Defining Master Data for Control-Based Engagement Risk Assessment

Objectives

After completing this lesson, you will be able to:
  • Define engagement attribute mappings.
  • Define risk types.
  • Define risk controls.
  • Define engagement control mappings.
  • Define risk classifications.
  • Define commodity risk classifications.

Engagement Attribute Mappings

Engagement attribute mappings specify which commodities, regions, and departments in the business details questionnaire trigger conditional questions in the inherent risk screening questionnaire.

For example, you might have a Yes/No question called Will the supplier access the corporate computer network? in the business details questionnaire. You can map that question to the IT services commodity category and your IT department for all regions. When a requester specifies IT services for the IT department in the engagement request filter questionnaire, the inherent risk screening questionnaire in the next step of the request displays this question.

You use the Import Engagement Attribute Mappings data import task to define attribute mappings.

If your company uses control-based engagement risk assessment projects, you must provide engagement control mappings.

How To Define Engagement Attribute Mappings

This video will explain how to use the EngagementAttributeMapping.csv file to define engagement attribute mappings.

Risk Types

Risk types are your organization's categorizations of the kinds of risks that require assessment. Each risk control has a risk type.

You can import risk controls without defining risk types, but SAP Ariba recommends setting risk types for all of your risk control data and importing risk types first.

This table shows an example of the risk types data file.

| Description | Name              | UniqueName        |
|-------------|-------------------|-------------------|
|             | Privacy           | Privacy           |
|             | Technology        | Technology        |
|             | Financial         | Financial         |
|             | Health and Safety | Health and Safety |

Risk Types Definition

You use the Import Risk Type Master Data data import task to define risk types. The task reads from the RiskTypes.csv file, which includes the following fields:

| Field       | Description                              | Required? | Notes               |
|-------------|------------------------------------------|-----------|---------------------|
| Description | A description of the risk type.          | No        |                     |
| Name        | A descriptive name for the risk type.    | Yes       |                     |
| UniqueName  | A unique identifier for the risk type.   | Yes       | Cannot contain spaces |

Risk Controls

Risk controls specify the methods that your company uses to evaluate risk when considering engagement with a supplier or third party.

Each risk control has:

  • An owner
  • A decision maker
  • At least one required assessment questionnaire
  • A type that determines how often it is reviewed

You use the Import Risk Control Definitions data import task to define risk controls.

If your company uses control-based supplier engagement risk assessment projects, you must define risk controls.

Control Owners vs. Decision Makers

Control Owner
  • Can be an individual user, a project group, or a global user group
  • Does not currently have any role in the control-based engagement risk assessment process
  • The data is currently for informational purposes only
Decision Maker
  • Can be an individual user, a project group, or a global user group
  • Is responsible for reviewing the control and marking it as effective or ineffective in a control-based engagement risk assessment project

How To Define Risk Controls

This video will explain how to use the RiskControlDefinition.csv file to define risk controls.

Engagement Control Mappings

Engagement control mappings specify how answers to the questions in the business details and inherent risk screening questionnaires in the engagement request trigger different risk control requirements for the engagement.

You can trigger risk control requirements based on the:

  • Engagement commodities, regions, and departments and answers to conditional questions in the inherent risk screening questionnaire
  • Engagement inherent risk score
    • Either alone or in combination with the engagement commodities, regions, and departments and answers to conditional questions in the inherent risk screening questionnaire

You use the Import Engagement Control Mappings data import task to define engagement control mappings.

If your company uses control-based engagement risk assessment projects, you must provide engagement control mappings.

How To Define Engagement Control Mappings

This video will explain how to use the EngagementControlMapping.csv file to define engagement control mappings.

Risk Classifications

Risk classifications are labels and descriptions that define how your organization categorizes different levels of risk. The classifications you define show in:

  • Control-based engagement risk assessment projects
    • In the Inherent Risk (Commodity) and Residual Risk fields in the Engagement Summary area of the engagement page
  • Issue management projects
    • In the Residual Risk field in the Issue Details area of the issue page.

Each classification is associated with a number that reflects its risk.

  • For example, you can classify the risk of 1 as Low and the risk of 5 as Critical.

You can define up to 5 classifications. If you use text labels for their names, you must also define translations for those names in all of the languages used in your site.

This table shows an example of the risk classifications data file.

| Description | Name     | UniqueName |
|-------------|----------|------------|
| Low         | Low      | 1          |
| Medium      | Medium   | 2          |
| High        | High     | 3          |
| Severe      | Severe   | 4          |
| Critical    | Critical | 5          |

Risk Classifications Definition

You use the Import Risk Classifications data import task to define risk classifications. The task reads from the RiskClassification.csv file, which includes the following fields:

| Field       | Description | Required? | Notes |
|-------------|-------------|-----------|-------|
| Description | A description of the risk classification. | No | |
| Name        | The name of the risk classification. | Yes | This name shows in the Inherent Risk (Commodity) and Residual Risk fields |
| UniqueName  | The unique ID of the risk classification. This value must be a number between 1 and 5, with 1 as the lowest risk classification and 5 as the highest. | Yes | Cannot contain spaces |

Risk Classifications Translations Definition

You use the Import Translations for Risk Classifications data import task to define translations for the risk classifications you defined in RiskClassification.csv. The task reads from a CSV file that includes the following fields:

| Field       | Description | Required? | Notes |
|-------------|-------------|-----------|-------|
| UniqueName  | The unique ID of the risk classification defined in the RiskClassification.csv file. | Yes | |
| Name        | The translation for the name of the risk classification. | Yes | |
| Description | The translation for the description of the risk classification. | No | |
| Language    | A valid value for the translation language. | Yes | Consult the Supplier Risk data import guide for valid values |

Commodity Risk Classifications

Commodity risk classifications assign risk classifications to specific commodities in control-based engagement risk assessment projects.

They identify the level of inherent risk for an engagement based on how critical its commodities and services are to your organization's operations.

  • For example, you might want to classify network security services as high risk because they are critical to your organization's operations and because they always involve granting supplier or third-party employees access to your organization's computer networks.

If an engagement involves multiple commodities, the one with the highest risk classification determines the commodity-based inherent risk of the engagement.

For inherent risk, commodity risk classification maps the commodities that a requester selects when creating an engagement request to risk classifications.

  • A separate risk classification data file defines the risk classifications themselves and their labels in the user interface.

Commodity Risk Classifications Definition

You use the Import Commodity Risk Classification data import task to assign risk classifications to specific commodities. The task reads from the CommodityRiskClassification.csv file, which includes the following fields:

| Field      | Description | Required? | Notes |
|------------|-------------|-----------|-------|
| Name       | Specifies a descriptive name for the risk classification for the commodity code. | Yes | |
| UniqueName | Specifies the ID of the commodity code to associate with a risk classification. The commodity code you specify must be a code used in your site's commodity master data. This field does not support multiple values. | Yes | Cannot contain spaces |
| Risk       | Specifies the unique ID of the risk classification using the value in the UniqueName field of your site's risk classification master data, which is a number between 1 and 5. | Yes | |
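A pre-import check for the two files described above, written here as an added example rather than SAP Ariba's own tooling. It applies the field rules from the RiskClassification.csv and CommodityRiskClassification.csv tables (UniqueName 1 to 5, no spaces, at most 5 classifications, Risk must reference a defined classification) and computes the commodity-based inherent risk as the highest classification among an engagement's commodities. The sample rows and commodity codes are constructed, and a comma-delimited file with a header row is assumed.

```python
import csv
import io

# Constructed sample data using the field names from this page; the header
# row and comma delimiter are assumptions, not a documented export format.
RISK_CLASSIFICATION_CSV = """Description,Name,UniqueName
Low,Low,1
Medium,Medium,2
High,High,3
Severe,Severe,4
Critical,Critical,5
"""
COMMODITY_RISK_CLASSIFICATION_CSV = """Name,UniqueName,Risk
Network security services,NETSEC,5
Office supplies,OFFICE,1
Broken row,BAD CODE,9
"""

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def validate_risk_classifications(rows):
    """Return problems found; an empty list means the file satisfies the rules."""
    problems, seen = [], set()
    for line, row in enumerate(rows, start=2):  # line 1 is the header
        uid = row.get("UniqueName", "")
        if not row.get("Name"):
            problems.append(f"line {line}: Name is required")
        if " " in uid or not uid.isdigit() or not 1 <= int(uid) <= 5:
            problems.append(f"line {line}: UniqueName {uid!r} must be 1-5, no spaces")
        elif uid in seen:
            problems.append(f"line {line}: duplicate UniqueName {uid}")
        seen.add(uid)
    if len(rows) > 5:
        problems.append("more than 5 classifications defined")
    return problems

def validate_commodity_classifications(rows, classifications):
    """Risk must point at a defined classification; commodity code has no spaces."""
    valid_ids = {r["UniqueName"] for r in classifications}
    problems = []
    for line, row in enumerate(rows, start=2):
        code, risk = row.get("UniqueName", ""), row.get("Risk", "")
        if not code or " " in code:
            problems.append(f"line {line}: commodity code {code!r} is empty or has spaces")
        if risk not in valid_ids:
            problems.append(f"line {line}: Risk {risk!r} is not a defined classification")
    return problems

def commodity_inherent_risk(engagement_codes, commodity_rows):
    """Highest classification among the engagement's commodities; None if unmapped."""
    risk_by_code = {r["UniqueName"]: int(r["Risk"]) for r in commodity_rows}
    return max((risk_by_code[c] for c in engagement_codes if c in risk_by_code), default=None)
```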
