionnaire Scoring

Set up the scoring so that riskier answers result in a higher score and less risky answers result in a lower score.

You can use either point-based or percentage-based scoring to calculate request and assessment questionnaire scores.

  • Point-based scoring is the more straightforward method and is easier to configure: it awards each answer a number of points and adds all awarded points together to calculate the total score. However, approvers and other stakeholders must know how a given point total translates into risk levels.
  • Percentage-based scoring is more complicated to configure because it awards each answer a number of points, then uses the question's importance and its section's weight to calculate the total score. However, it is easier for approvers and other stakeholders to interpret percentage scores intuitively.

You can choose a scoring method for each individual survey document in the supplier engagement risk assessment project template, allowing you to select the method that best meets the requirements for individual questionnaires.

Inherent Risk Screening Questionnaire Pre-Grading

The pre-grade you assign to a specific answer to a question determines the amount that the answer contributes to the total score of the questionnaire relative to other answers to the same question.

When you pre-grade a question, you assign a grade to each possible answer to the question. You can only pre-grade questions that have defined or quantifiable answers.

  • In percentage-based scoring, pre-grades are always percentage values between 0 and 100, with 0 being the lowest and 100 being the highest. They specify the percentage of the question's available scoring points each answer earns. That question-level scoring point calculation rolls up into the calculation of both section-level and overall questionnaire scores based on the question's importance and its section's weight.
  • In point-based scoring, pre-grades are always point values that add up to section-level and overall questionnaire scores. Point-based scoring is available in the engagement request inherent risk screening questionnaire in control-based engagement risk assessment projects in sites that include SAP Ariba Supplier Risk. It is not available in sourcing events or modular supplier management questionnaires.

You can only pre-grade questions with defined or quantifiable answers, including multiple-choice and Yes/No questions.

  • You cannot pre-grade a question of type Text (single line limited) with no defined acceptable answers because a respondent can answer with any possible text, and there is no way to quantify and grade such an answer. However, if you set the Acceptable Values option to List of Choices for the question so that the respondent must choose from a set of predefined answers, you can pre-grade each answer.

Risk Ratings Definition

A self-service configuration parameter defines the risk ratings (such as "High" and "Low") and the ranges of numerical scores for each rating in your site.

  • If you use point-based scoring, the parameter is Application.SR.Engagement.RiskPointBasedScoreRanges.
  • If you use percentage-based scoring, the parameter is Application.SR.Engagement.RiskScoreRanges.

The parameter defines ranges from 0 through 100 (for percentage-based scoring) or 0 or greater up to a maximum of 1000 (for point-based scoring) with no gaps between ranges.

  • The format is "rating name:low value:high value". For example, Low:0:60,Medium:60:90,High:90:1000.
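
A check you can run on a range string before setting the parameter, as an added example that is not SAP Ariba code: it parses the "rating name:low value:high value" format and reports gaps and bounds outside the limit for the chosen scoring method. Treating overlapping ranges and duplicate rating names as errors is an assumption; the page only rules out gaps.

```python
import math
from typing import List, Tuple

# Upper limits stated on the page: 100 for percentage-based scoring,
# 1000 for point-based scoring.
MAX_SCORE = {"percentage": 100, "point": 1000}

Range = Tuple[str, float, float]


def parse_ranges(value: str) -> List[Range]:
    """Split 'name:low:high,name:low:high,...' into (name, low, high) tuples."""
    ranges = []
    for entry in value.split(","):
        parts = [p.strip() for p in entry.split(":")]
        if len(parts) != 3 or not parts[0]:
            raise ValueError(f"malformed entry {entry!r}, expected name:low:high")
        try:
            low, high = float(parts[1]), float(parts[2])
        except ValueError:
            raise ValueError(f"non-numeric bound in {entry!r}") from None
        if not (math.isfinite(low) and math.isfinite(high)):
            raise ValueError(f"non-finite bound in {entry!r}")
        ranges.append((parts[0], low, high))
    return ranges


def validate_ranges(value: str, scoring: str) -> List[str]:
    """Return a list of problems; an empty list means the string passed."""
    limit = MAX_SCORE[scoring]
    try:
        ranges = parse_ranges(value)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    names = [name for name, _, _ in ranges]
    for name in sorted({n for n in names if names.count(n) > 1}):
        # Assumption: each rating name should appear once.
        problems.append(f"duplicate rating name {name!r}")

    ordered = sorted(ranges, key=lambda r: r[1])
    for name, low, high in ordered:
        if low >= high:
            problems.append(f"{name}: low {low:g} is not below high {high:g}")
        if low < 0 or high > limit:
            problems.append(f"{name}: outside 0..{limit} for {scoring}-based scoring")

    # Adjacent ranges must share a boundary: the page requires no gaps.
    for (prev, _, prev_high), (nxt, nxt_low, _) in zip(ordered, ordered[1:]):
        if nxt_low > prev_high:
            problems.append(f"gap between {prev} and {nxt}: {prev_high:g}..{nxt_low:g}")
        elif nxt_low < prev_high:
            # Assumption: overlapping ranges are treated as an error here.
            problems.append(f"overlap between {prev} and {nxt}: {nxt_low:g}..{prev_high:g}")
    return problems


if __name__ == "__main__":
    page_example = "Low:0:60,Medium:60:90,High:90:1000"  # example string from the page
    for mode in ("point", "percentage"):
        print(mode, validate_ranges(page_example, mode) or "OK")
```

The page's example string passes for point-based scoring but fails for percentage-based scoring, because its High range ends at 1000.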

Inherent Risk Ratings and Commodity Risk Classifications

Control-based engagement risk assessment projects can also have an inherent risk rating based on the commodities the requester selects in the business details questionnaire.

If you have defined commodity risk classifications in your site, the commodity-based rating shows in the Inherent Risk (Commodity) field in the Engagement Summary, and its corresponding numerical value is stored in the Inherent Risk Score (Commodity) project field.

Although you can set up both types of inherent risk ratings for your control-based engagement risk assessment projects, it is possible for the same project to show different and even conflicting ratings in the Inherent Risk and Inherent Risk (Commodity) fields.

  • SAP Ariba recommends that you choose only one method of rating the inherent risk for engagements in order to provide clearer guidance to engagement approvers and other stakeholders.

Project-Level Conditions

Control-based engagement risk assessment projects include specialized project-level fields with corresponding project field mappings. These fields allow you to create:

  • Conditional approval flows based on mapped questions in the business details questionnaire
  • Visibility conditions on criticality, materiality, and outsourcing screening questions in the inherent risk screening questionnaire

The Supplier Risk Engagement Project Template Team

You can add members to project template teams in the following two ways:

  • Manually add individual users or user groups to project groups
  • Dynamically add individuals or user groups to project groups based on buyer category assignments

Buyer Category Assignments

You can dynamically add users to project groups in the Supplier Risk Engagement Project Template by using buyer category assignments. Buyer category assignments are created by a combination of the following two components:

  • User matrix data, which assigns either individual users or system groups to project groups for specific commodities, regions, and departments
  • Template project groups, when the Use commodity and region assignments setting is enabled

By default, assignments are based on a combination of commodity and region. If the department dimension feature is enabled in your site, buyer category assignments are based on a combination of commodity, region, and department.

An advantage of buyer category assignments is that when a user is assigned to a combination of commodity, region, and department, they are also assigned to all of the values below it in the hierarchy. Therefore, you do not have to explicitly assign users to every commodity, region, and department in your site.

User Matrix Data

You define buyer category assignments in the UserMatrix.csv file.

  • SM Ops Administrators import the file in SM Administration.

You can assign individual users or global user groups to project groups.

  • If you assign users, when a user leaves the company or changes roles, you must edit and re-import the User Matrix.
  • If you assign user groups, when you subsequently edit who is part of the user group, you do not have to edit the User Matrix.

You can assign a user to multiple commodities, regions, or departments in separate rows.

Assignments can be deactivated.

Using Buyer Category Assignments

The Use commodity and region assignments option is highlighted on the Project Group Details page.

You must configure project groups in the Supplier Risk Engagement Project Template to use buyer category assignments. To do so, complete the following steps:

  1. Open the template for editing.
  2. On the Team tab, choose Actions > Team Members > Edit.
  3. Edit an existing project group or add a new project group.
  4. For Use commodity and region assignments, choose Yes.

Supplier Risk Engagement Project Template Phases and Tasks

The control-based engagement risk assessment workflow is defined by a specific pattern of phases and tasks on the Tasks tab of the project template.

The default Supplier Risk Engagement Template project template does not include any tasks or phases.

  • You must add them when setting up the template.

Supplier Risk Engagement Project Template Phases

Control-based engagement risk assessment projects use the following phases with tasks that define the project workflow:

  • Request Approval (required)
  • Trigger Evidence and Control Process (required)
  • Evidence Collection (required)
  • Risk Control Effectiveness Review (required)
  • Project Approval (required)
  • Post Project Approval (optional)
  • Change Request Initial Approval (required for the change request workflow)
  • Change Request Final Approval (required for the change request workflow)
  • Project Archiving (required for the advanced archiving workflow)

Workflow order for phases in control-based engagement risk assessment projects is defined by the Choose where the tasks in this phase should be applied setting. Do not use predecessors for these phases.

Supplier Risk Engagement Project Template Tasks

In most cases, predecessors define workflow order for tasks in control-based engagement risk assessment projects. Workflow order is never related to the display order of the tasks on the Tasks tab in the project template.

Approval tasks in control-based engagement risk assessment projects allow requesters or a member of the Supplier Risk Engagement Governance Analyst group to add ad hoc approvers after the request is submitted, rather than using an approval flow defined in the template task.

  • To enable this ability, add the approval task but keep its approval flow empty.

Request Approval

You must add an Approval task in this phase and associate it with the business details questionnaire or the inherent risk screening questionnaire.

  • SAP Ariba recommends that you associate the task with the inherent risk screening questionnaire so the approval task details page will show the answers from both questionnaire documents to approvers.

If you do not want to require approval for the request, create one approval task and set it to auto-approve.

(Optional) You can add any other To Do or Approval tasks you want to include in the Request Approval phase.

  • Can be standalone or associated with documents

The first task in this phase must have no predecessor.

  • Predecessors of tasks in this phase must be other tasks in the Request Approval phase.

Trigger Evidence and Control Process

This phase must have exactly one To Do task that is standalone (not associated with a document).

  • This configuration identifies it as the task that triggers sending assessment questionnaires to recipients.
  • To activate correctly, the send assessments To Do task must have the previous task in the project workflow as a predecessor.

(Optional) You can add any other To Do or Approval tasks you want to include in the Trigger Evidence and Control Process phase.

  • To Do tasks must be associated with documents
  • Approval tasks can be standalone or associated with documents

Specify the last task in the Request Approval phase as the predecessor to the first task in this phase.

Evidence Collection

Do not add any tasks to this phase. This phase must always remain empty.

Once the owner of the To Do task for sending assessments completes it and the Trigger Evidence and Control Process phase has ended, the control-based risk assessment project automatically generates a task of the specialized type External in the Evidence Collection phase for each assessment questionnaire that:

  • Was sent by completing the To Do task in the previous phase
  • Is pending expiration or expired and requires an update

Risk Control Effectiveness Review

Do not add any tasks to this phase. This phase must always remain empty.

Once the owner of the To Do task for sending assessments completes it and the Trigger Evidence and Control Process phase has ended, the control-based risk assessment project automatically generates a task of the specialized type External in the Risk Control Effectiveness Review phase for each open control that:

  • Has an automatically generated name that includes the control name (defined in your site's risk control definition master data) and the words Control Review
  • Specifies the control decision maker defined in the DecisionMaker field in your site's risk control definition master data as the task owner

Project Approval

You must add at least one Approval task on the Supplier Risk Engagement Project Template itself.

(Optional) You can add any other To Do or Approval tasks you want to include in the Project Approval phase.

  • Can be standalone, associated with documents, or associated with the Supplier Risk Engagement Project Template

The first Approval task in this phase starts automatically when all of the external tasks for risk control reviews in the previous Risk Control Effectiveness Review phase have completed.

  • Making the last task in the Evidence Collection phase the predecessor of the first task in this phase ensures the correct display of tasks in the process flow on the engagement page.

Post Project Approval

This phase must include at least one task.

  • Can be a standalone To Do task, or a pair of To Do and Approval tasks on a supplemental engagement questionnaire survey document

(Optional) You can add any other To Do or Approval tasks you want to include in the Post Project Approval phase.

  • Can be standalone or associated with documents

The first task in this phase starts automatically after final approval. Do not make the last task in the Project Approval phase a predecessor of the first task in this phase.

Change Request Initial Approval

You must add an Approval task that is associated with the inherent risk screening questionnaire document.

(Optional) You can add any other To Do or Approval tasks you want to include in the Change Request Initial Approval phase.

  • Can be standalone or associated with documents

The Change Request Initial Approval phase has no predecessors because it identifies the start of the change request process.

  • Predecessors of tasks in this phase must be other tasks in the Change Request Initial Approval phase.

Change Request Final Approval

You must add an Approval task on the Supplier Risk Engagement Project Template itself.

(Optional) You can add any other To Do or Approval tasks you want to include in the Change Request Final Approval phase.

  • Can be standalone or associated with documents

The first Approval task in this phase starts automatically when the risk control effectiveness review tasks are completed.

  • Predecessors of tasks in this phase must be other tasks in the Change Request Final Approval phase.

Project Archiving

This phase must include at least one task.

  • Can be a standalone To Do task, or a pair of To Do and Approval tasks on a supplemental engagement questionnaire survey document

(Optional) You can add any other To Do or Approval tasks you want to include in the Project Archiving phase.

  • Can be standalone or associated with documents

This phase starts automatically when a project owner or governance analyst requests the archiving of a completed project on the engagement page.

  • Do not make the last task in the previous phase a predecessor of the first task in this phase.

Predecessors of tasks within this phase must be other tasks in the Project Archiving phase.
