Setting up SAP Ariba Supplier Risk

CONFIDENTIAL2019-12

Setting up SAP Ariba Supplier RiskSAP Ariba Supplier Risk

© 2

019

SAP

SE o

r an

SAP affi

liate

com

pany

. All

right

s re

serv

ed.

THE BEST RUN

Content

Topics about getting started with SAP Ariba Supplier Risk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6Overview of SAP Ariba Supplier Risk setup and key assumptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Workflows for setting up SAP Ariba Supplier Risk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Topics about managing SAP Ariba Supplier Risk users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9SAP Ariba Supplier Risk user groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9How to add users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11How to edit users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Topics about importing supplier-related data in SM Administration. . . . . . . . . . . . . . . . . . . . . . . . 14About importing supplier-related data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14How to import supplier data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Importing suppliers from sourcing (manual supplier migration). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

How to manually migrate supplier organization data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Options for migrating ERP vendor IDs to the unified vendor model. . . . . . . . . . . . . . . . . . . . . . . . . . 22Supplier organization-to-unified-vendor field mappings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

How imported supplier data affects risk corporate enrichment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Supplier data import file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Supplier contact data import file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Defining supplier qualifications for control-based engagement risk assessment projects. . . . . . . . . . . . . 33

Supplier qualification data import file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Preferred supplier data import file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38User matrix (buyer category assignment) data import file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41Supplier risk data import file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Risk control status data import file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47Risk assessment status data import file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Topics about configuring risk exposure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Supplier risk exposure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52Understanding how risk exposure is calculated. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Understanding the risk exposure configuration interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54How to specify the data sources used in risk exposure calculations. . . . . . . . . . . . . . . . . . . . . . . . . . . . 56How to set category weights and thresholds. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57How to define values and risk exposures for fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59How to inactivate risk incidents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Topics about supplier enrichment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Workflow for UI for admin review of enriched supplier data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

2 C O N F I D E N T I A LSetting up SAP Ariba Supplier Risk

Content

How to flag suppliers for future enrichment review. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62

How to perform manual enrichment reviews. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

How to explicitly trigger the automated enrichment process in SAP Ariba Supplier Risk. . . . . . . . . . . . . .65

How to register a third-party provider license. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

How to map suppliers and ERP commodity codes for forced labor. . . . . . . . . . . . . . . . . . . . . . . . . 67

How to make an ineligible supplier eligible for monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

How to append external IDs to supplier profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

How to edit a supplier's external ID. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Topics about setting up engagement risk assessment projects. . . . . . . . . . . . . . . . . . . . . . . . . . . 74Control-based engagement risk assessment projects versus legacy engagement risk assessment projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Prerequisites for setting up control-based engagement risk assessments. . . . . . . . . . . . . . . . . . . . . . . 76

Optional features for control-based engagement risk assessments. . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Workflow for setting up control-based engagement risk assessment projects. . . . . . . . . . . . . . . . . . . . . 82

Restrictions for control-based engagement risk assessment projects. . . . . . . . . . . . . . . . . . . . . . . . . . 85

Topics about supplier management project template basics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Topics about editing and publishing project templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Topics about upgrading supplier management projects to the latest template version. . . . . . . . . . . . 90

Topics about setting up control-based engagement risk assessment projects. . . . . . . . . . . . . . . . . . . . 102

About risk controls in SAP Ariba Supplier Risk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

The control-based engagement risk assessment process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103

Understanding the components of the control-based risk assessment process. . . . . . . . . . . . . . . . 106

About the supplier risk engagement project template for control-based engagement risk assessment projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Restrictions, requirements, and helpful hints for setting up the supplier risk engagement project template for control-based engagement risk assessments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Setting up the business details questionnaire in the engagement request. . . . . . . . . . . . . . . . . . . . .114

Setting up the inherent risk screening questionnaire in the engagement request. . . . . . . . . . . . . . . . 116

Topics about setting up inherent risk ratings for control-based engagement risk assessment projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Setting up phases and tasks for control-based engagement risk assessment projects. . . . . . . . . . . 130

Setting up supplemental engagement questionnaires. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Supplier field mappings for control-based supplier engagement risk assessment projects. . . . . . . . .136

Topics about setting up modular supplier management questionnaires for control-based engagement risk assessments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

About modular supplier management questionnaire project templates. . . . . . . . . . . . . . . . . . . . . . 139

About modular supplier management questionnaires in control-based engagement risk assessment projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Setting up SAP Ariba Supplier RiskContent C O N F I D E N T I A L 3

Restrictions, requirements, and helpful hints for modular supplier management questionnaire project templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144Supplier form or questionnaire closing, reopening, and due dates. . . . . . . . . . . . . . . . . . . . . . . . . . 146How to create a modular supplier management questionnaire project template. . . . . . . . . . . . . . . . 147How to set up a modular supplier management questionnaire. . . . . . . . . . . . . . . . . . . . . . . . . . . . 149How to set up separate workflows for new and updated modular supplier management questionnaires. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

Topics about setting up issue management projects for engagement risk assessments. . . . . . . . . . . . . 155The issue management process for risk controls and control-based engagement risk assessment projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155The legacy engagement risk issue management process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157About the issue management project template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158Restrictions, requirements, and helpful hints for setting up the issue management project template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159Setting up residual risk based on issue probability and severity in control-based engagement risk assessment projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162Customizing the issue page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163Setting up access control for editing sections of the issue form. . . . . . . . . . . . . . . . . . . . . . . . . . . 164Tasks and phases in the default issue management workflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166Suppliers field mappings for supplier engagement risk assessment issue management projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167

Topics about setting up other project elements for engagement risk assessment and related projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Topics about adding content to a supplier form or questionnaire. . . . . . . . . . . . . . . . . . . . . . . . . . .169Topics about adding project groups and team members to project templates. . . . . . . . . . . . . . . . . .192Topics about setting up supplier form and questionnaire approvals. . . . . . . . . . . . . . . . . . . . . . . . 204Topics about customizing notifications for risk assessment and related projects. . . . . . . . . . . . . . . 219

Setting up legacy risk assessment projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229The legacy risk assessment process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230Workflow for setting up legacy risk assessment projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231Prerequisites for setting up legacy risk assessment projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232Working with the legacy risk assessment project template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233Creating legacy engagement requests and engagement-level risk assessments. . . . . . . . . . . . . . . . 244

Topics about running administrative reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263How to run the Supplier Risk Summary report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263How to run new updates for risk compliance reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

Topics about site configuration parameters for setting up SAP Ariba Supplier Risk. . . . . . . . . . . 266Site configuration parameters for engagement risk assessment projects. . . . . . . . . . . . . . . . . . . . . . . 266Self-service site configuration parameters for engagement risk assessment projects. . . . . . . . . . . . . . 267

Allow engagement requests with no supplier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267Define percentage-based scoring ratings and ranges for engagement questionnaires . . . . . . . . . . . 268


Content

Define point-based scoring ratings and ranges for engagement questionnaires . . . . . . . . . . . . . . . . 268Enable advanced archiving workflow for engagement projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . 269Enable advanced engagement editing and canceling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269Enable advanced send assessment workflow for engagement projects. . . . . . . . . . . . . . . . . . . . . . 270Enable change project owner action on the engagement page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270Enable editability access control for the issue form. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271Add issue assignees to the assignee project group only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271Enable manage project team action on the engagement page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272Enable task enhancements in engagement projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272Hide names of empty questionnaire sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273Process engagement request questionnaires in the background . . . . . . . . . . . . . . . . . . . . . . . . . . .274Process supplemental engagement questionnaires in the background . . . . . . . . . . . . . . . . . . . . . . 274Require issues for ineffective risk control decisions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275Restrict engagement project visibility by role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275Restrict issue project visibility by role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276Set batch size for creating assessment questionnaires . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276Show only registered suppliers in engagement projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277

Revision history. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Setting up SAP Ariba Supplier RiskContent C O N F I D E N T I A L 5

Topics about getting started with SAP Ariba Supplier Risk

Overview of SAP Ariba Supplier Risk setup and key assumptions [page 6]

Workflows for setting up SAP Ariba Supplier Risk [page 6]

Overview of SAP Ariba Supplier Risk setup and key assumptionsSAP Ariba Supplier Risk provides detailed data on potential supplier risk in a number of areas, including financial, regulatory, and legal risk.

Category and supplier managers use this risk data to:

● Decide which suppliers to approve for procurement, sourcing, and other activities.● Segment suppliers by risk levels and risk category.● Identify problem suppliers and initiate risk assessment and due diligence activities.

Setting upSAP Ariba Supplier Risk involves configuring risk exposure calculation, making sure that users have permission to work with risk data, and importing suppliers into the database so that they are associated with their risk data. It can also involve setting up a supplier or third-party engagement risk assessment process by importing master data and setting up project templates.

NoteThe topics about setting up SAP Ariba Supplier Risk assume that your site deployment includes the loading of all non-SAP Ariba Supplier Risk-specific master data (such as users).

Related Information

Workflows for setting up SAP Ariba Supplier Risk [page 6]

Workflows for setting up SAP Ariba Supplier RiskSAP Ariba Supplier Risk is deployed in one of three scenarios: as a standalone solution, as an addition to SAP Ariba Supplier Lifecycle and Performance, or as an addition to other existing SAP Ariba solutions. Each scenario involves a different workflow.



Setting up SAP Ariba Supplier Risk as a standalone solution

If your company does not license any other SAP Ariba solutions, you set SAP Ariba Supplier Risk up as a standalone solution. To do that, you need to:

1. Set up the users who will be monitoring supplier risk with the appropriate permissions. [page 9]2. Import your supplier data into the database. [page 14]

For this workflow, you import the following types of data:○ Suppliers○ (Optional) Preferred Supplier list data and Supplier qualification data

You only need to import preferred supplier data if your company designates preferred supplier status. The data can be used in risk exposure calculations, and supplier 360° profiles indicate whether or not the supplier has preferred status. Control-based engagement risk assessment projects use supplier qualification data to recommend suppliers for engagements.

○ Supplier Risk Data3. (Optional) Edit the risk exposure configuration workbook to specify how you want to calculate risk exposures

for your company's suppliers. [page 52]4. (Optional) If you plan to use supplier or third-party engagement risk assessments, set up the control-based

engagement risk assessment project template and associated issue management and modular supplier management project templates [page 82].

Setting up SAP Ariba Supplier Risk with SAP Ariba Supplier Lifecycle and Performance

If your organization uses SAP Ariba Supplier Lifecycle and Performance for supplier management, the tasks for setting it up and setting up SAP Ariba Supplier Risk overlap because both solutions use the same supplier database. In this case, you need to edit the risk exposure configuration workbook to specify how you want to calculate risk exposures for your company's suppliers. [page 52] and then make sure that the users who will be monitoring supplier risk have the appropriate permissions. [page 9] Typically, those users will be SAP Ariba Supplier Lifecycle and Performance category or supplier managers If you plan to use a supplier or third-party engagement risk assessment process, in addition to setting up supplier management projects, you will need to set up the control-based engagement risk assessment project template and associated issue management and modular supplier management project templates [page 82].

Supplier data import steps are the same for SAP Ariba Supplier Lifecycle and Performance and SAP Ariba Supplier Risk, although for SAP Ariba Supplier Lifecycle and Performance you import additional supplier-related data, and for SAP Ariba Supplier Risk you import risk data. You only need to import supplier-related data once for both solutions. See the Supplier management setup and administration guide for descriptions of all of the additional required data import tasks.

Setting up SAP Ariba Supplier Risk with other SAP Ariba solutions but without SAP Ariba Supplier Lifecycle and Performance

Other SAP Ariba solutions such as Rozwiązania SAP Ariba Strategic Sourcing (including SAP Ariba Supplier Information and Performance Management (classic architecture)) and Rozwiązania SAP Ariba Procurement , you

Setting up SAP Ariba Supplier RiskTopics about getting started with SAP Ariba Supplier Risk C O N F I D E N T I A L 7

manage your suppliers in a different database than the one used by SAP Ariba Supplier Risk and SAP Ariba Supplier Lifecycle and Performance. In this case, you need to:

1. Set up the users who will be monitoring supplier risk with the appropriate permissions. [page 9]2. Add supplier data. The steps you use to add supplier data to the newest solution in your SAP Ariba landscape

depends on the solution combination and the order of deployment. See Supplier risk data import for important information on how to add supplier data in this case.

3. Import some supplier-related data into the database. [page 14]In this workflow, you import the following types of data:○ (Optional) Preferred Supplier list data and Supplier qualification data

You only need to import preferred supplier data if your company designates preferred supplier status. The data can be used in risk exposure calculations, and supplier 360° profiles indicate whether or not the supplier has preferred status. Control-based engagement risk assessment projects use supplier qualification data to recommend suppliers for engagements.

○ Supplier Risk Data4. Edit the risk exposure configuration workbook to specify how you want to calculate risk exposures for your

company's suppliers. [page 52]5. (Optional) If you plan to use supplier or third-party engagement risk assessments, set up the control-based

engagement risk assessment project template and associated issue management and modular supplier management project templates [page 82].



Topics about managing SAP Ariba Supplier Risk users

SAP Ariba Supplier Risk user groups [page 9]

How to add users [page 11]

How to edit users [page 13]

SAP Ariba Supplier Risk user groupsManaging SAP Ariba Supplier Risk users involves making sure that the users in your site are members of the appropriate SAP Ariba Supplier Risk user groups.

NoteBefore you set up supplier management users, they must be created in your site. Typically, enterprise users are imported as master data as part of SAP Ariba deployment of your site. You can manually create enterprise users [page 11]. For details, see the Common Data Import and Administration Guide.

The following table provides a high-level description of the user groups that are pertinent to SAP Ariba Supplier Risk. For complete details, see the Rozwiązania SAP Ariba Strategic Sourcing and Supplier Management group descriptions.

Members of this group... Can...

Customer Administrator Import site master data, including commodity, region, department, user, and risk master data, and manually create new users and add groups to existing users

Customer User Admin Create new users and add groups to existing users.

Supplier Risk Manager ● View supplier risk information on the Supplier Risk dashboard tab and in supplier 360° profiles.

● View modular questionnaires in supplier 360° profiles.● Perform tasks in the SM Administration area, including

importing and exporting supplier-related data.● Configure risk exposure calculation and run risk metrics

reports.● Register licenses for third-party providers of supplier risk

data.

Setting up SAP Ariba Supplier RiskTopics about managing SAP Ariba Supplier Risk users C O N F I D E N T I A L 9


Supplier Risk User View supplier risk information on the Supplier Risk dashboard tab and in supplier 360° profiles and receive and manage alerts for followed suppliers.

View modular questionnaires in supplier 360° profiles.

Supplier Risk Engagement Requestor (Control-based engagement risk assessment projects) Create engagement requests and view the engagements they have requested and add ad hoc approvers for those engagements if no approvers are defined in the template. View related issues for which they are the creator, assignee, or an approver or reviewer. View modular questionnaires in supplier 360° profiles.

(Legacy engagement risk assessment projects) Create engagement requests, view the engagements they have requested, and fill out the internal risk assessments for which they have been specified as recipients. View related issues for which they are the creator, assignee, or an approver or reviewer.

Supplier Risk Engagement Analyst (Legacy engagement risk assessment projects) Be specified as recipients of and fill out internal risk assessments and run compliance report updates.

NoteThis group does not have any permissions in control-based engagement risk assessment projects and is deprecated for them..

Supplier Risk Engagement Expert (Control-based engagement risk assessment projects) Be designated as a control decision maker and view engagements for which they are a control decision maker. View related issues for which they are the creator, assignee, or an approver or reviewer. View modular questionnaires in supplier 360° profiles.

(Legacy engagement risk assessment projects) Be specified as recipients of and fill out internal risk assessments.

Supplier Risk Engagement Governance Analyst (Control-based engagement risk assessment projects) View, edit, cancel, or delete all engagement requests; add ad hoc approvers for all engagements if no approvers are defined in the template; and be designated as a control decision maker. View all related issues. View modular questionnaires in supplier 360° profiles.

(Legacy engagement risk assessment projects) Send out or skip risk assessments for an engagement request, be specified as recipients and fill out internal risk assessments, and specify ad hoc approvers for engagement requests and risk assessments with no defined approval flow.




Template Creator Edit and publish templates for both control-based and legacy engagement risk assessment projects and issue management projects.

SM Modular Questionnaire Manager Send modular questionnaires to suppliers as standalone questionnaires. This permission is not required for users who own the To Do task for sending assessments in control-based engagement risk assessment projects.

Create, edit, and publish modular supplier management questionnaire projects when also a member of the Template Creator group.

SM Ops Administrator Import and export data in the SM Administration area.

SM ERP Administrator Configure integration with an external ERP system in the SM Administration area..

How to add usersYou can add individual users from Ariba Administrator as necessary.

Prerequisites

You must be a member of the Customer Administrator or Customer User Admin group in order to add users to a site.

Context

If you need to add many users, it is more efficient to run data import tasks.

Procedure

1. On the dashboard, click Manage Administration .2. In Ariba Administrator, click User Manager, and then click Users.3. On the Users page, click Create New User.4. On the General tab, enter:


○ Type: This field can be set to Enterprise User, Third Party Enterprise User (SAP Ariba), or Supplier User.○ User ID: A unique internal identifier for the user. For security reasons, this field cannot contain an

apostrophe.○ Name: The display name for the user.○ Organization: Do not modify the value in this field.○ Business Email Address: The user’s business email address.

User email addresses are checked for validity. Valid email addresses be entered, even in test environments. Invalid email addresses trigger an error message and must be corrected. By default, an email address must include a valid, existing domain. (The domain name is the part of the email address that appears after the @ sign.)SAP Ariba Customer Support can set a parameter to turn off the domain portion of the validity check, in which case only syntax is checked. The name of the parameter is Application.Base.EnforceEmailDomainCheck.

NoteIf SAP Ariba Customer Support configured a set of valid email address domain names specifically for your site, any domain you use in the Business Email Address field must match a domain in that set, unless you select the Allow External Email Domain option (see the next item).

○ Allow External Email Domain - Check this checkbox to allow an unapproved email address domain for this user.

○ Business Phone Number - The user’s business phone number.○ Business Fax Number - The user’s business fax number.○ Locale - The user’s default locale.○ Default Currency - The user’s default currency. You must use a currency code defined on the

Reference - System Level Codes worksheet.○ Timezone - The user’s time zone.○ Supervisor - The user’s supervisor.

5. On the Invitation tab set your preference for user password generation and login invitation:

○ Check the checkbox if you want Ariba Administrator to generate a temporary password and send a login invitation message to the user immediately after you click Save.

○ Clear the check box (the default) if you want to manually generate a temporary password before Ariba Administrator sends a login invitation message..

6. On the Ship To Addresses tab, click Add/Remove to display the available shipping addresses and enter the user’s ship-to address.

7. On the Billing Addresses tab, click Add/Remove to display the available billing addresses and enter the user’s billing address.

8. On the Groups tab, click Add/Remove to display the available groups. Select one or more groups to assign to the new user and click Done.

9. Click Save to save your changes, or click Cancel to return to the previous page without saving your changes.

Results

If you allowed SAP Ariba to generate a temporary password for the user, the user receives the system-generated email invitation containing a temporary password and instructions for logging in to SAP Ariba. When the user clicks the URL in the invitation, the user is prompted to create a new password.



How to edit usersYou can modify existing users from Ariba Administrator.

Prerequisites

You must be a member of the Customer Administrator or Customer User Admin group in order to edit users.

Context

If you need to edit many users at once, it is more efficient to run data import tasks.

Procedure

1. On the dashboard, click Mange Administration .2. In Ariba Administrator, click User Manager, and then click Users.3. Search for and select the user you want to edit.4. Choose Edit from the Actions pull-down menu.5. On the General tab, edit the user’s name, email address, phone number, fax number, locale, default currency,

supervisor, and department. Do not edit the default values in the Type and Organization fields.6. On the Ship To Addresses tab, click Add/Remove to display the available shipping addresses and edit the

user’s ship-to address.7. On the Billing Addresses tab, click Add/Remove to display the available billing addresses and edit the user’s

billing address.8. On the Groups tab, click Add/Remove to display the available groups and edit the groups to which the user

belongs.9. Click Save to save your changes, or click Cancel to return to the previous page without saving the changes.


Topics about importing supplier-related data in SM Administration

About importing supplier-related data [page 14]

How to import supplier data [page 16]

Importing suppliers from sourcing (manual supplier migration) [page 19]

How imported supplier data affects risk corporate enrichment [page 26]

Supplier data import file format [page 26]

Supplier contact data import file format [page 31]

Defining supplier qualifications for control-based engagement risk assessment projects [page 33]

Preferred supplier data import file format [page 38]

User matrix (buyer category assignment) data import file format [page 41]

Supplier risk data import file format [page 44]

Risk control status data import file format [page 47]

Risk assessment status data import file format [page 49]

About importing supplier-related dataSupplier-related data defines the suppliers and supplier contacts in your site as well as their characteristics, such as qualified or preferred status, and risk data. You import supplier-related data using the Data import or export task in SM Administration.

SAP Ariba Supplier Risk uses the following supplier-related data:

This supplier data... Defines...

Supplier data [page 26] The suppliers in your site.

If you have an existing SAP Ariba solution that does not include SAP Ariba Supplier Lifecycle and Performance, see Supplier risk data import.

If your SAP Ariba solution includes SAP Ariba Supplier Lifecycle and Performance, it shares a supplier database with SAP Ariba Supplier Risk and you do not have to import suppliers separately.

Otherwise, you import this CSV file containing your supplier data to define the suppliers in your SAP Ariba Supplier Risk solution.



This supplier data... Defines...

Supplier contact data [page 31] The contacts for your suppliers.

Supplier qualification data [page 34] Qualification statuses for your suppliers.

Control-based engagement risk assessment projects can optionally use qualified status to recommend suppliers during the supplier selection step of the engagement request. If your solution includes SAP Ariba Supplier Lifecycle and Performance, the qualification statuses designated as part of the lifecycle process drive recommendations in the engagement request. If your solution does not include SAP Ariba Supplier Lifecycle and Performance, you can import qualification supplier data using a supplier qualification CSV file.

Preferred supplier data [page 38] Preferred statuses for your suppliers.

SAP Ariba Supplier Risk can optionally use preferred supplier status as part of its risk exposure calculations. If your solution includes SAP Ariba Supplier Lifecycle and Performance, the preferred status levels designated as part of the lifecycle process are included in risk exposure calculation. If your solution does not include SAP Ariba Supplier Lifecycle and Performance, you can import preferred supplier data for use in risk exposure calculations using a preferred supplier CSV file.

Buyer category assignment (user matrix) data [page 41] User assignments to project or global user groups for specific combinations of commodity, region, and department.

Supplier risk data [page 44] Risk-related information such as spend and relationship type for your suppliers, as well as data for custom fields and risk exposures from external systems.How to import supplier data [page 16]

You can download samples of supplier data CSV files from the Data import or export area of SM Administration. On the dashboard, click Manage SM Administration to access this area.

NoteThe sample files you download include a column for supplier name, which is included in exported data for reference only. Do not include it in the data files you import. The exceptions to this rule are the name1 through name4 columns in the file you import using the Suppliers data import task. Those columns must be included in the imported file.

Related Information


Setting up SAP Ariba Supplier RiskTopics about importing supplier-related data in SM Administration C O N F I D E N T I A L 15

How to import supplier data

Importing supplier-related data makes it available for supplier management, risk, and procurement activities.

Prerequisites

You must be a member of the SM ERP Admin, SM Ops Admin, Supplier Risk Manager, or Customer Administrator group to import supplier data in SM Administration.

NoteFor customers who use guided buying, you must belong to both the Supplier/Customer Manager and SM Ops Admin groups.

If you are not importing suppliers for guided buying and your site includes existing SAP Ariba solutions with supplier data, you must first obtain that data before importing it.

The suppliers referenced by supplier data files, such as supplier contacts and supplier factory data, must already exist in the database before you import the files, either as a result of importing suppliers first or because they were created manually in the user interface. The exception to this rule is for supplier qualification data and preferred supplier list data, which offer an option to create the suppliers referenced in the file if they do not already exist. However, if you are importing supplier data in Rozwiązania SAP Ariba Supplier Management , the data in those files is very limited and importing supplier data first is strongly recommended.

Context

You must import all supplier data for suppliers exported from SAP Ariba cloud solutions in CSV files. There is no restriction on file naming. Supplier data import supports the following encoding types for CSV files:

● UTF-8● US ASCII● ISO-8859-1● IUTF-16BE● UTF-16LE● UTF-16

Unless otherwise specified, all supplier data imports add new records and update existing records. For example, if you import supplier data with a new ERP vendor ID, the import operation adds the new supplier record to the database. If you import supplier data with an existing ERP vendor ID and source system, but with a change to some other data such as a different address, the import operation updates the existing supplier record with the new address. If a data file contains an existing record with no changes, the import operation ignores that record.



Procedure

1. From the dashboard, navigate to SM Administration. Available paths depend on the groups to which your user belongs.○ In sites that include SM Administration, members of the SM Ops Administrator, SM ERP Admin, or

Customer Administrator group can select Manage SM Administration .○ Members of the Supplier Risk Manager group can access SM Administration from the SAP Ariba

Supplier Risk dashboard: click the settings icon (), then choose Import data Link to SM admin .2. Click Data import or export.3. On the Import tab, choose the type of data you want to import from the File type dropdown menu. Depending

on your solution, you might or might not use some of these data types:

This data type... Imports...

Suppliers Suppliers from outside SAP Ariba in a CSV file.

Supplier from Sourcing Suppliers exported from SAP Ariba cloud solutions in SupplierOrganizationExport.zip. Only import the SupplierOrganizationExport.zip file using this task. Do not import the CSV files it contains individually.

CautionOnly use this data import task to migrate existing supplier organizations from another SAP Ariba solution. There is important information that you must be aware of about how to migrate suppliers with the correct ERP vendor IDs and address state information before you use this task. If you are:○ Adding suppliers from an existing SAP Ariba solu

tion to SAP Ariba Supplier Risk without SAP Ariba Supplier Lifecycle and Performance or SAP Ariba Supplier Information and Performance Management (new architecture), see the topics on migrating supplier organizations to the unified vendor model in the setup guide.

○ Migrating suppliers and supplier profiles from an existing SAP Ariba solution to SAP Ariba Supplier Lifecycle and Performance or SAP Ariba Supplier Information and Performance Management (new architecture), see Migrating suppliers to the unified vendor model. That guide also contains important information about the order in which to perform various migration steps, including this data import, as well as other migration requirements.

Supplier contacts Supplier contacts in a CSV file.


This data type... Imports...

Supplier qualification data A list of supplier qualifications by commodity and code and region in a CSV file.

Preferred supplier list data A list of preferred suppliers by commodity code and region in a CSV file.

Supplier factory data Information about supplier factories in a CSV file.

Purchasing organization data The purchasing organizations associated with the supplier, including defaults, in a CSV file.

Custom display names Custom labels for registration and qualification statuses in a CSV file.

Primary supplier manager The names of primary internal contacts for suppliers in a CSV file.

User Matrix User assignments to commodities, regions, and supplier management project groups in a CSV file.

Supplier Risk Data Risk data for suppliers in SAP Ariba Supplier Risk.

4. (Optional) For supplier qualification data or preferred supplier list data, check Create supplier if required to add any suppliers in the data that don't already exist to the database.

If you use this option, the preferred of qualified suppliers are created in the database with SM IDs but no names. To display them correctly in the user interface, you must import complete data for them using the Suppliers or Suppliers from sourcing data import option, specifying those SM IDs in the supplier data files. Importing the suppliers first, rather than creating them from the preferred or qualified supplier data, is recommended.

5. Click Choose File and navigate to the file you want to import.6. Choose the encoding that the data file you want to import uses from the Encoding Type dropdown menu.7. Click Import.

Next Steps

Click the Import summary tab to view the status of your data import.

TipIf you are using Microsoft Internet Explorer and you do not see any information in the Status column of the Import Summary tab, you need to adjust the document mode compatibility setting of your browser. To do so, right click anywhere in the browser window and choose Inspect element to display the inspection pane at the bottom of the browser window. Click the Emulation tab, choose 10 from the Document Mode dropdown menu, and close the inspection pane.



Related Information

Supplier data import file format [page 26]Supplier contact data import file format [page 31]Supplier qualification data import file format [page 34]Preferred supplier data import file format [page 38]User matrix (buyer category assignment) data import file format [page 41]Supplier risk data import file format [page 44]Topics about configuring risk exposure [page 52]How to manually migrate supplier organization data [page 19]

Importing suppliers from sourcing (manual supplier migration)If you are adding SAP Ariba Supplier Risk to another SAP Ariba solution package, you migrate your existing suppliers to the SAP Ariba Supplier Risk database using the Suppliers from Sourcing data import task rather than importing them directly.

This manual migration is an initial step that adds existing SAP Ariba suppliers to the supplier database used by SAP Ariba Supplier Risk.

How to manually migrate supplier organization data [page 19]

Options for migrating ERP vendor IDs to the unified vendor model [page 22]

Supplier organization-to-unified-vendor field mappings [page 23]

How to manually migrate supplier organization data

Manually migrating supplier data involves exporting the SupplierOrganizationExport.zip file from Ariba Administrator and importing it into SM Administration.

Prerequisites

To export data from Ariba Administrator, you must be a member of the Customer Administrator group. To import data in SM Administration, you must be a member of the SM Ops Administrator group. SAP Ariba customer support administrators can also perform both tasks.

Understand your options for migrating ERP vendor IDs in your existing supplier data to the unified vendor model [page 22]. Two settings in the SupplierOrganizationExport.zip import operation affect the migration of ERP vendor ID.


Understand your options for migrating CorporateAddress.PostalAddress.State data [page 23]. A setting in the SupplierOrganizationExport.zip affects the migration of supplier address states, regions, or provinces.

Context

The SupplierOrganizationExport.zip file contains two CSV files: SupplierOrganization_Export.csv, which contains supplier data, and SupplierOrganizationOranizationIDPart_Export.csv, which contains organization ID data for suppliers.

SAP Ariba recommends that you divide the supplier organization export into batches to prevent performance problems. For reference, importing 10,000 suppliers in SM Administration takes approximately 45 minutes. Note that the file you import in SM Administration must be named SupplierOrganizationExport.zip.

If you make copies of the exported ZIP file to divide the data into batches, make sure to change each ZIP file name back to SupplierOrganizationExport.zip before importing it in SM Administration. The name of the file you import in SM Administration must be SupplierOrganizationExport.zip, and that ZIP file must contain a file called SupplierOrganization_Export.csv for supplier data and a file called SupplierOrganizationOranizationIDPart_Export.csv for organization ID data. Any change to the names of these files causes the import to fail. If you are using a Mac, zip and unzip these files using a terminal command line, not the folder utility; files zipped using the folder utility do not import successfully.

CautionDo not use Microsoft Excel to open or edit supplier data CSV files. Microsoft Excel treats number data as text and strips out leading 0s, which can cause suppliers to migrate with incorrect ERP vendor IDS, among other serious problems. Use a text editor that does not reformat data, such as Notepad or Notepad ++, to edit supplier data CSV files.

When you break up your supplier data into batches, be aware that you must keep the supplier data and the organization ID mappings for an individual supplier in the same import ZIP file. If a supplier has a valid entry in SupplierOrganization_Export.csv but their organization IDs are not included in the SupplierOrganizationOranizationIDPart_Export.csv file in the same import ZIP file, the supplier is migrated with either the System ID (if you use that option) or an ERP vendor ID generated by Rozwiązania SAP Ariba Supplier Management and beginning with "VDR" rather than the organization ID you plan to migrate. There is no opportunity to correct the ERP vendor ID after migration. On the other hand, any entry in SupplierOrganizationOranizationIDPart_Export.csv with a Parent.SystemID that does not match a SystemID in SupplierOrganization_Export.csv in the same import ZIP file is ignored, since the data in SupplierOrganization_Export.csv is required to migrate the supplier successfully.

Procedure

1. Export supplier organization data by performing the following steps:

a. On the dashboard, choose Manage Administration .

b. Choose Site Manager Data Import/Export .c. Click the Export tab.



d. Perform a search for the data export task Export Supplier Organizations (CSV).e. Click Export.f. On the Specify an adapter source dropdown menu, choose All.g. Click OK.

2. Save the exported SupplierOrganizationExport.zip file to the location of your choice. Do not rename it.

3. Open the ZIP file, then open the CSV files in it, perform the following actions:

○ Delete the first line, which specifies UTF-8 encoding.○ Delete the suppliers you do not want to include in the first migration batch.○ Delete any customer organizations.○ Save your changes and re-zip the files.

4. Import the first batch of supplier organizations into the unified vendor model by performing the following steps:

a. On the dashboard, choose Manage SM Administration .b. Click Data import and export.c. On the File type dropdown menu, choose Suppliers from Sourcing.d. Click Choose File.e. Navigate to SupplierOrganizationExport.zip and select it.f. (Optional) To migrate organization IDs in one or more domains other than sap, psoft, or oracle to ERP

vendor ID, enter the domain names, separated by commas, in the Optional custom domain names field.g. (Optional) To migrate the supplier organizations' SystemIDs to ERP vendor ID if no matching sap, psoft,

oracle, or custom organization ID domain is found, check Consider Object Id as ERP Vendor Id.h. (Optional) If your supplier organization CorporateAddress.PostalAddress.State is longer than 2

characters, to include it in the migration, check Consider state as stateName.i. Click Import.

The Import Summary tab shows the status of your import.5. Repeat these steps to import all of your batches of supplier organizations.

Results

After a successful import, migrated suppliers are active in your site and are visible in search results.

Related Information

Supplier organization-to-unified-vendor field mappings [page 23]


Options for migrating ERP vendor IDs to the unified vendor model

When you migrate supplier organizations to the unified vendor model, you can migrate either their SystemIDs or organization IDs from specific domains to the ERP vendor ID field. Otherwise, Rozwiązania SAP Ariba Supplier Management assigns migrated suppliers an ERP vendor ID with a "VDR" prefix.

ERP vendor ID is a required field for suppliers in the unified vendor model. When you migrate supplier organization data for ERP suppliers to the unified vendor model, it is important to populate the ERP vendor ID field with the value that is also used in your ERP system or systems, since there is currently no way of updating the ERP vendor ID in the unified vendor model after migration. There are several options for migrating ERP vendor IDs to the unified vendor model, depending on where you store those IDs in your supplier organizations and whether you use manual or auto migration tools. Rozwiązania SAP Ariba Supplier Management migrate organization IDs to the unified vendor model as follows:

● Mandatory migration of organization IDs in the sap, oracle, or psoft domain:When you migrate supplier organizations to the new unified vendor model using either manual or auto migration tools, Rozwiązania SAP Ariba Supplier Management always look for organization IDs in the domains sap, oracle, or psoft and migrates their associated values to ERP vendor ID using the following order of prioritization:○ Organization IDs in the sap domain are always migrated to the ERP vendor ID if they are present.○ If there is no organization ID in the sap domain, but there is an organization ID the oracle domain, that ID

is migrated to the ERP vendor ID.○ If there is no organization ID in the sap domain, but there is an organization ID the psoft domain, that ID is

migrated to the ERP vendor ID.○ If there is no organization ID in the sap domain, but there are organization IDs in both the oracle and

psoft domains, the ID in the psoft domain is migrated to the ERP vendor ID.The domain name must be an exact match to the values specified here, including the use of all lowercase letters.

● Optional migration of organization IDs in custom domains: If you use one or more domains other than sap, oracle, or psoft to store ERP vendor IDs, you can specify those domain names as a comma-separated list in the Optional custom domain names field when importing SupplierOrganizationExport.zip. If the import does not encounter an organization ID in the domains sap, oracle, or psoft for a supplier, it migrates the value associated with the first matching custom domain you specify in the Optional custom domain names field as the ERP vendor ID. This option is only available for manual migration; it is not available for auto migration.

● Optional migration of SystemID to ERP vendor ID: You can use theConsider Object Id as ERP Vendor Id data import option to migrate the value in the supplier organization SystemID field to ERP vendor ID. The SystemID field is a field in supplier organization import and export files, including the SupplierOrganizations.zip file you use to migrate your supplier organization data. The SystemID value is also stored as an organization ID value in the buyersystemid domain. This option is only available for manual migration; it is not available for auto migration.If you created supplier organizations for your ERP suppliers via data import and specified ERP vendor IDs in the SystemID field, the Consider Object Id as ERP Vendor Id option allows you to easily migrate them to the unified vendor model. However, note that supplier organizations created manually in the user interface are automatically assigned an SAP Ariba-specific buyersystemid value that begins with ACM. In supplier organizations, this value can be updated manually in the user interface, but cannot be updated automatically via data import. If you use this data import option to migrate ERP vendor IDs, whatever value is associated with the buyersystemid domain will migrate as the supplier's ERP vendor ID.



● Automatic assignment of an Rozwiązania SAP Ariba Supplier Management -generated ERP vendor ID: If a migrating supplier does not have an organization ID in the sap, oracle, or psoft domain, and either it doesn't have an organization ID in one of the custom domains you specified or you did not specify any custom domains, and you did not use the option to migrate the SystemID, Rozwiązania SAP Ariba Supplier Management automatically assign it an ERP vendor ID that begins with "VDR" during migration. This assignment occurs in both manual and auto migration.

Keep this behavior in mind and make sure that the ERP suppliers you plan to migrate have the correct ERP values in the organization ID domain or SystemID field, depending on which migration tools and options you plan to use. For most organization IDs, you can update values either in the user interface or via data import. You can only update values in the buyersystemid domain, which is also the organization's SystemID, in the user interface.

TipBe aware that if you plan to use an existing SAP Ariba integration toolkit or SOAP web services configuration to integrate a limited number of fields in the unified vendor model with your ERP system after migration, only organization IDs in the sap domain are synchronized to the unified vendor model with these integration methods. For updates to existing suppliers via these integration methods, the organization ID value in the sap domain must match the supplier's ERP vendor ID in the unified vendor model for updates to be successful. When creating new suppliers in the unified vendor model via these integration methods, only organization IDs in the sap domain are converted to ERP vendor IDs; if a supplier does not have an organization ID in the sap domain, Rozwiązania SAP Ariba Supplier Management assigns an ERP vendor ID that begins with "VDR.". Keep this requirement in mind when planning your migration and post-migration integration strategies.

Supplier organization-to-unified-vendor field mappings

Migrating supplier organizations automatically moves their data to specific fields in the unified vendor model.

The following table describes which fields in the unified vendor model the data in supplier organizations are added to.

User interface field

SupplierOrganization_Export.csv field Unified vendor model field

Preferred Language PreferredLanguage.UniqueName

vendor.vendorInfoExt.languageCode

Main Email Address CorporateEmailAddress N/A




ID SystemID For manual migration, depending on your settings when importing SupplierOrganizationExport.zip, ERP vendor ID can be populated from an organization ID [page 22] or the SystemID field, or is generated automatically.

For auto migration, ERP vendor ID can be populated from an an organization ID [page 22] field or generated automatically.

Minimum Annual Revenue AnnualRevenueMinimum.Amount N/A

Customer IsCustomer N/A

State of Incorporation StateOfIncorporation N/A

Main Phone CorporatePhone vendor.address.phone

Number of Employees (estimate) NumberOfEmployees N/A

Main Fax CorporateFax vendor.address.fax

Address Name CorporateAddress.UniqueName N/A

N/A AnnualRevenueMinimum.Currency.UniqueName

N/A

City in Corporate Address CorporateAddress.PostalAddress.City

vendor.address.city

Supplier IsSupplier N/A





State/Province/Region in Corporate Address

CorporateAddress.PostalAddress.State

vendor.address.state for data of two characters or less. The vendor.address.state state field has a maximum length of 2 characters.

If the data in CorporateAddress.PostalAddress.State is longer than 2 characters, it is not migrated unless you use manual migration and check the Consider State as State Name option. With this option, CorporateAddress.PostalAddress.State data of up to 6 characters is automatically migrated to vendor.address.stateName.

NoteThe vendor.address.state field shows in supplier profiles in the user interface. The vendor.address.stateName does not.

Maximum Revenue Amount AnnualRevenueMaximum.Amount N/A

Corporate URL CorporateURL vendor.address.url

N/A HasTradingRelationship N/A

Year Founded YearFounded N/A

Country in Corporate Address CorporateAddress.PostalAddress.Country.UniqueName

vendor.address.countryCode

Organization Name Name vendor.vendorInfo.name1

N/A IsManaged N/A

Approved value in Approval Status field IsOrgApproved vendor.vendorInfo.approved with a value of TRUE if IsOrgApproved is 1 or 2 and FALSE otherwise

Type of Organization OrganizationType N/A

N/A HasSyncRelationship N/A




N/A PreferredCurrency.UniqueName

vendor.vendorInfoExt.preferredCurrencyUniqueName

N/A AnnualRevenueMaximum.Currency.UniqueName

N/A

Street in Corporate Address CorporateAddress.PostalAddress.Lines

vendor.address.line1

Postal Code in Corporate Address CorporateAddress.PostalAddress.PostalCode

vendor.address.postalCode

How imported supplier data affects risk corporate enrichmentTo add enriched corporate information to supplier profiles, SAP Ariba Supplier Risk uses specific data about the supplier from the supplier data import file.

To enrich the supplier's profile with country data, the countryCode field of the supplier data import file must contain a valid country code for the supplier. To enrich the supplier's profile with other corporate information, such as number of employees or year founded, the data import for the supplier must include data in the city, state, or countryCode field. If this data is not included, but the supplier does have a valid Dun & Bradstreet ID in the dunsId field, in some cases SAP Ariba Supplier Risk can extrapolate from that ID in order to add enriched corporate information to the supplier's profile.

Supplier data import file formatImporting supplier data creates suppliers in the database.

You use the Suppliers data import task to import suppliers into your site. The task reads from a CSV file that contains the following fields:

Field Description Required? Maximum field length

erpVendorId The ID of the supplier in the integrated ERP system.

Yes 50

(SAP ERP maximum field length is 10)




smVendorId The ID that SAP Ariba assigns to the supplier.

This field includes SM IDs in supplier data exports, and is therefore also included in the supplier data sample file. This field's presence in supplier data imports is not required. It is ignored in imports. SM IDs are always added to suppliers by SAP Ariba.

No

masterVendorId Not currently used. No 255

sourceSystem The system in which the supplier was created; for example, SM for SAP Ariba or SAP for SAP ERP.

Yes 255

name1 The primary name of the supplier.

Yes 125


name2 An alternate name for the supplier.

No 125


name3 A second alternate name for the supplier.

No 125


name4 A third alternate name for the supplier.

No 125


phone The supplier phone number. No 40

fax The supplier fax number. No 40

line1 The first line of the supplier address.

At least one of the following fields is required: line1, line2, line3, city, state, postalCode, or countryCode

255



line2 The second line of the supplier address.


255

line3 The third line of the supplier address.


255

postalCode The postal code of the supplier address.


10

poBox The post office box number of the supplier address.

No 10

city The city of the supplier address.


40

state The state or province of the supplier address.


6




stateName The state of the migrated supplier organization from the organization stateName field.

This field is included in supplier data exports for informational purposes, and is therefore also included in the supplier data sample file. However, it only includes data from migrated supplier organizations if the Suppliers from sourcing data import task uses the Consider State as State Nameoption. For details on this option, see Migrating supplier organizations to the unified vendor model.

This field's presence in supplier data imports is not required. If you re-import a previously exported file, do not edit or delete the values in this column.

No. This field is ignored in supplier data imports.

countryCode The two-character ISO country code of the country for the supplier address.

At least one of the following fields is required: line1, line2, line3, city, state, postalCode, or countryCode.

Either partyTaxID or countryCode is required.

countryCode is required for country enrichment in SAP Ariba Supplier Risk solutons.

3 (minimum is 2)

taxIdentificationNumberTypeCode

A code that identifies the type of the tax identification number.

No 2

partyTaxID The supplier party tax ID. Either partyTaxID or countryCode is required

20

longPartyTaxID The long format of the supplier party tax ID.

No 60



dunsId The supplier Dun & Bradstreet D-U-N-S number.

No 11

active Whether the supplier described by the current row is active (TRUE) or inactive (FALSE). If this field is empty, the row is flagged as active.

No

s4OrgSystemId Used internally only. Migrated suppliers always include an s4OrgSystemId.

This field is included in supplier data exports for informational purposes, and is therefore also included in the supplier data sample file. However, it is only used internally by SAP Ariba. This field's presence in supplier data imports is not required. If you re-import a previously exported file, do not edit or delete the values in this column.

No

Unless otherwise indicated, the minimum length of required fields is 1. In sites integrated with SAP ERP, data sent to SAP ERP is truncated based on the SAP ERP maximum field length.

The following example shows lines of a supplier CSV file, as well as the mandatory header:

erpVendorId,masterVendorId,sourceSystem,name1,name2,name3,name4,phone,fax,line1,line2,line3,postalCode,poBox,city,state,stateName,countryCode,taxIdentificationNumberTypeCode,partyTaxID,longPartyTaxID,dunsId,active,s4OrgSystemId VDR100001,,SAP,ABC Company,,,,555-555-5555,555-555-5556,1234 Main Street,,,12345,,Anytown,CA,,USA,02,AB1234,ABCD12345678910,987654321,TRUE,,

Related Information




Supplier contact data import file formatSupplier contacts are the supplier employees with whom your company interacts, and the primary contact receives questionnaires by default.

To specify multiple contacts for the same supplier, add a unique row for each contact.

You use the Supplier Contacts data import task to add supplier contacts to suppliers. The task reads from a CSV file that contains the following fields:

Field Description Required?

erpVendorId The ID of the supplier in the integrated ERP system.

Yes

supplierName The name of the supplier. Supplier contact data exports include this field for informational purposes, and it is therefore also included in the supplier contact sample data file. This field's presence in supplier contact data imports is not required. In imports, erpVendorId associates a contact with a supplier and supplierName is ignored.

No

sourceSystem The system in which the supplier was created; for example, SM for SAP Ariba or SAP for SAP ERP.

Yes

firstName The first name of the supplier contact. No

middleName The middle name of the supplier contact. No

lastName The last name of the supplier contact. No

countryCode The country code of the supplier contact's land line telephone number. Rozwiązania SAP Ariba Supplier Management automatically insert a plus sign (+) before the country code in user interface display.

No

telephone The supplier contact's land line telephone number.

No



mobileCountryCode The country code of the supplier contact's mobile telephone number. Rozwiązania SAP Ariba Supplier Management automatically insert a plus sign (+) before of the country code in user interface display

No

mobilePhone The supplier contact's mobile telephone number.

No

email The supplier contact's email address, which is the default username for supplier contacts created via data import (the supplier contact can edit their username on Ariba Network). The email address must be unique; two different supplier contacts cannot have the same email address.

Yes

type The type of the supplier contact, which must match one of the types defined for your site.

No

locale The ISO code for the supplier contact's language.

No

title The supplier contact's title. No

categories The commodities for which the supplier contact is responsible.

NoteThis code must match the commodity master data loaded in your Rozwiązania SAP Ariba Strategic Sourcing site.

No

regions The regions for which the supplier contact is responsible.

NoteThis code must match the region master data loaded in your Rozwiązania SAP Ariba Strategic Sourcing site.

No




active A Boolean value that specifies whether the assignment described by the current row is active (TRUE) or deactivated (FALSE). If this field is empty, the row is flagged as active. Deactivated contacts are removed from the supplier.

No

timeZoneID The ID of the timezone where the supplier contact is located. To obtain a list of valid timezone IDs, in the Data import or export area of SM Administration, choose Supplier contacts from the File type dropdown menu, then click Export available time zones.

No

isPrimary A Boolean value that specifies whether or not the supplier contact is the primary contact for the supplier. Valid values are TRUE and FALSE.

If none of a supplier's contacts are designated the primary contact, the first contact for the supplier in the file becomes the primary contact.

If more than one of a supplier's contacts is designated the primary contact, the last contact for the supplier that is designated as primary in the file becomes the primary contact.

Yes

The following example shows lines of a supplier contact CSV file, as well as the mandatory header:

erpVendorId,firstName,middleName,lastName,countryCode,telephone,mobileCountryCode,mobilePhone,email,type,locale,title,categories,region,active,timeZoneID,isPrimary VND123456,Francine,Marie,Peugot,33,555-555-5555,,,[email protected],,fr,,4213,FRA,TRUE,Europe/Paris,TRUE

Defining supplier qualifications for control-based engagement risk assessment projectsControl-based supplier engagement risk assessment projects use the supplier qualifications data to recommend suppliers during supplier selection in the engagement request.

Although qualification data defines qualification status by commodity, region, and department, control-based engagement risk assessment projects only use commodity. If all of the commodities specified in the first step of


the engagement request, the filters questionnaire, match commodities for which the supplier has a qualification status of Qualified, the supplier shows as recommended in the third step of the engagement request, supplier selection. Partial matches do not result in recommendations. Recommended suppliers must still complete all required assessment questionnaires, and engagement risk assessment projects that include them still require reviews for all open controls, but qualified suppliers have typically submitted information to your organization as part of a qualification process, and are therefore likely to be candidates for fast-tracking.

If your site includes SAP Ariba Supplier Lifecycle and Performance, suppliers can attain Qualified status either through data import or through qualification projects. If your site does not include SAP Ariba Supplier Lifecycle and Performance and you want to recommend qualified suppliers to engagement requesters, you must import qualification data in SM Administration.

Supplier qualification data import file format

Supplier qualification data is used to designate the suppliers qualified for specific categories and regions in the guided buying feature for SAP Ariba Buying and Invoicing, and for supplier qualifications that were achieved outside of SAP Ariba Supplier Lifecycle and Performance.

You use the Supplier qualification data data import task to designate qualified suppliers. The task reads from a CSV file that contains the following fields:


sourceSystem For existing SAP Ariba suppliers, if the SupplierOrganizationOrganizationIdPart_Export.csv file contains a Domain and Value entry for the supplier, use the Domain in this field. If not, use SM.

For suppliers imported from outside SAP Ariba, use the sourceSystem specified in Supplier.csv.

Yes for existing suppliers.

For suppliers that do not already exist in the database, if you check the Create supplier if required option during data import, you can leave this field blank. The supplier is added with the default SM source system.

vendorId For existing SAP Ariba suppliers, if the SupplierOrganizationOrganizationIdPart_Export.csv file contains a Domain and Value entry for the supplier, use the Value in this field. If not, use the Parent.SystemID.

For suppliers imported from outside SAP Ariba, use the erpVendorId specified in Supplier.csv.

Yes




category The commodity code ID for which qualifi-cation status applies.


Yes

region The code for the region in which the qualification status applies. This code must match the region master data loaded in your site.

NoteIf your organization uses guided buying, you need to define your regions using ISO 3 country codes, which means that the region code needs to be 3 digits instead of 2. For example, the United States is represented by USA, and Germany is represented by DEU.

TipIf you are a guided buying customer, make sure that users have a matching ship-to country in the user files in Rozwiązania SAP Ariba Procurement .

NoteAt this time, ALL is not a supported region value for guided buying customers.

Yes



businessUnit The department ID for which the qualifi-cation status applies.

NoteThis code must match the department master data loaded in your Rozwiązania SAP Ariba Strategic Sourcing site.

This field is only used if the business unit matrix enhancement feature is enabled in your site. If it is not, leave it blank.

Yes

status The supplier's qualification status. The following are valid status values:

● NotQualified● QualificationStarted● InQualification● PendingQualificationAppr

oval● PendingResubmit● QualificationRestricted● QualificationRejected● Disqualified● Qualified● Expired

If you use display mappings to customize what statuses are called in your site, you must till use these values to import supplier qualification data.

Yes

startDate The date from which the supplier qualifi-cation status is valid for the specified commodity and region, in the format YYYY-MM-DD. This date is for informational purposes only and does not trigger an automatic change of qualification status

No




endDate The date to which the supplier qualifica-tion status is valid for the specified commodity and region, in the format YYYY-MM-DD. This date is for informational purposes only and does not trigger an automatic change of qualification status

No

name1 The name of the supplier. Yes if you use the Create supplier if required option during data import to create suppliers based on the data in this file. Otherwise No.

requalificationEligibleDate The date from which a supplier with a disqualification or expired qualification is eligible for requalification for the specified commodity and region, in the format YYYY-MM-DD. This date is for informational purposes only and does not trigger an automatic change of qualification status.

No

To specify the same supplier as qualified for multiple categories or regions, add a unique row for each combination of category, region, and supplier.

The following example shows lines of a supplier qualification CSV file, as well as the mandatory header:

sourceSystem,vendorId,category,region,businessUnit,status,startDate,endDate,name1,requalificationEligibleDate SAP,VDR1000001,1412,USA,IT,Qualified,2017-02-01,2018-01-31,ABC Company, SAP,VDR1000002,14,USA,HR,Disqualified,2017-02-01,2017-12-31,XYZ Company,2018-01-01

NoteIn sites that include SAP Ariba Supplier Lifecycle and Performance, you can set qualification statuses for a supplier using either qualification data import or qualification and disqualification projects. SAP Ariba Supplier Lifecycle and Performance is designed to maintain qualifications over the long term using projects. Imported qualifications do not have associated qualification or disqualification projects. Keep in mind the following behavior for imported qualifications:

● If a qualification status was set using an approved qualification or disqualification project, you cannot use data import to update it. If a supplier was qualified using a qualification project, you must disqualify them using a disqualification project. If a supplier was disqualified using a disqualification project, you must requalify them using a qualification project. If a supplier was qualified using a qualification project with an expiration date and that qualification has expired, you must requalify them using a qualification project.

● If a qualification status was set using data import, you can use a qualification or disqualification project to update it. In this case, a category or supplier manager can start a disqualification or requalification in the supplier 360° profile. SAP Ariba Supplier Lifecycle and Performance then creates the appropriate qualification or disqualification project based on the imported qualification commodities, regions, and departments. Once that project is created, you continue managing the qualification status using projects..


● The qualification end (expiration) and requalification eligibility dates in qualification data import are for information only and do not trigger updates to qualification status. For example, if you use data import to define qualified status with an end date of 1/31/2019, the qualification status does not change to expired on 2/1/2019. Since there was no underlying qualification project to set the status, you cannot start a project-based requalification for a qualification that you defined using data import and that has since passed the expiration date. The qualification retains the original qualified status unless you update it using another data import.

Preferred supplier data import file formatPreferred supplier data is used to designate preferred suppliers in the guided buying feature for SAP Ariba Buying and SAP Ariba Buying and Invoicing and in SAP Ariba Supplier Risk, and for suppliers that were created outside of SAP Ariba in SAP Ariba Supplier Lifecycle and Performance.

To specify the same supplier as preferred for multiple categories, add a unique row for each combination of category and supplier.

You import data about your list of preferred suppliers using the Preferred Supplier list data file type and a CSV file that contains the following fields:


sourceSystem For existing SAP Ariba suppliers, if the SupplierOrganizationOrganizationIdPart_Export.csv file contains a Domain and Value entry for the supplier, use the Domain in this field. If not, use SM.

For suppliers imported from outside SAP Ariba, use the sourceSystem specified in Supplier.csv.

Yes

vendorId For existing SAP Ariba suppliers, if the SupplierOrganizationOrganizationIdPart_Export.csv file contains a Domain and Value entry for the supplier, use the Value in this field. If not, use the Parent.SystemID.

For suppliers imported from outside SAP Ariba, use the erpVendorId specified in Supplier.csv.

Yes




category The commodity code ID for which the supplier is preferred.


Yes

region The code for the region in which the supplier is preferred. This code must match the region master data loaded in your site.

NoteIf your organization uses guided buying, you need to define your regions using ISO 3 country codes, which means that the region code needs to be 3 digits instead of 2. For example, the United States is represented by USA, and Germany is represented by DEU.

TipIf you are a guided buying customer, make sure that users have a matching ship-to country in the user files in Rozwiązania SAP Ariba Procurement .

NoteAt this time, ALL is not a supported region value for guided buying customers.

Yes



businessUnit The department ID for which the preferred status applies.

NoteThis code must match the department master data loaded in your Rozwiązania SAP Ariba Strategic Sourcing site.

This field is only used if the business unit matrix enhancement feature is enabled in your site. If it is not, leave it blank.

Yes

startDate The date from which the supplier is preferred for the specified commodity and region, in the format YYYY-MM-DD.

No

endDate The date to which the supplier is preferred for the specified commodity and region, in the format YYYY-MM-DD.

No

level The supplier's preferred status level.

This status level must be one of the UniqueName values in the master data used to define preferred supplier levels in your site.

Yes

active A Boolean value that specifies whether the preferred supplier level described by the current row is active (TRUE) or deactivated (FALSE). If this field is empty, the row is flagged as active.

The following example shows one line of a preferred supplier CSV file, as well as the mandatory header:

sourceSystem,vendorId,category,region,startDate,endDate,level,active SM,VDR100001,4212,North America,,,1,TRUE

If your company decides to make a different supplier preferred for that category and region instead, an administrator can make that change by importing a preferred supplier CSV file with the following lines:

sourceSystem,vendorId,category,region,startDate,endDate,level,active SM,VDR100001,4212,North America,,,1,FALSE SM,VDR100002,4212,North America,,,1,TRUE



User matrix (buyer category assignment) data import file formatAssigning users or global user groups to supplier processes involves importing a CSV file that defines user or group assignments to commodities, regions, departments, and project groups.

NoteAssignments to departments are only made in sites with the business unit matrix enhancement feature enabled. If that feature is not enabled in your site, department data in the user matrix data import file is ignored.

For example, you can assign the specific user John Smith to computer equipment in North America for the IT department for the Project Owner project group. The supplier request template adds the Project Owner project group to the approval flow of all supplier requests. When a user at your company submits a supplier request indicating that the supplier provides computer equipment in North America for the IT department, John Smith automatically becomes a member of the Project Owner project group for that request, and therefore becomes an approver for it.

Or you can create a custom global user group called IT Category Managers and add users John Smith, Susan Harris, Don Cortez, and Jane Yang to it. You can then assign the group to computer equipment in North America for the IT department for the Project Owner project group. When a user at your company submits a supplier request indicating that the supplier provides computer equipment in North America for the IT department, the IT Category Managers user group becomes a member of the Project Owner project group for that request, and any user in the IT Category Managers group can approve the request. Assigning a group rather than an individual user is useful because if one user leaves the company, other members of the group are still assigned as approvers. You can add or remove members of user groups at any time.

You can assign either an individual user or a global user group to a combination of commodities, regions, departments and project groups. You can also assign a user to only a region (by specifying the region and using All for commodity and department), or to only a commodity (by specifying the commodity and using All for region and department), or to only a department (by specifying department and using All for commodity and region).

Note● When you assign a user to a commodity or region in one level of the hierarchy, that user is also assigned to

all commodities and regions below it. For example, if you assign John Smith to North America, he is assigned all three countries in North America and to all cities and states in those countries.

● If the current buyer category assignment (user matrix) data in your site does not include an assignment that exactly matches the commodities, regions, and departments in a project, a matching algorithm identifies an assignment further up in the commodity, region, or department hierarchy and uses that assignment instead. See below for a detailed explanation of how this matching works.

● When you assign a user to a project group, that group must also exist in the appropriate template.

You use the User Matrix data import task to specify user assignments to categories and regions. The task reads from a CSV file that contains the following fields:


Field Description

commodityCodeDomain The domain of the commodity code; for example, unspsc.

commodityCode The code for the commodity to which to assign the user or group. This code must match the commodity master data loaded in your SAP Ariba site.

region The region to which to assign the user or group. This code must match the commodity master data loaded in your SAP Ariba site.

businessUnit The department to which to assign the user or group. This code must match the commodity master data loaded in your SAP Ariba site.

userName The username of the user to which you are assigning commodities, regions, departments, and project groups. Use this field only for assignments to individual users. Leave it blank for assignments to global user groups. Rows that contain values in both the userName and groupUniqueName fields cause import errors.

groupUniqueName The unique name of the global system or custom user group to which you are assigning commodities, regions, departments, and project groups.

You can use either SAP Ariba default (SYSTEM) or your own custom (AribaManaged or External) user groups. Group uni

que names are visible in user group data exports from Site

Manager Data Import/Export and in the group descrip

tions you see when clicking a group name in User Manager

Groups in Ariba Administrator.

Use this field only for assignments to global user groups. Leave it blank for assignments to individual users. Rows that contain values in both the userName and groupUniqueName fields cause import errors.

projectGroup The name of the project group to which the user is assigned. Note that this group must exist in the project; the assignment does not automatically create it.

passwordAdapter The user's password adapter, usually PasswordAdapter1.

active A Boolean value that specifies whether the assignment described by the current row is active (TRUE) or deactivated (FALSE). If this field is empty, the row is flagged as active.



The following example shows lines of a user matrix CSV file, as well as the mandatory header:

commodityCodeDomain,commodityCode,region,businessUnit,userName,groupUniqueName,projectGroup,passwordAdapter,activeunspsc,All,North America,Corporate,tjones,,Legal,PasswordAdapter1,TRUEunspsc,4213,All,Corporate,ljenkins,,Project Owner,PasswordAdapter1,TRUEunspsc,All,Los Angeles,Corporate,grooney,,Project Owner,PasswordAdapter1,TRUEunspsc,All,San Diego,grooney,,Project Owner,PasswordAdapter1,TRUEunspsc,All,All,IT,,IT Category Managers,Project Owner,PasswordAdapter1,TRUE

To assign a single user to multiple commodity, region, and department combinations, you must create separate rows, one for each assignment. This example uses two rows to assign the same user, George Rooney, as project owner for all commodities in Los Angeles and San Diego for the Corporate department.

You can use the active field to update assignments by deactivating the currently assigned user and assigning another user in their place. For example, if Terry Jones leaves the company, and you can replace her with George Smith by importing a user matrix CSV file with the following lines:

commodityCodeDomain,commodityCode,region,businessUnit,userName,groupUniqueName,projectGroup,passwordAdapter,activeunspsc,All,North America,HR,tjones,,Legal,PasswordAdapter1,FALSE unspsc,All,North America,HR,gsmith,,Legal,PasswordAdapter1,TRUE

If the current buyer category assignment (user matrix) data in your site does not include an assignment that exactly matches the commodities, regions, and departments in a project, a matching algorithm identifies an assignment further up in the commodity, region, or department hierarchy and uses that assignment instead. The matching algorithm starts with the hierarchy that has the lowest-level value and, if it does not identify an assignment, continues with the hierarchy with the next-lowest value. If all project hierarchy values are at the same level, the matching algorithm prioritizes the commodity hierarchy. For example, say that commodity, region, and department hierarchies include the following values:

Level Commodity Region Department

0 All All All

1 42 EMEA Manufacturing

2 4213 Western Europe Product Manufacturing

3 421324 Germany Logistics

4 42132489 Munich Transportation

If a project has a commodity of 42, a region of Germany, and a department of Product Manufacturing, and there is no buyer category assignment that exactly matches those values, the matching algorithm starts looking for assignments higher up in the region hierarchy, since the region is the lowest-level value. If it does not find any matches up to the highest level of the region hierarchy, it then starts looking for assignments higher up in the department hierarchy, since the department is the second lowest-level value. However, if a project has a commodity of 4213, a region of Western Europe, and a department of Product Manufacturing and there is no exactly matching assignment, the matching algorithm starts looking for assignments higher up the commodity hierarchy, since when all hierarchy values are at the same level, it prioritizes commodity.

When looking for assignments higher up in a hierarchy, the matching algorithm iterates through progressive searches until it finds an assignment. For example, say the user matrix (buyer category assignments) in a site include the following assignments:


User Commodity Region Department

A 421324 All All

B 4213 All All

For a project with a commodity of 42132489, a region of EMEA, and no department set (a department of 0), the matching algorithm starts with those exact values and then, when it does not find a match, performs additional searches progressively higher up the commodity hierarchy in the first iteration:

Search Commodity Region Department Match?

1 42132489 EMEA 0 No

2 42132489, 421324 EMEA 0 No

3 42132489, 421324, 4213

EMEA 0 No

4 42132489, 421324, 4213, 42

EMEA 0 No

5 42132489, 421324, 4213, 42, All

EMEA 0 No

In this case, since the available buyer category assignments all specify a region of All, and the project region is EMEA, the matching algorithm does not find an assignment by looking higher up the commodity hierarchy alone. In the second iteration, it looks higher up the region hierarchy:


1 42132489, 421324, 4213, 42, All

EMEA, All 0 No

In this case, since the available buyer category assignments all specify a department of All, and the project department is 0, the matching algorithm does not find an assignment by looking higher up in the commodity hierarchy and then in the region hierarchy. In a third iteration, it looks higher up the department hierarchy:


1 42132489, 421324, 4213, 42, All

EMEA, All 0, All Yes

Based on these iterations, the matching algorithm identifies User A (the user with the more specific commodity) for the buyer category assignment.

Supplier risk data import file formatThe supplier risk data import file allows you to add risk-related information such as spend and relationship type to your suppliers; import data for custom fields; and import risk exposures from external systems.

Information about the supplier risk data file is also available on the Data Dictionary tab of the supplier risk exposure configuration workbook. You can manage risk data in the workbook and export it to a CSV file for import into your site.



You use the Supplier Risk Data import task to import supplier data. The task reads from a CSV file that includes the following fields:


ERP_VENDOR_ID The ID of the supplier in the integrated ERP system.

Yes 50 (SAP ERP maximum field length is 10)

SOURCE_SYSTEM The system in which the supplier was created; for example, SM for SAP Ariba or SAP for SAP ERP.

Yes 255

RISK_LEVEL A descriptive term that you can use to characterize overall risk. You can use field settings and values in the risk configu-ration workbook to define a set of values such as "Low," "Medium," and "High" to mirror the values used in your data warehouse for risk level data.

No 10

RISK_EXPOSURE A risk exposure modeled outside of SAP Ariba Supplier Risk. This exposure might be licensed from third parties and might be predictive in nature. It is generally a number between 0 and 1 or between 1 and 100.

No 7 (minimum is 2)

REVENUE_IMPACT The estimated overall impact that this supplier has on your revenue, which is also known as Value At Risk, over the calendar span defined in SPEND_PERIOD.

No

REVENUE_IMPACT_DOLLAR

The REVENUE_IMPACT in US dollars.

No 20 (minimum of 2)

SPEND The amount that you have spent with this supplier over the calendar span defined in SPEND_PERIOD.

No 20 (minimum is 2)



SPEND_UOM_CODE An currency code for the currency used for REVENUE_IMPACT and SPEND.

No 10

SPEND_PERIOD The general calendar span to which the SPEND and REVENUE_IMPACT amounts apply; for example, annually, yearly, quarterly, or monthly.

No 50

RELATIONSHIP_TYPE An internal indicator of the nature of your relationship with a supplier. You can use field settings and values in the risk exposure configuration workbook to define a set of values such as Critical, Non-Critical, and Strategic.

No 10

SUPPLIER_RELATIONSHIP_TYPE

An internal indicator of the status of your relationship with a supplier. You can use field settings and values in this workbook to define a set of values such as Validated or Sole Source.

No 10

ONE_TIME_SUPPLIER An indicator of whether or not you intend to purchase from this supplier more than once. Valid values for this field are Y and True. Blank values indicate that the supplier is not a one-time supplier

No

RISK_RATING An internal rating derived from your internal scorecard or from a third party. The value in this field can be letters (A, BB), numbers (1, 2, 3), or a combination (AB1).

No

VENDOR_STATE_DATE The date when the supplier first became your vendor in the format YYYY-MM-DD.

No




FIELD_01 - FIELD_15 A custom field that you can implement in order to map other data to the SAP Ariba Supplier Risk model. Use the field settings and values in the risk exposure configuration workbook to define custom fields.

No 255

Risk control status data import file formatRisk control status data is information about the effectiveness or ineffectiveness of different risk controls for specific suppliers that you have collected in tools or processes outside of SAP Ariba Supplier Risk.

Importing this data allows you to leverage your existing control effectiveness data in control-based engagement risk assessment projects rather than needing to re-assess the effectiveness of those same controls for those same suppliers in SAP Ariba Supplier Risk.

You use the Risk Control Status Data import task in SM Administration to import risk control effectiveness data into your site. The task reads from a CSV file that contains the following fields:

Field Description Required:

CONTROL_ID Specifies the unique identifier for the risk control as defined in the ControlID field of your site's risk control definition master data.

Yes

CONTROL_NAME Specifies the name of the risk control as defined in the ControlName field of your site's risk control definition master data.

Yes

CONTROL_TYPE Specifies the type of the control as defi-ned in the ControlType field of your site's risk control definition master data. Valid values are Vendor, Service, and Engagement.

Yes


Field Description Required:

CATEGORY_UNIQUE_NAME Specifies the commodity categories associated with the control status for the specified supplier. Enter one or more commodity codes, separated by semicolons, in this field. The commodity codes you specify must be the codes used in your site's commodity master data.

Yes for controls of type Service, which always apply to specific combinations of commodity and supplier.

No for controls of type Vendor and Engagement, which apply to a specific supplier or engagement respectively regardless of the commodities involved. For these control types, commodity data in this field is ignored during import and is not saved.

CONTROL_STATUS Specifies the status of the control. Valid values are Effective and Ineffective. They are not case sensitive.

No

SM_VENDOR_ID Specifies the SM ID of the supplier. SAP Ariba automatically generates an SM vendor ID for each supplier in the database.

Yes

EXPIRATION_DATE Specifies the date and time after which the specified status is no longer valid in the format YYYY-MM-DD or "YYYY-MM-DD, HH:MM:SS". For example, 2018-08-24 or "2019-08-24, 05:08:26".

If you specify an expiration date for a control of type Vendor or Service with a status of Effective, the control remains effective until that date. After the expiration date, it requires a new effectiveness review in the next control-based engagement risk assessment project in which it is required.

Expiration dates for controls of type Engagement are ignored, since they require a new control review in every engagement risk assessment project in which they are required.

No

The following example shows lines of a risk control status CSV file, as well as the mandatory header:

CONTROL_ID,CONTROL_NAME,CONTROL_TYPE,CATEGORY_UNIQUE_NAME,CONTROL_STATUS,SM_VENDOR_ID,EXPIRATION_DATE Critical_data,Critical Data Control,Service,43232307,Effective,S234567815,"2020-08-24, 00:00:00"



NoteThe related export of risk control status data only includes effective status data that was previously imported. It does not include any data on risk control effectiveness statuses that control decision makers set manually during control reviews in control-based engagement risk assessment projects.

Risk assessment status data import file formatIf you have risk-related assessments or questionnaires maintained in an external system, uploading header information for these documents allows you to make use of that data in your engagement requests.

Importing this data allows you to reference legacy and other externally-collected risk assessment data from within SAP Ariba Supplier Risk. For example, if you are changing risk assessment tools, you may have unexpired assessments in your legacy tool; rather than asking suppliers to re-respond to new questionnaires on the same topics, you can import the statuses of these assessments.

NoteImported risk assessment status data is used only by engagement requests created specifically for control-based engagement risk assessment projects.

You use the Risk assessment status data import task in SM Administration to import risk assessment data into your site. The task reads from a CSV file that contains the following fields:


ASSESSMENT_NAME This must map to the Title of an already defined Modular Questionnaire.

Yes

ASSESSMENT_TYPE Questionnaire type for the modular questionnaire as defined in the Name field of your site's Questionnaire Type master data.

Yes

VISIBILITY Indicates whether this assessment is Internal or External.

No

ASSESSMENT_STATUS The status of this assessment. Possible values are:

● Denied● Approved

Yes

RISK_SCORE The score for this assessment. Not currently used.

No

TARGET_SCORE Target score for this assessment. Not currently used.

No



EXPIRATION_DATE Date and time after which this assessment status is no longer valid, in format yyyy-MM-dd hh24:mm:ss. For example, "2020-02-05 22:52:26". After the status expiration date, the corresponding modular questionnaire is triggered based on the assessment name and type.

No

NoteIf this is left blank, the assessment remains active indefinitely.

SM_VENDOR_ID Specifies the SM ID of the supplier. Yes

SOURCE Here you can specify the location of the original assessment.

NoteDocument location URL's can be uploaded using this text field. From there, a user can copy a URL and paste it into a browser. For reasons of application security, uploaded URL's cannot be displayed as links.

No

NoteThis column supports up to 2048 bytes; number of characters supported depends on the language and database.

CautionImport tasks do not validate for every error that might exist in the import file.

● Assessment name is validated but there is no validation reconciling other uploaded values with data already configured in the realm. Verify before proceeding that the import file contains valid supplier ID's and assessment types.

● You can also upload risk control status data (see Setting Up SAP Ariba Supplier Risk). There is no validation reconciling data uploaded for risk control status with data uploaded for risk assessment status.

The following example shows lines of a risk assessment status CSV file, as well as the mandatory header:

ASSESSMENT_NAME,ASSESSMENT_TYPE,VISIBILITY,ASSESSMENT_STATUS,RISK_SCORE,TARGET_SCORE,EXPIRATION_DATE,SM_VENDOR_ID,SOURCE Group Data Protection Policy,Evidence,External,Approved,,,,S1530626,http://filesystem/location

NoteThe related export of risk assessment status data includes only the risk assessment status data in the current realm that was previously imported. It does not include status data from supplier responses to modular questionnaires completed as part of control-based engagement risk assessment projects.

Troubleshooting

If your import does not succeed, verify the validity of the data in the import file.



● Make sure your import file includes values in all rows for the fields that are required.● If the result includes the error message Error occurred while importing assessment status data, possible

reasons include::○ Missing or invalid ASSESSMENT_NAME○ Missing SM_VENDOR_ID○ Invalid EXPIRATION_DATE

If you find that the Assessments table for an engagement request does not include an imported assessment status you expected to see there:

● Review the import file and verify that this combination of ASSESSMENT_NAME, ASSESSMENT_TYPE, and SM_VENDOR_ID was included, and that the values in those fields are correct.


Topics about configuring risk exposure

Supplier risk exposure [page 52]

Understanding how risk exposure is calculated [page 53]

Understanding the risk exposure configuration interface [page 54]

How to specify the data sources used in risk exposure calculations [page 56]

How to set category weights and thresholds [page 57]

How to define values and risk exposures for fields [page 59]

How to inactivate risk incidents [page 60]

Supplier risk exposure

SAP Ariba Supplier Risk calculates potential risk scores for each supplier. A supplier's risk exposure is a numerical value from 1.00-100.00 that designates the supplier's level of risk, with 100.00 being the riskiest and 1.00 the least risky. Users who monitor supplier risk take risk exposure into consideration when making decisions about your company's relationships with suppliers. Risk exposure can be based on a number of different factors, including:

● News items about the supplier● Corporate information about the supplier● Geographical data on natural disasters● Compliance information about the supplier, including legal, regulatory, and environmental risks● Risk data associated with the supplier's country profile● Structured risk information based on the supplier's corporate hierarchy● Supplier relationship information such as internal ratings, spend volume, and strategic or preferred supplier

status

NoteRisk incidents (such as questionable adverse media alerts) that have been inactivated are not considered in a supplier's risk exposure. For information about inactivating risk incidents, see How to inactivate risk incidents [page 60].

Related Information

Understanding the risk exposure configuration interface [page 54]



Understanding how risk exposure is calculatedSAP Ariba Supplier Risk calculates risk exposure using two models, the incident model and the supplier model. A supplier's risk exposure is the higher of the two.

The incident model for risk exposure calculation

This model attempts to predict the supplier's risk exposure level based on the number and type of risk incidents that are associated with the supplier.

1. Each incident type is assigned a realm-specific probability equal to the number of times such an incident has occurred in a realm (The US, for example) divided by the total number of incidents that have occurred in the realm in the incident category.For example, if there are 2,000,000 incidents in the Financial category across all business entities monitored by Supplier Risk in the US, and 5,000 of those are bankruptcies, the relative probability assigned to bankruptcies in the US is 5,000/2,000,000, or .0025.

2. Each incident type is assigned an impact multiplier based on the severity of that incident type. For example, incidents that require evacuation are more likely to have an impact on supply chain than incidents that don't, so evaluations are assigned a higher impact multiplier.

3. The product of probability times impact generates a raw exposure value. To extend the bankruptcy example, if the impact multiplier for a bankruptcy were 3 and its probability in the US were .0025, the exposure value for a bankruptcy in the US would be .0075.

4. This raw exposure value is increased by 10% for incidents that are mentioned in more than one media source. For example, a bankruptcy mentioned in 100 media sources is probably more severe, and more likely to affect supply chain, than a bankruptcy mentioned in only 1 media source.

5. This adjusted exposure value is added to a supplier's exposure for each occurrence of that incident type that they have. For example, if a supplier has 3 bankruptcies in different locations in the US, and the exposure value for a bankruptcy is .0075, that supplier’s risk exposure for the Financial category would be increased by 3 x .0075, or .0225.

6. Because this calculation does not guarantee that risk exposures for each risk category are based on the same scale, we normalize each category's risk exposure into a 1-100 scale using linear interpolation. This makes the risk exposure for each category proportional to the risk exposures for all other risk categories.

The supplier model for risk exposure calculation

While the incident model attempts to predict exposure levels, the supplier model describes current risk exposure.

In addition to incident data, we receive contributing data directly from providers. Potential data categories are natural disasters, country risk, corporate data, your custom fields, and other data from licensed providers you may have activated:

Natural disasters Earthquakes, wildfires, hurricanes, etc.

Corporate data UCC filings, suits, liens, judgments, and bankruptcy

Setting up SAP Ariba Supplier RiskTopics about configuring risk exposure C O N F I D E N T I A L 53

Country risk drivers of / threats to national productivity and prosperity, including socio-economic, financial, environmental, an dother factors in 137 economies

These data sources provide data that impacts the following risk domains / risk categories:

Operational Natural disasters

Financial Bankruptcies, UCC filings; payment indicator, financial score, and credit score, if licensed

Environmental and social Country risk score

Regulatory and legal Liens, suits, judgments; sanctions and watchlists if licensed

1. For each contributing factor in a risk domain, the provider furnishes raw data (number of lawsuits, for example, or years since bankruptcy, etc).

2. This raw data is compared to the High, Medium, and Low thresholds to determine the intensitey of risk for that contributing factor, as follows:○ High risk is assigned a value of 5.○ Medium risk is assigned a value of 3.○ Low risk is assigned a value of 1.

3. The customer has assigned an impact value to each factor - perhaps you are more concerned about bankruptcies than lawsuits, for instance. The factors most important to the customer are assigned a customer priority value as follows:○ High priority is assigned a value of 5.○ Medium priority is assigned a value of 3.○ Low priority is assigned a value of 1.

4. For each factor in the risk domain, the risk value is multiplied by the customer priority. For example, if you consider bankruptcy to be of primary importance, and the supplier has a high risk of bankruptcy, this calculation would be 5x5=25.

5. The raw risk exposure value for each risk domain is calculated by multiplying together the scores for each contributing factor in that domain.

6. This will result in a number that is probably not between 1 and 100. Linear interpolation is used to generate a risk exposure value between 1 and 100 for the risk domain.

Understanding the risk exposure configuration interfaceThe risk exposure configuration interface enables you use to configure the risk exposure model to meet your company's policies and thresholds, to define any custom fields you use, and to maintain your supplier and supplier risk data.

Risk exposure configurations are now performed from the Configure risk exposure tab on the Supplier risk administration page. Here, Supplier Risk Manager users can adjust the risk exposure online, save a draft version, and activate the final version to customize risk exposure according to their risk appetite. Supplier risk users can view the current version of the risk exposure configuration.



The risk exposure configuration interface includes the following pages:

● the Configure risk exposure landing page● the configuration editor

The Configure risk exposure landing page

This page displays two tables:

● Risk exposure configuration history lists the different configuration versions you have created.

Column Desription

First column contains Action buttons for each row

Click the Action button in a row to act on the displayed version. Possible actions are○ Edit version

Active A checkmark in this column indicates that this version is the active risk exposure configuration - the values in this version currently affect risk exposure measurements.

Version number The version number.

Name The name of the version. You can use this name as a reminder of what is unique about this version, or how this version differs from previous versions, etc. For example, Added financial settings or Adjusted high settings.

Activated date The date when the version was activated.

Deactivated date The date, if any, when the version was deactivated.

Modified at The date when this version was most recently modified.

Last modified by The name of the person who most recently modified this version.

● Risk exposure configuration draft lists all drafts of the active configuration version.

Column Desription

Select Click the Action button in a row to act on the displayed version. Possible actions are○ Create new draft○ Delete draft○ Edit draft

Version number The version number of the draft.

Name The name of the draft, which matches the name of the active version in the previous list.

Modified at The date when this draft was most recently modified.

Last modified by The name of the person who most recently modified this draft.

The configuration editor

When you choose Create new version, Create new draft, Edit version, or Edit draft from an Actions menu on the landing page, the configuration editor opens, with the following tabs:


● The Data sources tab lets you specify which data sources contribute to risk exposure measurements.● The Category weights tab lets you set the weight of each risk category in the overall risk exposure calculation,

and specify what is considered a Low, Medium, or High exposure for each category.● The Field configurations tab lets you define values and risk exposures for standard and custom fields.● The Incident types tab lists all supported incident types. Incidents are created based on media, and are

contributing factors to all risk domains. This information is provided for reference only; no settings or changes can be made to these values.

● The Audit tab tracks changes made to the version of the configuration currently being viewed. It identifies the user who made each change, and includes the date and time of the change. This information is provided for reference only, and cannot be changed.

The configuration editor contains the following buttons on all tabs:

● Save saves your work.● Cancel exits the editor and returns to the Configure risk exposure landing page without saving your work.● Activate saves your work and makes the current version the active version.

To change the name of the version you are editing, click the pencil icon next to the current name, at the top of the screen.

How to specify the data sources used in risk exposure calculationsThis topic describes how to select the data sources that contribute to risk exposure measurements.

Prerequisites

You must have the Supplier Risk Manager group to select data sources.

Context

Risk score calculations can include data from the following sources:

Source Description

Global disasters Geographical data on natural disasters that can affect suppliers. This data source is enabled by default.

Country risk Risk data associated with the supplier's country. This data source is enabled by default.



Source Description

Incidents News items about suppliers. This data source is enabled by default.

Corporate information Corporate information such as years in business, years in business under the same owner, number of liens or bankruptcy fi-lings, and so on. This data source is enabled by default.

Watch lists and sanctions Third-party checks on regulatory and compliance violations including sanctions and watch-list monitoring, anti-corruption and bribery violations, regulatory and compliance violation reports, and watchlist and sanctions list alerts.

The Data sources tab lists the data sources available for selection. Selected sources contribute to risk exposure measurements, and unselected sources do not. Sources are categorized as follows:

● Default sources are available for all SAP Ariba Supplier Risk customers.● Licensed sources are risk data providers that become available for selection only after you sign a license with

them.

Follow these steps to specify which data sources contribute to risk exposure calculations:

Procedure

1. To enter the configuration editor, navigate to the Configure risk exposure tab on the Supplier risk administration page, then choose Create new version, Create new draft, Edit version, or Edit draft from an Actions menu on the landing page.

2. Click the Data sources tab.3. All default data sources are initially selected. Unselect those you wish to exclude. At least one data source must

remain selected.4. To save your work, click Save.5. Optional. To set this as the active configuration, click Activate.

How to set category weights and thresholdsThis topic describes how to set the relative weights for each risk category in the overal risk exposure measurement, and how to define what risk exposure levels are considered High, Medium, and Low in each category.

Prerequisites

You must have the Supplier Risk Manager group to set category weights and thresholds.


Context

Assigning weights to each risk category allows you to tailor risk score calculations to your company's priorities. For example, a pharmaceutical company might want to weight the Legal & regulatory category more heavily because of the particular ramifications of legal or regulatory issues for suppliers of pharmaceutical components.

On the Category weights tab, the Category weight settings section contains controls that allow you to specify the relative weight each risk category will have in your risk exposure measurements. The weight percentage for each risk category defines how much it contributes to the overall potential risk exposure calculation.

The Risk level settings section allows you to set minimum and maximum threshholds for each risk category. These thresholds determine what risk exposure levels are considered High, Medium, and Low.

Default risk exposure thresholds are:

Low 1.00-29.99

Medium 30.00-69.99

High 70.00-100.00

The Test your settings section allows you to enter risk exposure levels for a hypothetical supplier to see the resulting overall potential risk exposure and risk level that would be assigned to that supplier with those risk exposure levels. You can compare results based on your settings, the SAP Ariba default settings, and the current settings in your site.

Follow these steps to set category weights and thresholds:

Procedure


2. Open the Category weights tab.3. In the Category weight settings section, specify the relative weight of each risk category in one of the

following ways:

○ For each category, adjust the green slider left to reduce the category weight or right to increase the category weight.

○ For each category type a percentage weight in its Contribution to overall exposure (%) field. Total weigth must equal 100%.

NoteIf you want to completely remove a risk category from risk exposure calculations, set its weight to 0, making sure to adjust the weights of the other categories so that they add up to a total of 100%. You must also set the thresholds for the category you want to remove to 0.

The Contribution to overall exposure graph displays the relative weights visually.4. In the Risk level settings section, for each risk category, define what constitutes a Low exposure by entering

the desired exposure in the Low risk less than column. For each risk category, define what constitutes a High exposure by entering the desired exposure in the High risk more than column.



The Risk level distribution graph to the right displays exposure lower than the minimum as Low in blue, exposure between the two thresholds as Medium in yellow, and exposure above the maximum as High in red.

5. Optional. Test your settings in the Test your settings section by entering risk exposure levels for a hypothetical supplier.

6. Click Save to save your work.7. Optional. Click Activate to make this your active configuration.

How to define values and risk exposures for fieldsThis topic explains how to define values and risk exposures for standard and custom fields.

Prerequisites

You must have the Supplier Risk Manager group to edit standard or custom fields.

Context

On the Field configurations tab, you can define values and risk exposures for default and custom fields.

The Standard fields table lists the fields included in the original risk exposure settings provided for a default data source; they use a set of pre-defined values. You can edit the following standard fields:

Field Description

Risk Category The risk category.

Field type The data type of supported values for the field.

Field value The list of permissible values for the field, in a comma separated list. Each value in the list must conform to the type specified in Field type.

Weight Determines the emphasis for each field within the risk calculations for the category.

Threshold order Determines whether greater emphasis should be given to higher or lower risk exposures, based on the thresholds set in the Less than and Greater than fields.

● Riskier to safer means that High exposure levels have more impact, Medium exposure levels have medium impact, and Low exposure levels have low impact in exposure calculations.

● Safer to riskier (the default value) means that Low exposure levels have greater impact, Medium exposure levels have medium impact, and High exposure levels have lower impact in exposure calculations.

Less than Allows you to set the lower threshold. Values below this threshold are considerd Low for risk calculation purposes.

Greater than Allows you to set the upper threshold. Values above this threshold are considered High for risk calculation


Licensed fields available for risk exposure are displayed with default settings. The default settings can be changed by the customer.

Custom fields are not included from a default or licensed source. These fields are added by the customer. You can have up to 15 custom fields.

To configure a custom field, follow these steps:

NoteIf you configure custom fields, you must create a supplier input file. This file includes the suppliers and data elements that you defined in the configuration settings.

Procedure


2. Click the Field configurations tab.3. Click a checkbox in the Custom fields list and enter the custom field name in the Name field. This name can be

up to 25 characters long.

This field name will appear as a contributing factor on the risk exposure tile of the supplier profile under the risk category you assigned.

4. Fill in the remaining columns as per the column descriptions for standard fields, above.5. To save your work, click Save.6. Optional. To set this as the active configuration, click Activate.

How to inactivate risk incidents

Context

Risk incidents that have been submitted for feedback appear on the Adverse media feedback center list. A user with the Supplier Risk Manager role can inactivate or reactivate alerts from this list.

Procedure

1. Navigate to User settings and configuration Adverse media feedback center



2. Check the checkbox for any incident you wish to inactivate.3. Click Inactivate4. Optional. To reactivate incidents, check their checkboxes and click Activate.

Results

● Inactivated incidents are removed from consideration during risk exposure calculation. Incidents older than 6 months already don't count, so inactivating older incidents does not affect the risk exposure calculation.

● These incidents are removed from the Risk Incidents tab within the supplier profile and from other incident lists, but they remain visible in the Adverse media feedback center.


Topics about supplier enrichment

Workflow for UI for admin review of enriched supplier data [page 62]

How to flag suppliers for future enrichment review [page 62]

How to perform manual enrichment reviews [page 63]

How to explicitly trigger the automated enrichment process in SAP Ariba Supplier Risk [page 65]

Workflow for UI for admin review of enriched supplier dataThe end-to-end workflow for UI for admin review of enriched supplier data is a cycle beginning with the automated enrichment process, allowing users with the Supplier Risk Manager group to review supplier enrichment results, to change those results if desired, and to flag suppliers for future enrichment review.

1. SAP Ariba Supplier Risk automatically attempts to enrich suppliers by matching the initial buyer data about that supplier to suppliers in an external reference database, selecting the closest match as the candidate on which risk alerts will be provided.

2. A Supplier Risk Manager user may flag suppliers for enrichment review, in effect creating a queue of suppliers potentially visible to other Supplier Risk Manager users, for later processing. See How to flag suppliers for future enrichment review [page 62].

3. A Supplier Risk Manager user selects a number of suppliers for enrichment review. These might be suppliers previously flagged for review, but they do not have to be. See How to perform manual enrichment reviews [page 63]

4. The Supplier Risk Manager user views a table showing the candidates for each supplier, and decides whether to leave the current result or to specify a different candidate. See How to perform manual enrichment reviews [page 63]

5. When the enrichment process is complete, SAP Ariba Supplier Risk provides alerts for the specified candidates.

How to flag suppliers for future enrichment reviewThese instructions explain how to flag suppliers for enrichment review.



Prerequisites

Users must be in the Supplier Risk Manager group to flag suppliers for future enrichment review.

Context

You can mark suppliers To do for later enrichment review, as follows:

Procedure

1. Log in as a user with membership in the Supplier Risk Manager group, then navigate to the supplier list.2. On the supplier list, choose Enrichment administration from the dropdown to the left of the search field.3. Check the checkbox in the row for each supplier you wish to flag for enrichment review.4. To flag the selected suppliers for enrichment review, click Mark for review.

Results

All flagged suppliers are marked To do in the Selected for enrichment review column, visible to all Supplier Risk Manager users.

How to perform manual enrichment reviews

These instructions explain how to view which candidates, if any, have been selected for one or more selected suppliers based on the enrichment process, and how to modify those selections if desired.

Prerequisites

Users must be in the Supplier Risk Manager group to perform manual enrichment reviews.

Setting up SAP Ariba Supplier RiskTopics about supplier enrichment C O N F I D E N T I A L 63

Context

A user in the Supplier Risk Manager group can review the current enrichment selections and modify them, if desired, as follows:

Procedure

1. Log in as a user with membership in the Supplier Risk Manager group, then navigate to the supplier list.2. On the supplier list, choose Enrichment administration from the dropdown to the left of the search field.3. Check the checkbox in the row for each supplier you wish to review. You may select up to ten rows at a time; to

review more than ten suppliers, you must select them in multiple batches of ten or fewer suppliers.4. To begin reviewing the selected suppliers, click Enrichment administration.

The Enrichment review screen appears, displaying the first selected supplier, with the input record shaded gray and the candidate that was selected by the enrichment process, if any, highlighted in green. Some of the additional candidates are also displayed. You can use the scroll bar to view the rest.

NoteIf the displayed input information is incorrect or incomplete, it cannot be updated in this screen. It must be updated at the point of integration between SAP Ariba Supplier Risk and Rozwiązania SAP Ariba Supplier Management

5. You can either leave the current selection as it is, or you can choose a new candidate by clicking its column header.When deciding between multiple desirable candidates, best practice is as follows:1. Select a candidate that has associated incidents.2. If more than one candidate has incidents, choose the candidate with the highest score.3. If you still have multiple candidates, choose a headquarters location over a branch location.

NoteIt is possible that the input record will have data missing from required fields, and that none of the candidates will be desirable. In this case, you need to update the input record. This should be done at the beginning point of the integration, not as a file load to SAP Ariba Supplier Risk via Rozwiązania SAP Ariba Supplier Management file load.

If you select a new candidate, the new candidate is highlighted in green and the previously-selected candidate loses its hightlighting.

6. When you are satisfied with the candidate selected for the displayed supplier, you can view the next selected supplier by clicking the right-hand arrow near the top right corner of the Enrichment review screen. To return to a previous supplier, click the left-hand arrow.

7. Optional. You can undo your selection for the currently-displayed supplier by clicking Undo.8. Optional. If you decide not to activate your selections, you can dismiss the Enrichment review screen by

clicking Cancel, then click Yes in the Confirm cancel dialog.This dismisses all selections you have made, not just the currently-displayed supplier, and returns you to the supplier listing.



9. When you are satisfied with the candidates selected for all of the suppliers you chose in step 3, activate your selections by clicking Submit, then click Yes in the Confirm submission dialog.This activates your selections for all of the suppliers you chose in step 3.

NoteIn the event the re-enrichment cannot be processed, information will be displayed for the affected suppliers.

How to explicitly trigger the automated enrichment process in SAP Ariba Supplier RiskThese instructions explain how to manually trigger the automated enrichment process for selected suppliers.

Context

You can trigger the automated enrichment process for selected supplier, as follows:

Procedure

1. Log in as a user with membership in the Supplier Risk Manager group, then navigate to the supplier list.2. On the supplier list, choose Enrichment administration from the dropdown to the left of the search field.3. Check the checkbox in the row for each supplier you wish to review. You may select up to ten rows at a time; to

review more than ten suppliers, you must select them in multiple batches of ten or fewer suppliers.4. To run the automated enrichment process on the selected suppiers, click Enable auto enrichment.

Setting up SAP Ariba Supplier RiskTopics about supplier enrichment C O N F I D E N T I A L 65

How to register a third-party provider license

Context

In order to receive data from certain subscription-only providers, you need to set up a license with them independently and then register your license data in SAP Ariba Supplier Risk. Follow these steps to register a third-party provider license.

Procedure

1. Log in as a user with the Supplier risk manager group.

2. To find contact information for the desired provider, navigate to User settings and configuration 3rd party partner options , and in the Available providers area click the provider's View button.

3. Contact the provider you are interested in, and secure the necessary credentials.

NoteDifferent providers require different credentials. The individual provider can furnish the information required.

4. Once you have the necessary credentials, log in again as a user with the Supplier risk manager group.

5. Navigate to User settings and configuration 3rd party partner options , and in the Available providers area click the provider's View button.

6. Click the edit icon or click Request, then enter your credentials.7. To register, click Continue.


How to register a third-party provider license

How to map suppliers and ERP commodity codes for forced labor

To submit a supplier to a forced labor provider, you must first follow these instructions to set up ERP commodity code and supplier-commodity mappings.

Context

Follow these steps to set up ERP commodity code mappings.

Procedure

1. Log in to SAP Ariba Supplier Risk as an administrator user and navigate to Manage Core AdministrationSite Manager Data Import/Export .

2. On the Import tab, find the row for Import ERP Commodity to Commodity Mapping and click the Import button for that row.

3. In the Select Import Operation section, select the radio button for Load if this is the first time you are mapping commodity codes. If this is not the first time you are mapping commodity codes, choose Update Only instead.

4. If you have not already created the ERPCommodityCodeMap.csv file, see "Topics about importing ERP commodity code mappings" in the Common data import and administration guide for details about how to do so. Click Choose file and browse to the ERPCommodityCodeMap.csv file. Click Run. This maps your commodity codes.

5. Prepare a CSV file mapping vendors to each commodity they supply and the country where it is produced. For example, a vendor might supply lead pencils from China, LCD screens from Turkey, and ergonomic office chairs from the United States. Each of these mappings of vendor to commodity to country is a single row in the CSV. The CSV must have the following columns:

○ ERP_VENDOR_ID - the vendor's ERP vendor ID○ SOURCE_SYSTEM - the system from which the supplier was uploaded○ COMMODITY_CODE - the 8-digit commodity code for the commodity. If the code has fewer than 8 digits, the

mapping may fail○ DOMAIN - the commodity code domain. This value is always UNSPSC○ COUNTRY_ISO3 - ISO3-standard country code for the country where the commodity is produced

6. Navigate to User settings and configuration Import data Link to SM Admin7. From the Suppliers dropdown, choose Supplier commodity codes.8. Browse to the commodity mapping CSV you created in step 5 and click Import.

Setting up SAP Ariba Supplier RiskHow to map suppliers and ERP commodity codes for forced labor C O N F I D E N T I A L 67

Results

Once you complete the steps in this topic, after processing is complete within the system, your ERP codes and supplier mappings are live in the system, and you can submit suppliers for risk evaluation by a forced labor provider to which you subscribe.


How to map suppliers and ERP commodity codes for forced labor

How to make an ineligible supplier eligible for monitoring

If a supplier is incorrectly marked ineligible for monitoring, an administrator user can override that designation.

Prerequisites

You must be a member of the Supplier Risk Manager group to make an ineligible supplier eligible for monitoring.

Context

By default, all enriched suppliers are eligible for monitoring; by default unenriched suppliers are ineligible unless they conform to certain rules. For example, a supplier with no external ID, or whose supplier name contains forbidden characters is ineligible for monitoring by default.

To make a supplier that has been marked ineligible for monitoring eligible, follow these steps:

Procedure

1. Navigate to a supplier list that shows the ineligible supplier.2. In the Eligible for monitoring column for the desired supplier, click the red X.3. In the popup, confirm by clicking Yes.

Results

The red X in the supplier's Eligible for monitoring column is replaced with a green check mark, and the supplier is now eligible for monitoring.

Setting up SAP Ariba Supplier RiskHow to make an ineligible supplier eligible for monitoring C O N F I D E N T I A L 69

How to append external IDs to supplier profiles

Before you can submit a supplier to a provider for risk evauation, some providers require that the supplier profile include an external ID.

Prerequisites

● You must be a member of the Risk Manager group to append an external ID to a supplier profile.● You must obtain the external ID to be appended from the provider who requires it.

Context

NoteIf a supplier's existing external ID is incorrect, you can manually edit it. For instructions see How to edit a supplier's external ID [page 72].

To append an external ID to a supplier profile, follow these steps:

Procedure

1. A user with the Risk Manager group navigates to Supplier Risk Administration mport data SM Admin link

2. From the File Type dropdown, choose Risk domain supplier external IDs.3. To see the format of the required file, click Sample file. Based on this sample file, create a CSV import file that

maps each desired external ID to its matching supplier.

ERP Vendor ID Unique identifier for the supplier.

Source System The supplier administration system from which this supplier was imported.

Domain ID The risk domain. The only permissible value is Financial.

Provider name The name of the provider requiring an external ID.

External ID The external ID from the provider to be appended to the supplier profile.

4. To import the file you prepared, click Choose file to import then click Choose file. In the dialog, browse to your file and click Open.


How to append external IDs to supplier profiles

Results

All of the external IDs you included in the import file are now appended to the specified supplier profiles, and those suppliers are now available to submit for risk evaluation. For details, see "How to submit suppliers to a provider for risk evaluation" in Monitoring Supplier Risk.

Setting up SAP Ariba Supplier RiskHow to append external IDs to supplier profiles C O N F I D E N T I A L 71

How to edit a supplier's external ID

If a supplier's external ID is missing or incorrect, that can hinder SAP Ariba Supplier Risk providing third-party licensed data.

Prerequisites

● This task is relevant only to customers who have licensed a third-party provider that requires an external ID.● You must be a member of the Supplier risk manager group to peform this task.

Context

To modify a supplier's external ID, follow these steps:

Procedure

1. Log in to SAP Ariba Supplier Risk as a Supplier risk manager user, then navigate to the supplier profile of the target supplier.

2. Click the pencil icon next to the External ID field.3. Enter the new external ID in the field, then click the green check mark to confirm your modifications.

NoteYou must enter an external ID. It is not possible to leave the External ID field empty.

NoteTo exit without changing the external ID, click the red X.

Results

The new external ID is displayed. The change is recorded in the Supplier history table with the value ExternalID in the Supplier change type column.

Note● If you changed the external ID of a supplier that had previously been submitted for evaluation, at the

prescheduled time based on the initial submission the current data in the profile will be replaced with the



new information. Historical data will not be deleted. Clicking Submit for evaluation will not expedite the process.

● If the supplier had not previously been submitted for evaluation, you must submit the supplier for evaluation at this time. Click Submit for evaluation.

Setting up SAP Ariba Supplier RiskHow to edit a supplier's external ID C O N F I D E N T I A L 73

Topics about setting up engagement risk assessment projects

Control-based engagement risk assessment projects versus legacy engagement risk assessment projects [page 74]

Prerequisites for setting up control-based engagement risk assessments [page 76]

Optional features for control-based engagement risk assessments [page 77]

Workflow for setting up control-based engagement risk assessment projects [page 82]

Restrictions for control-based engagement risk assessment projects [page 85]

Topics about supplier management project template basics [page 86]

Topics about setting up control-based engagement risk assessment projects [page 102]

Topics about setting up modular supplier management questionnaires for control-based engagement risk assessments [page 139]

Topics about setting up issue management projects for engagement risk assessments [page 155]

Topics about setting up other project elements for engagement risk assessment and related projects [page 169]

Setting up legacy risk assessment projects [page 229]

Control-based engagement risk assessment projects versus legacy engagement risk assessment projectsControl-based engagement risk assessment projects based on the Supplier Risk Engagement Template are the next generation of engagement risk assessment functionality in SAP Ariba Supplier Risk and are designed to replace legacy engagement risk assessment projects based on the Engagement Risk Assessment Project Template.

NoteWhile SAP Ariba Supplier Risk will continue to support legacy engagement risk assessment projects based on the Supplier Engagement Risk Assessment Project Template until further notice, customers with subscriptions with order forms dated after the SAP Ariba October 2018 release who want to implement supplier engagement risk assessments must use the new Supplier Risk Engagement Template to implement control-based engagement risk assessments. There is no way to migrate data from legacy projects to control-based projects. Therefore, SAP Ariba strongly recommends that customers who want to use engagement risk assessment functionality and who are currently in the deployment phase adopt control-based risk assessments from the outset. No further innovations are planned for legacy engagement risk assessment projects.



Control-based engagement risk assessment projects include the following important enhancements to legacy engagement risk assessment project functionality:

● A two-part engagement request process that identified the applicable controls for the engagement: Control-based risk assessment projects use an initial business details questionnaire to capture engagement details such as the title, description, and applicable commodities, regions, and departments. The engagement's commodities, regions, and departments drive inclusion of specific questions in the second part of the request, the inherent risk screening questionnaire, and answers to those questions in turn trigger different risk controls.

● Automatic inclusion of engagement-level risk assessments for each applicable control: Each of your organization's risk controls is associated with at least one engagement-level risk assessment questionnaire. Specific answers to control triggers in the engagement request inherent risk questionnaire determine the controls required for the engagement, providing a completely template-driven process for making sure that engagements for specific commodities, regions, and departments, and with specific control triggers, automatically include the necessary control-based assessments. This combination of mechanisms provides a more dynamic and precise way of targeting assessments to specific engagement conditions than the recommendation mechanism in legacy engagement risk assessment projects and never requires you to rely on governance experts having to choose which assessments to send manually.

● Modular engagement-level risk assessments that ensure the timeliness of your information and streamline its collection: You define each engagement-level risk assessment in a separate modular supplier management questionnaire project template with its own approval flow and an optional expiration schedule. Mappings in master data connect these questionnaires to the control-based engagement risk assessment project. The data collected in the modular questionnaire is stored with it. You can choose to use a modular supplier management questionnaire only in engagement risk assessment projects or use it in other supplier management processes. You can also allow users to send it to suppliers as a standalone questionnaire. Regardless of how it is first sent to a supplier, once they fill it out and their answers are approved, those answers show wherever the questionnaire is used, reducing your need to require recipients to fill out repetitive questionnaires and increasing participation. Questionnaire expiration allows you to prompt recipients to update outdated information and, if they don't, triggers new reviews of previously effective controls in subsequent engagement risk assessments.

● Fast-tracking for suppliers with effective controls: Control-based engagement risk assessment projects extend and improve the display of previously filled out assessments in legacy engagement risk assessment projects by highlighting the suppliers who already have effective controls for the current new engagement or who are qualified for the engagement's commodities (and therefore have already undergone some level of vetting) during the engagement request process. Requesters can opt to save time by choosing a fast-tracked supplier for the engagement, or choose a less well-known supplier with a clear understanding of how many other controls still need to be assessed.

● Consistent and automatic user assignments for approvals and other tasks by commodity, region, and department: You can assign either project groups, user groups, or individual users as approvers, reviewers, task owners, and control decision makers. If you assign project groups, you can populate them using buyer category assignments (the user matrix), a feature that allows you to assign individual users to project groups based on the project's commodities, regions, and departments. Buyer category assignments allow you to dynamically add users to other project groups in control-based risk assessment projects to assign task ownership, add users to specific approval or review flows, or make domain experts the decision makers for risk controls in specific projects. Unlike team member rules, which you must defined in each individual project template, buyer category assignments can apply to all control-based risk assessment and modular supplier management projects in your site, allowing you to manage user assignments consistently for all affected projects from a single source of data.

● Option to conduct risk assessments for an engagement without specifying a supplier: You can enable an optional feature that allows requesters to submit engagement requests for control-based engagement risk

Setting up SAP Ariba Supplier RiskTopics about setting up engagement risk assessment projects C O N F I D E N T I A L 75

assessments without selecting a supplier. Depending on your organization's processes and requirements, a stakeholder can select the most appropriate supplier based on the information in the engagement request before assessments are sent or, if your organization wants to use control-based engagement risk assessments that are not specific to any one supplier and you have set up controls with only internal assessments, the engagement risk assessment project can proceed to completion with no supplier selected.

If you were previously using legacy engagement risk assessment projects, when SAP Ariba Customer Support enables the control-based engagement risk assessment project feature in your site, legacy project creation is automatically disabled and the Create Engagement Request menu action points to the engagement request questionnaires defined in the Supplier Risk Engagement Template instead. Data on existing legacy engagement risk assessment projects continues to be available in your site for reference, but there is no way to migrate it to control-based engagement risk assessment projects.

Related Information

About risk controls in SAP Ariba Supplier Risk [page 102]The control-based engagement risk assessment process [page 103]Prerequisites for setting up control-based engagement risk assessments [page 76]Workflow for setting up control-based engagement risk assessment projects [page 82]Restrictions for control-based engagement risk assessment projects [page 85]

Prerequisites for setting up control-based engagement risk assessmentsYour site's control-based engagement risk assessment process requires some important prerequisites involving site configuration and master data import.

Before you set up control-based engagement risk assessment projects and their associated modular supplier management and issue management projects, the following prerequisites must be in place:

● Review the optional features [page 77] that are available with control-based engagement risk assessment projects and decide which features you plan to use in your process.

● Make sure that SAP Ariba Support has:○ Set the parameters Application.ACM.PhaseAutoStart and

Application.ACM.PhaseAutoComplete to Yes in your site.○ Enabled the control-based supplier engagement risk assessment feature.○ (Optional) If you want to use department as well as commodity and region in in buyer category

assignments (the user matrix) [page 41], enabled the business unit supplier management matrix enhancement feature in your site.

○ (Optional) If you want to use the enhanced workflow for sending assessments, enabled that feature in your site.

○ Run the MigrateSRIssuesWorkspacesTask scheduled task to add the issue management project template to your site.



○ Run the MigrateSRNewProjectsTemplatesTask scheduled task to add the control-based engagement risk assessment project template to your site.

○ Run the MigrateSMQuestionnaireWorkspacesTask scheduled task to add modular supplier management project templates to your site.

● In addition to risk-related site master data, you must import commodity, region, and department site master data into your site. For more information about risk-related site master data, see Supplier risk data import. For more information about importing site-wide master data and managing internal users, see the Common data import and administration guide for Rozwiązania SAP Ariba Strategic Sourcing and Supplier Management.

● To successfully complete a control-based engagement risk assessment project with external assessments, the supplier must have a primary supplier contact with an email address to which invitations to fill out assessment questionnaires can be sent. You can import supplier contact data [page 31] for your suppliers.

● Your site must include internal users with the appropriate group membership [page 9] to work with control-based engagement risk assessment projects, modular supplier management projects, and issue management projects. For details on importing internal users as site master data and managing them manually in the Ariba Administrator, see Topics about managing users in the Common Data Import and Administration Guide.

● If you want to allow requesters to submit engagement requests with no supplier selected, enable the Application.SR.AllowOptionalSupplier site configuration parameter in Ariba Administrator under

Customization Manager Parameters . Members of the Customer Administrator group can enable this parameter. For details on managing self-service parameters in your site, see the Common data import and administration guide. If you want to use the enhanced workflow for sending assessments, you must enable this parameter in addition to requesting that SAP Ariba Support enable the enhanced workflow feature in your site.

● If you want to allow authorized users to edit engagement requests for which external assessments have already been sent, enable the Application.SR.Engagement.AllowAdvancedEditCancel site configuration parameter in Ariba Administrator under Customization Manager Parameters . Members of the Customer Administrator group can enable this parameter. For details on managing self-service parameters in your site, see the Common data import and administration guide.

Related Information

Workflow for setting up control-based engagement risk assessment projects [page 82]

Optional features for control-based engagement risk assessmentsSome features for control-based engagement risk assessment projects and associated issue management projects are not enabled by default, or are enabled by default but can be disabled if you do not want to use them.


Feature Description Enablement

Business unit supplier management matrix enhancement feature in your site

This feature allows you to use department as well as the default commodity and region when assigning users to project groups using buyer category assignments (the user matrix).

Contact SAP Ariba Support.

Ability to submit an engagement request with no supplier selected

This feature allows requesters to submit engagement requests with no supplier selected.

Enable the Application.SR.AllowOptionalSupplier site configuration parameter in Ariba Administrator under

Customization ManagerParameters .




Enhanced workflow for sending assessments

By default, control-based engagement risk assessments use the simple workflow for sending assessments. This workflow includes a number of limitations. When the task owner starts the To Do task to send assessment questionnaires, the project does not show which assessments are sent before the task is completed, and there is no way for the task owner to specify assessment recipients. The recipient for an external assessment questionnaire is always the primary contact for the engagement's supplier, and that primary contact must be defined before the send assessments To Do task starts. The recipient for an internal assessment questionnaire is always the default recipient. In an engagement with required external assessments, if the task owner sends assessments when no supplier is selected, or when there is no contact defined for the supplier, there is no way to send those assessments again after correcting the problems and the engagement becomes stuck.

With the advanced workflow for sending assessments, the owner of the send assessments To Do task can:

● Choose which assessments to send in multiple separate rounds.

● Send internal assessments before a supplier is selected for the engagement.

● Select the engagement supplier after sending internal assessments, even though the engagement request is no longer editable.

● Select which supplier contacts and internal recipients can receive individual assessments.

Contact SAP Ariba Support. This feature also requires that you enable the Application.SR.AllowOptionalSupplier site configuration parameter in Ariba Administrator under

Customization ManagerParameters .

Supplemental engagement questionnaires

Supplemental engagement questionnaires are additional survey documents in the engagement risk assessment project template that collect supplemental information about the engagement.

See Setting up supplemental engagement questionnaires [page 134]



ARI-4117: Ability to add engagement risk assessment project owners in the engagement request and on the engagement page

This feature adds menu items to the Action menu on the engagement page so that users with the appropriate permissions can change the explicit engagement project owner and add members to the Project Owner project group from there.

Enable the following self-service site configuration parameters:

● Application.SR.ChangeOwnerAction (to add the Change owner menu item)

● Application.SR.Engagement.ManageProjectTeamAction (to add the Manage project team menu item)

ARI-4942: Check for issues before marking a control as ineffective

This feature adds a check for associated issues every time a control decision maker marks a control as ineffective.

By default, this feature just shows control decision-makers a warning when they mark a control as ineffective and it does not have an associated issue. You can optionally require that a control must have at least one associated issue before a decision maker can mark it as ineffective.

Contact SAP Ariba Support.

To enable the issue requirement for ineffective controls, enable the self-service site configuration parameter Application.SR.Engagement.RequireIssueForIneefectiveControlDecision.

ARI-5556: Ability to edit or cancel engagement request at any time before final project approval

This feature allows editing and canceling of engagement requests in any phase before final project approval. If this is not enabled, engagement requests cannot be edited if assessments have been sent or if the request has been denied.

Enable the self-service site configuration parameter Application.SR.Engagement.AllowAdvancedEditCancel.

Best practice: When enabling this feature, review the Supplier Risk Engagement Project Template and make sure that the initial approval task is defined as a predecessor of the final approval task. Changes made during editing can cause the initial approval task to be reactivated, and this can happen to an engagement request for which the final approval task is already open. Setting this dependency ensures that the initial approval task is completed before the fi-nal approval task.




ARI-5959: Issue assignee team membership

By default, an issue assignee is automatically added to both the Assignee project group (if there is one defined in the project template) and the Project Owner group. This feature adds issue assignees only to the dedicated Assignee project group so that they do not have project owner permissions.

● Add a project group named Assignee, using that exact text, to the issue management project template.

● Enable the Application.SR.IssueManagement.AddAssigneeToAssigneeTeamOnly site configuration parameter in Ariba Administrator

under Customization Manager

Parameters .

ARI-6371: Enhancements to tasks in control-based engagement risk assessment projects

This feature includes the following task enhancements:

● Resubmit option for denied approval tasks on denied engagement requests and engagement risk assessment projects.

● The ability to save a supplemental engagement risk assessment project associated with a To Do task without submitting the questionnaire, keeping the To Do task active.

● Request more information option for approval tasks on supplemental engagement questionnaires.

This feature is enabled by default. To disable it, disable the self-service site configuration parameter Application.SR.Engagement.TaskEnhancementsForERProjects.

ARI-6383: New post-project approval phase for control-based engagement risk assessment projects

This feature introduces a new phase that starts automatically after the final approval of the engagement risk assessment project is complete.

Set up a new Post Project Approval phase [page 130].

ARI-6507: Registered suppliers filter for supplier selection in engagement requests

This feature shows only registered suppliers (suppliers with approved registration projects and a registration status of Registered) during supplier selection in the engagement request and the advanced send assessments workflow.

Enable the self-service site configuration parameter Application.SR.Engagement.ShowRegisteredSuppliersOnly [page 277].

ARI-6785: Role-based editability for issues in control-based engagement risk assessment projects

This feature uses access control settings to restrict who can edit specific sections of the issue form by either project role or membership in specific global user groups that define project permissions. It allows you to define an issue workflow where only the appropriate stakeholders fill out their designated sections of the issue form.

Enable the Application.SR.IssueManagement.UseTeamAccessForReadOnly site configuration parameter in Ariba

Administrator under Customization

Manager Parameters .



ARI-6917: Archiving for completed engagement risk assessment projects (advanced workflow)

The default project archiving workflow is available by default. The optional advanced archiving workflow includes an archiving request, the approval of which starts a workflow defined by the project template. While the workflow is in progress, archiving can be canceled. After archiving is approved, a user with the appropriate permissions archives the engagement project.

Enable the self-service site configuration parameter Application.SR.Engagement.EnableAdvancedArchiveWorkflow. [page 269]

Related Information

Prerequisites for setting up control-based engagement risk assessments [page 76]Workflow for setting up control-based engagement risk assessment projects [page 82]

Workflow for setting up control-based engagement risk assessment projectsThe following workflow describes the high-level steps for setting up control-based supplier engagement risk assessment projects in your site:

1. Make sure that all prerequisites are in place [page 76].2. Understand how various components work together to form the control-based engagement risk assessment

workflow [page 106], plan your risk controls, and plan the control-based engagement risk assessment process you want to implement.

NoteThe control-based engagement risk assessment process is designed to include at least one control with at least one questionnaire for every engagement request. Users can only finish creating an engagement request if it includes at least one control with an associated questionnaire. When planning your process, make sure that every request scenario includes at least one control and questionnaire.

3. Define and import the following data in your site:○ Contact data for your suppliers [page 31]. You cannot send external assessment questionnaires to a

supplier unless there is at least one contact defined for it.○ Modular supplier management questionnaire types. In general, questionnaire type has no direct effect on

control-based engagement risk assessment projects, but you must define at least one type before you can create any modular supplier management questionnaire project templates. You might find it useful to define a number of specific questionnaire types, especially if you also plan to allow users in your site to invite suppliers to fill out these questionnaires independently of control-based engagement risk assessments. If your engagement risk assessment process does not require specifying a supplier and only



uses internal assessments, you must define an SR Engagement Questionnaire Type questionnaire type to support that workflow. For details on this master data, see Supplier risk data import.

○ Engagement attribute mappings. This data includes unique IDs for the control trigger questions to show in the engagement request inherent risk screening questionnaire. You do not need to set up the engagement request inherent risk screening questionnaire before you define the engagement attribute mappings, but you must use the IDs you define in the engagement attribute mappings when you do set it up. For details on this master data, see Supplier risk data import.

○ Risk types. SAP Ariba recommends that you define risk types before you import risk control definition data. For details on this master data, see Supplier risk data import.

○ Risk control definitions. You must define risk controls before you import engagement control mappings. This data includes control decision makers and the IDs of the modular supplier management questionnaire project templates for the assessment questionnaires associated with each control. It also includes the control type, which specifies whether or not a control decision maker must re-review an effective control in other engagements risk assessments for the same supplier. You do not need to set up any of these project templates before you define your risk controls, but you must use these exact names when you do set them up. For details on this master data, see Supplier risk data import.

○ Engagement control mappings. This data includes the unique IDs for the control trigger questions in the engagement request inherent risk questionnaire and the answers that trigger the controls. You do not need to set up the engagement request inherent risk screening questionnaire before you define the engagement attribute mappings, but you must use the IDs and answers you define in the engagement attribute mappings when you do set it up. For details on this master data, see Supplier risk data import.

○ (Optional) Risk classifications. This data defines labels for levels of risk numbered 1-5. If you plan to show engagement inherent risk based on commodities or residual risk based on issue probability and severity, you must define risk classifications for your site. For details on this master data, see Supplier risk data import.

○ (Optional) Risk probabilities, risk severities, and residual risk mappings. Risk probability and severity data includes a unique ID and label for the levels of probability and severity that a user managing an issue management project can assign to the issue. Residual risk mappings assign a risk classification to each combination of severity and probability. If you plan to show engagement residual risk based on issue probability and severity, you must define risk probabilities and severities and residual risk mappings for your site. For details on this master data, see Supplier risk data import.

○ (Optional) Commodity risk classifications. This data maps specific commodity codes to risk classifications so that when a requester selects one or more mapped commodities in an engagement request, the highest mapped risk classification shows as the commodity-based inherent risk for the engagement. The Inherent Risk (Commodity) field only shows on the engagement page if you have imported commodity risk classifications. For details on this master data, see Supplier risk data import.

○ (Optional) User matrix (buyer category assignment) data [page 41]. This data can assign individual users to project groups in both control-based engagement risk assessment projects (for completing tasks and reviewing controls) and to individual modular supplier management questionnaire projects. You do not need to set up any of these project templates before you define buyer category assignments, but you must use the exact project group names in the user matrix data when you do set them up.

○ (Optional) Supplier qualification data [page 33]. This data specifies supplier qualification status for specific combinations of commodity, region, and department. In the supplier selection step of the engagement request, suppliers who are qualified for the engagement's commodities show as recommended in addition to suppliers with matching controls.

○ (Optional) Risk assessment status data [page 49]. This data includes risk assessment status, associated assessment name and supplier, source, and expiration date. This data import allows you to leverage existing assessment status data from a third-party system in control-based engagement risk assessment projects in SAP Ariba Supplier Risk.


○ (Optional) Risk control status data [page 47]. This data includes risk control status, associated supplier, associated commodities, and expiration date. This data import allows you to leverage existing control effectiveness data from a third-party system in control-based engagement risk assessment projects in SAP Ariba Supplier Risk so that you can fast-track suppliers with effective controls right away without needing to re-assess them and re-review controls in SAP Ariba Supplier Risk.

4. Create, set up, and publish modular supplier management questionnaire project templates [page 139] for the assessment questionnaires you plan to use in your control-based engagement risk assessment process. The names you specify for these project templates must match the assessment IDs in your risk control definition master data.

5. Edit and publishes your site's default Supplier Risk Engagement Template [page 111] to:○ Set up the business details questionnaire for the engagement request [page 114].○ Set up the inherent risk screening questionnaire for the engagement request [page 116], including setting

up screening questions that trigger controls and mapping them to the IDs you defined in your engagement attribute and control mapping master data. If you want to rate engagement inherent risk based on the score of the inherent risk screening questionnaire rather than engagement commodities, you can set up scoring [page 117] for it.

○ Modify the team to add project groups as necessary. If you plan to assign project groups as control decision makers, use the exact group names you specified in your risk control definition master data.

○ Add tasks and phases [page 130] to set up your control-based engagement risk assessment workflow, including approval flows for both the engagement request and the overall engagement risk assessment project.

6. Edit and publish your site's default issue management project template [page 157].7. Assign users to the appropriate user groups [page 9] to:

○ Grant them permission to work with control-based engagement risk assessment projects.○ If you are using buyer category assignments (user matrix) that include global user groups, add the users

who are stakeholders for different combinations of commodity, region, and departments to the assigned groups.

8. (Optional) Customize project and task notifications [page 219] for internal stakeholders and assessment invitations for external suppliers.

NoteThe order given here for importing master data in your site and setting up project templates for modular supplier management questionnaires and the Supplier Risk Engagement Template represents one workflow. You can also set up the project templates before importing master data. Typically, both steps include several iterations of your setup as you fine-tune both your data and your projects, and you do both in tandem.

Related Information

Control-based engagement risk assessment projects versus legacy engagement risk assessment projects [page 74]Restrictions for control-based engagement risk assessment projects [page 85]



Restrictions for control-based engagement risk assessment projectsCurrently, control-based engagement risk assessment projects do not include some important functionality. It is important to understand these restrictions when setting up your control-based engagement risk assessment workflow.

Control-based engagement risk assessment projects currently include the following restrictions:

● If your site currently uses legacy supplier engagement risk assessment projects, there is no way to migrate data from them to new control-based engagement risk assessment projects. You must re-create all legacy engagement-level risk assessments as new modular questionnaires and recipients must fill them out again. For this reason, if your site is currently in the process of implementing legacy risk assessment projects, SAP Ariba strongly recommends implementing control-based engagement risk assessment projects instead. If the order form for your SAP Ariba Supplier Risk subscription is dated after the SAP Ariba October 2018 release and you plan to use risk assessment projects, you must use control-based engagement risk assessment projects.

● Scoring is currently not currently supported in the modular supplier management questionnaires that are used as assessment questionnaires in control-based engagement risk assessment projects. You can score the inherent risk assessment questionnaire [page 117] in the engagement request to generate an inherent risk rating for the engagement, and use that inherent risk score to require risk controls and drive conditional approvals.

● The default, simple workflow for sending assessments has some significant restrictions. The enhanced workflow is optional and must be enabled separately in your site. For more information, see Optional features for control-based engagement risk assessments [page 77].

● The internal modular supplier management questionnaires that are used in control-based engagement risk assessment projects are designed to be used only once, in a single engagement risk assessment project. Recipients can only edit the questionnaire once, when filling it out and submitting it for the first time. They cannot update it after the initial submission. This restriction means that:○ If you define an approval task for the questionnaire, and the approver requests additional information, the

recipient cannot respond to the request. Since the approval task only moved back into approval once the recipient submits an update, the task becomes stuck, the questionnaire cannot be approved or denied, the related control review cannot start, and the engagement risk assessment project becomes stuck.

○ SAP Ariba currently recommends that template creators not set expiration schedules for internal questionnaires, since the recipient has no way to update a questionnaire after it expires and the questionnaire therefore remains stuck in Expired status.

For more details on template restrictions, see About modular supplier management questionnaires in control-based engagement risk assessment projects [page 140].

Related Information

Control-based engagement risk assessment projects versus legacy engagement risk assessment projects [page 74]Prerequisites for setting up control-based engagement risk assessments [page 76]Workflow for setting up control-based engagement risk assessment projects [page 82]The control-based engagement risk assessment process [page 103]


Topics about supplier management project template basics

Topics about editing and publishing project templates

How to edit a project template [page 86]

Using the project template Overview tab [page 87]

How to publish project templates [page 88]

How to revert a project template [page 89]

How to edit a project template

If a project template is published and you want to edit it, you must create a new, draft version of the template.

Prerequisites

To create or edit project templates, you must be a member of the global Template Creator group or the template project’s Templates Creator team. To create or edit a modular supplier management questionnaire project template, you must also be a member of the global SM Modular Questionnaire Manager group.

Context

To edit a template, the template status must be Draft. If you have published a template, you must create a new, draft version of the template to edit. When you are done editing a template, you must publish the template to make the changes affect subsequent projects created using the template.

Procedure

1. On the dashboard, click Manage Templates .2. Locate the template you want to edit. Click the template name and select Open.3. Navigate to the Overview tab of the template.

4. In the Properties pane, select Actions Template New Version .



You can modify and add items to the template.

Results

To make the changes available to users creating projects, you must publish the new version of the template.

The following table describes how editing different types of templates affects existing projects created from those templates.

Editing a template of this type... Affects existing projects created from the template in this way...

● Knowledge projects● Sourcing projects (both full

and quick, including events)● Contract requests● Supplier requests (both in

ternal and external)● Supplier qualifications● Supplier disqualifications● Preferred supplier manage

ment category status requests

Editing a template and publishing a new version does not affect any projects created with previous versions of the template. When a user creates a project, the system copies template data as it exists in the current template version. Any subsequent changes to the template have no effect on projects already in existence.

If a user creates a project from a template while you are editing it (you have created a new template version but have not published it), the system uses data from the last published version of the template.

● Contract workspaces Editing a template and publishing a new version does not affect any contract workspaces created with the previous version of the template by default. However, SAP Ariba Contracts has an option for updating a contract workspace created from an updated template when the project owner amends the contract workspace. If your site does not support upgrading template versions in contract workspaces, contact SAP Ariba Customer Support.

● SPM projects● Supplier workspaces

Editing a template and publishing a new version will update all of the projects created with the previous version of the template if you specify that you want to upgrade those projects before you publish the new version of the template.

● Supplier registrations● Modular supplier manage

ment questionnaires

Editing a template and publishing a new version does not affect any projects created with previous version of the template. In sites where the template upgrade feature is enabled, members of the SM Ops Administrator group can perform a separate template upgrade operation to upgrade eligible projects created from previous versions of the template to the current version.

Related Information

Topics about upgrading supplier management projects to the latest template version [page 90]

Using the project template Overview tab

The following table lists the tasks you can perform on a project template from the Overview tab. The available tasks can vary depending on the project type and the state of the template.


To do this... Choose...

View template details Actions Template View Details to view the name, description, version, status, base language, rank, owner, access control, conditions, tasks, and Documents tab.

View the template’s history Actions Template View History to view and search the past actions performed on the template, including the type of action and the user who performed the action.

Edit the template properties attributes

Actions Template Edit Properties to edit the template name, description, owner, process status, rank, access controls, and conditions.

Make the template available to use to create projects

Actions Template Publish .

Revert to the original version of a template

Actions Template Revert .

Export the template to a ZIP file Actions Template Export Template to export various template components to XML files in a ZIP file.

Create a new version of the template Actions Template New Version .

To deactivate a template so new projects cannot be created from it

Actions Template Inactivate . You can later Reactivate the template.

Display all tabs in a project Actions Display Full View . The newly-created template displays in compact view. The view you use when publishing the template determines the initial view users

see in projects created from the template. Choose Actions Display Compact View to return to the compact view.

NoteTemplates for SAP Ariba Sourcing quick projects only use compact view.

How to publish project templates

You must publish a project template to make it available to users who are creating projects.

Prerequisites




Context

When you publish a template, any previous active version of that template changes to archive status. You can create a new version from an archived version [page 89] as a way to recover a previous version as the current draft.

If the template contains team member rules file documents, those files are validated when you attempt to publish the template, and an error message tells you which team member rules files contain errors. You need to fix any validation errors in team member rules files before you can successfully publish a template.

NoteDocuments do not have versions within a particular version of a template. However, if you make changes to a document in a subsequent version of a template, the original version of the document is retained in the previous template version.

Procedure

Choose Actions Publish on the Overview tab.

NoteIf you cannot publish a supplier-related template because of errors in the team member rules file, you publish the file to see exact error messages.

Next Steps

After you have completed work on a template, you can export it to a ZIP file and import it for later use.

How to revert a project template

You can create a new version of a project template from the contents of a previous version.

Prerequisites



Context

You can create a new version of a project template from the contents of a previous version. The new version becomes the most recent version of the template. Creating a new version of an older version reverts the template to a previous version without losing its history.

Procedure

1. Open the project template. If the template state is not Active, go to the Properties area and select ActionsPublish .The template must be in the Active state before you can create a new version.

2. Open the previous version of the template you want to revert to.a. Open the Overview tab and scroll down to the Version History area.

b. Select the version that you want to use to create a new version, then select Action Open .

3. On the Overview tab of the previous template version, go to the Properties area and select Actions New Version .

SAP Ariba copies the contents of the older template version and creates a new version in the Draft state.

4. On the Overview tab of the new template version, go to the Properties area and select Actions Publish .

Results

All projects that were created with previous versions of the template continue to use the version from which they were created. When project owners amend the contract workspace created from the updated template, they can choose to use the updated version or the original version. If your site does not support upgrading template versions in contract workspaces, contact SAP Ariba Customer Support.

Topics about upgrading supplier management projects to the latest template version

About supplier management project template upgrade [page 91]

Which supplier management projects are eligible for template upgrade? [page 92]

How template upgrade affects supplier management projects [page 93]

How to upgrade supplier management projects to the latest template version [page 99]



About supplier management project template upgrade

Template upgrade enables you to automatically update existing projects with any changes you have made to the template from which they were created.

Currently, supplier registration projects and modular supplier management questionnaire projects are the only supplier management projects that support template upgrade. Both of these project types support ongoing updates to questionnaires. With registration projects, questionnaires are open to updates unless the registration is denied or a questionnaire update is currently in approval. With modular supplier management questionnaire projects, you must check the Always open? rule in the template questionnaire survey document to enable updates.

These projects remain open so that respondents can edit and resubmit questionnaires at any time after the initial questionnaire is approved, including updating them to answer additional questions added in a template upgrade. However, even if the project is otherwise closed, template upgrade allows recipients to revise their responses to questionnaires and restarts any approval tasks associated with them on a one-time basis. This one-time upgrade-related update ensures that questionnaire data and approvals are consistent and match your current processes regardless of when a recipient filled out the questionnaire.

Template upgrade is a version-based process, meaning that you upgrade all of the eligible projects on a previous version of the template to the current published version in one upgrade operation, and all of the eligible projects on a different previous version of the template to the current published version in a separate upgrade operation. For supplier registration and external (supplier-facing) modular questionnaire templates, upgrade operations include a notification option that allows you to alert suppliers to changes that affect them. Internal users do not receive notifications of template upgrades.

Safeguards ensure that you cannot upgrade projects with active tasks to prevent them from being disrupted by template changes while they are in progress. For a given previous version of the template, typically some number of projects fewer than the total number created from that version are eligible for upgrade at a given time due to task activity in some of the projects. Therefore, you typically perform an upgrade for a specific version several times over a period of time until you have finally upgraded all of the projects to that version.

Template upgrade always upgrades projects directly to the current published version of the template. It is possible to have some projects in your site that are multiple version behind the current version of the template because they were not eligible for upgrade to previous versions when they were current. For example, if your current version is 6, you might have a project in version 3 that was not eligible for upgrade to version 4 or 5 when they were current, and is only now eligible for upgrade. In this case, the project is upgraded directly from version 3 to version 6.

The template upgrade operation automatically creates new projects and copies the data from the previous projects, which it archives. This mechanism means that:

● The History tab in the advanced view of each upgraded project logs the template upgrade with an entry labeled Upgraded to a new version of template. It does not, however, show specific details about which elements of the project were modified during the upgrade.

● The Version History tab in advanced view project details shows the upgraded project as the original version, and does not show previous versions. Note that to see the advanced view of a supplier management, you must be a project owner or a member of the SM Ops Administrator group.

● Previous versions of questionnaires submitted before upgrade are archived along with the previous version of the project. Supplier registration and modular supplier management questionnaires both support questionnaire version comparison. However, after template upgrade, the version of the questionnaire that was present at upgrade becomes version 1. Users can compare that version with subsequent updates submitted after upgrade, but can no longer use version comparison to see previous older versions from before the upgrade.


NoteIf your site uses Supplier Performance Management (SPM) projects, those projects also support template upgrade, but they use a different upgrade process with different functionality. See the Project Template Guide for details on upgrading SPM projects.

Related Information

Which supplier management projects are eligible for template upgrade? [page 92]How template upgrade affects supplier management projects [page 93]How to upgrade supplier management projects to the latest template version [page 99]

Which supplier management projects are eligible for template upgrade?

In general, a supplier registration or modular supplier management questionnaire project is only eligible for template upgrade if none of its tasks are currently active.

More specifically, a supplier registration or modular supplier management questionnaire project is eligible for upgrade if it meets the following conditions:

● The supplier is not deactivated. Suppliers may be deactivated, which disables the ability for them to receive upgraded templates. All active suppliers will continue to receive template upgrades.

● The project exists. For supplier registration projects, the project exists if the supplier has been invited to register either automatically, manually, or through mass invitation, or if the supplier has been migrated with supplier profile questionnaire data. For modular supplier management questionnaire projects, the project exists if the questionnaire has been sent to a recipient.

● None of the project's tasks has started or all of its tasks have been completed. For projects that allow updates and have tasks in both new and update phases, this means that either none of the tasks in either phase have started; that all of the tasks in the new phase have been completed but none of the tasks in the update phase have started; or that all of the tasks in both phases have been completed.

The following table describes upgrade eligibility by project status:

Upgrade eligibility Registration status Modular questionnaire status

Always eligible for template upgrade ● Invited● In Registration● Registration Denied

● Not Responded● Denied● Expiring● Expired

Never eligible for template upgrade ● Pending Approval● Pending Resubmit

● Pending Submission● Pending Approval



Upgrade eligibility Registration status Modular questionnaire status

Eligible for template upgrade only if an update is not in approval

● Registered ● Approved

Regardless of project status, a project is never eligible for template upgrade if one of its approval tasks is in approval.

Note that denied projects show as eligible for upgrade. However, respondents cannot update their questionnaires as they can for approved projects that are upgraded.

Related Information

About supplier management project template upgrade [page 91]How template upgrade affects supplier management projects [page 93]How to upgrade supplier management projects to the latest template version [page 99]

How template upgrade affects supplier management projects

Template upgrades can affect questionnaires, tasks, phases, teams, conditions, and project attributes in supplier registration and modular supplier management questionnaire projects.

Template upgrade creates a new supplier registration or modular supplier management questionnaire project based on the current published version of the template and copies the data from the previous project to it. This new, upgraded project becomes the only visible version of the project in your site; it is displayed in the relevant area of the supplier's 360° profile and in search results for projects of that type. Links in invitation emails to suppliers automatically point to the new, upgraded project's questionnaires, and suppliers see the new, upgraded questionnaires when filling out or updating them. The previous project is archived but is no longer visible. The new, upgraded project is treated as an updated version of the previous project.

Even if the project template is not configured to allow updates, upgrading registration projects with Registered status or modular supplier management questionnaire projects with Approved status automatically reopens them and restarts their tasks one time so that suppliers and internal users can update their questionnaires due to the upgrade. If the template does not allow updates, any updates made due to the upgrade are processed using the workflow for new registrations or questionnaires. If the template does allow updates, any updates made due to the upgrade are processed using the workflow for registration or questionnaire updates. In both cases, the updates from suppliers and internal users are processed using the tasks defined in the current published version of the template.

Template upgrade updates projects in Denied status. However, in this case, the projects do not reopen, and suppliers and internal users cannot update answers. This behavior preserves the original answers that triggered the denial.

Template upgrade also adds the Keep questionnaire reopened indefinitely setting to projects you upgrade.

Questionnaires in supplier management project template upgrade [page 94]

Tasks in supplier management project template upgrades [page 96]


Phases in supplier management project template upgrades [page 97]

Teams in supplier management project template upgrades [page 98]

Project attributes and project-level conditions in supplier management project template upgrades [page 99]

Related Information

About supplier management project template upgrade [page 91]Which supplier management projects are eligible for template upgrade? [page 92]How to upgrade supplier management projects to the latest template version [page 99]

Questionnaires in supplier management project template upgrade

Supplier management template upgrade can modify questionnaire survey documents and their content.

Supplier registration projects support multiple internal and external (supplier-facing) questionnaires, and template upgrade can add or remove questionnaires from a project in some cases. Modular supplier management project support only one external (supplier-facing) questionnaire.

The following table describes how template upgrade modifies questionnaire survey documents and their content in projects that are eligible for template upgrade:

If you modify this in the template... Template upgrade makes this change in upgraded projects...

Add a new external (supplier-facing) questionnaire survey document to a registration project template

None. Just as a user cannot manually send a supplier additional registration questionnaires after the initial invitation, template upgrade cannot add questionnaires to an existing registration project post-invitation.

Add a new internal questionnaire survey document to a registration project template

Adds the internal questionnaire.

Remove an internal or external questionnaire survey document in a registration project template

Removes the questionnaire. The questionnaire and its answers are retained in the previous, archived versions of those projects.




Adds, removes, or modifies a question or other piece of content in a questionnaire

Adds, removes, or modifies the question or other piece of content in the questionnaire. If the content triggers a visibility or editability condition, the change affects those pieces of content triggered by the condition. For example, if a new question includes a visibility condition, its addition might hide another piece of content that was previously always visible.

NoteIf the new version of the template removes a question that is mapped to a field in the vendor database, the upgrade removes the question from the questionnaire, but any previous answers stored in the mapped database field remain after upgrade.

Adds, removes, or modifies a visibility or editability condition Adds, removes, or modifies the condition.

NotePerforming a template upgrade will not add the Keep questionnaire reopened indefinitely setting to existing projects. The setting will appear in new projects.

For both internal and external (supplier-facing) questionnaires, if a supplier or internal user has not yet opened the questionnaire before the template upgrade, they see the updated questionnaire when they first open it. If they have opened the questionnaire before upgrade and are in the process of filling it out when the upgrade occurs, the questionnaire loads the changes and they fill out the updated questionnaire before submitting it.

If an internal questionnaire is approved before the template upgrade, internal users see the updated questionnaire the next time they open it (for example, to revise their responses). If an external (supplier-facing) questionnaire is approved before the template upgrade, the supplier sees the updated questionnaire the next time they open it and click Revise Response; simply opening the approved questionnaire does not show the updates.

The notify option allows customer administrators to alert suppliers to update external questionnaires after an upgrade. There is no notification for internal questionnaires.

Related Information

Tasks in supplier management project template upgrades [page 96]Phases in supplier management project template upgrades [page 97]Project attributes and project-level conditions in supplier management project template upgrades [page 99]How template upgrade affects supplier management projects [page 93]Which supplier management projects are eligible for template upgrade? [page 92]About supplier management project template upgrade [page 91]How to upgrade supplier management projects to the latest template version [page 99]


Tasks in supplier management project template upgrades

Supplier management project template upgrade can add, remove, or modify tasks in supplier registration and modular supplier management questionnaire projects.

A supplier registration or modular supplier management project is only eligible for template upgrade [page 92] if none of its tasks have started or all of its tasks have been completed.

For eligible projects that use new and update phases, template upgrade only modifies the tasks in the new phase in projects where none of the tasks in the new phase have started yet. Once all of the tasks in the new phase have been completed, template upgrade only modifies tasks in the update phase. It does not modify tasks in the new phase, even if those tasks have been modified in the new version of the template, since that phase is a one-time process and any updates that suppliers or internal users make to the project's questionnaires are handled by the tasks in the update phase.

If the project template does not use new and update phases, project tasks are modified during upgrade and restart after upgrade so that the respondent can make one-time updates.

The following table describes how template upgrade modifies tasks in eligible projects:

If you modify this in the template... In this phase...Template upgrade makes this change in upgraded projects...

Add a new approval or To Do task on a new external (supplier-facing) registration questionnaire survey document.

Applicable only to registration projects, which support multiple questionnaires.

No phase (if your project does not use them), new phase, or update phase

None. Since a new questionnaire cannot be added to an upgraded project, the associated task is not added either.

Add, remove, or modify an approval or To Do task on an existing external (supplier-facing) questionnaire survey document.

New phase Adds, removes, or modifies the task in projects that include that questionnaire and have not yet started the new phase. Makes no change in projects that do not include that questionnaire or that have already completed the new phase.

No phase or update phase Adds, removes or modifies the task in all projects that include that questionnaire. Makes no change in projects that do not include that questionnaire.

Add a new approval or To Do task on a new internal registration questionnaire survey document.

Applicable only to registration projects, which support multiple questionnaires.

New phase Adds the task to projects that have not yet started the new phase. Makes no change in projects that have already completed the new phase.

No phase or update phase Adds the task to all upgraded projects.



If you modify this in the template... In this phase...Template upgrade makes this change in upgraded projects...

Adds, removes, or modifies an approval or To Do task on an existing internal questionnaire survey document.

New phase Adds, removes, or modifies the task in projects that have not yet started the new phase. Makes no change in projects that have already completed the new phase.

No phase or update phase Adds, removes, or modifies the task in all upgraded projects.

Adds, removes, or modifies a To Do task (not associated with a questionnaire) in the template.

New phase Adds, removes, or modifies the task in projects that have not yet started the new phase. Makes no change in projects that have already completed the new phase.

No phase or update phase Adds, removes, or modifies the task in all upgraded projects.

Related Information

Questionnaires in supplier management project template upgrade [page 94]Phases in supplier management project template upgrades [page 97]Project attributes and project-level conditions in supplier management project template upgrades [page 99]About supplier management project template upgrade [page 91]Which supplier management projects are eligible for template upgrade? [page 92]How to upgrade supplier management projects to the latest template version [page 99]

Phases in supplier management project template upgrades

Supplier management project template upgrade can add, remove, or modify phases in supplier registration and modular supplier management questionnaire projects.

If you add new and update phases to a supplier registration or modular supplier management questionnaire project template, during upgrade:

● The phases are added to eligible projects.● Any tasks from the previous version that you moved into the phases in the template are moved to the same

locations in eligible projects if they are included in the update. For example, if you move an approval task for an external (supplier-facing) registration questionnaire to the new registration phase, and that questionnaire was sent to a supplier who has just been invited to a new registration, it is moved to the new registration phase in the upgraded project. However, if the questionnaire was not sent to the supplier, or if the supplier had already completed a new registration, its task is not included in the upgrade at all.


Related Information

Questionnaires in supplier management project template upgrade [page 94]Tasks in supplier management project template upgrades [page 96]Project attributes and project-level conditions in supplier management project template upgrades [page 99]About supplier management project template upgrade [page 91]Which supplier management projects are eligible for template upgrade? [page 92]How to upgrade supplier management projects to the latest template version [page 99]Teams in supplier management project template upgrades [page 98]How template upgrade affects supplier management projects [page 93]

Teams in supplier management project template upgrades

Supplier management project template upgrade can add, remove, or modify project teams in supplier registration and modular supplier management questionnaire projects.

The following table describes how template upgrade modifies teams in supplier registration and modular supplier management questionnaire projects:


Add a new project group Adds the new group.

Add a new project group member or role Adds the new project group member or role.

Remove a project group Removes the group only if they do not have any tasks assigned to them. If a project group has one or more tasks assigned to it in a project, template upgrade does not remove it.

Remove a project group member or role Removes the project group member or role.

Modify a project owner Modifies membership in the Project Owner group, if applicable, in sites that do not use buyer category assignments (team member rules) to assign membership automatically.

Does not modify the explicit project owner, which remains the user who created the project.

Related Information

Questionnaires in supplier management project template upgrade [page 94]Tasks in supplier management project template upgrades [page 96]Phases in supplier management project template upgrades [page 97]Project attributes and project-level conditions in supplier management project template upgrades [page 99]About supplier management project template upgrade [page 91]



Which supplier management projects are eligible for template upgrade? [page 92]How to upgrade supplier management projects to the latest template version [page 99]

Project attributes and project-level conditions in supplier management project template upgrades

Supplier management project template upgrade can add, remove, or modify project attributes and project-level conditions in supplier registration and modular supplier management questionnaire projects.

Template upgrade applies changes to project-level conditions to eligible projects. It adds, removes, or modifies conditions and modifies project content depending on those changes. For example, if you a add project-level condition for legacy suppliers to a supplier registration project template and use it to hide an existing To Do task, upgraded projects for legacy suppliers no longer show that task.

Template upgrade also applies changes to the project attributes defined on the Overview tab of the project template, such as commodity, region, department, and questionnaire type for modular supplier management questionnaire project templates.

Related Information

Questionnaires in supplier management project template upgrade [page 94]Tasks in supplier management project template upgrades [page 96]Phases in supplier management project template upgrades [page 97]Teams in supplier management project template upgrades [page 98]About supplier management project template upgrade [page 91]Which supplier management projects are eligible for template upgrade? [page 92]How template upgrade affects supplier management projects [page 93]How to upgrade supplier management projects to the latest template version [page 99]

How to upgrade supplier management projects to the latest template version

Upgrading eligible supplier registration or modular supplier management questionnaire projects from a previous template version to the currently published version allows you to update them with all of the current template settings.

Prerequisites

To upgrade supplier management projects to the latest template version, you must be a member of the SM Ops Administrator group.


Template upgrade is only available for supplier registration and modular supplier management questionnaire projects. Those projects must be eligible for upgrade [page 92].

Template upgrade for supplier registration projects is available by default. Template upgrade for modular supplier management projects must be enabled in your site.

Context

Template upgrade of registration and external (supplier-facing) modular questionnaire projects includes an option that allows you to notify the primary supplier contact for each supplier with a project included in that upgrade to let them know about changes that might need their attention. If you use the notification option, you can insert a specific message into these notifications to provide details that the supplier might need to know about the upgrade.

For supplier registration projects, which support multiple external and internal questionnaires, if the previous version of the template included more than one external (supplier-facing) questionnaire, the upgrade sends a separate notification for each questionnaire sent to the supplier. The notification references the questionnaire name, but otherwise uses the same text for all of the external questionnaires included in the upgrade.

TipFor registration project template upgrades, since the upgrade generates notifications for all of the registration project's questionnaires, regardless of whether not they are affected by the upgrade, it's a good idea to reference questionnaire names in your message when providing details about specific changes to specific questionnaires.

Before starting the upgrade operation, you choose the type and title of the template whose projects you want to upgrade. You only have one supplier registration project template in your site, so when you choose the registration template for the upgrade, there is only one title option and it is the default selection. However, you can have multiple modular supplier management questionnaire project templates in your site, and you must specify the title of the template to see the projects that are eligible for upgrade.

Procedure

1. On the dashboard, choose Manage SM Administration .2. In the left-hand navigation pane, click Template upgrade.3. On the Project template dropdown menu, choose the type of the template for the upgrade.4. If you chose Modular questionnaire as the template type, on the Template title dropdown menu, choose the

name of the modular questionnaire template for the upgrade.5. Click Find projects

The Start upgrade tab displays a table with a row for each previous template version that is in use by at least one project. Each row shows the total number of projects in the site that are still using that template version and the number of those projects that are currently eligible for upgrade.

6. Locate the template version that you want to upgrade to the currently published version.



7. (Optional) To notify primary supplier contacts that there are changes to their projects' questionnaires that require their attention, check Notify.

8. Click Upgrade.9. If you checked the Notify option, enter a message to insert into the notification to supplier contacts informing

them of template changes that affect them.10. Click OK to confirm the upgrade.11. Click the Upgrade status tab to monitor the progress of the upgrade and download status summary

information. The status summary includes the SM vendor IDs of the suppliers associated with the upgraded projects.

Results

All of the eligible supplier projects using that version of the template are upgraded to the currently published version. See How template upgrade affects supplier management projects [page 93] for details on how upgrades modify project questionnaires, tasks, phases, teams, and conditions.

The upgrade might result in respondents revising responses to previously submitted or approved questionnaires.

In projects that do not allow updates, respondents suppliers normally cannot revise previously submitted questionnaires. However, if the template upgrade modifies the content of a questionnaire in an approved project, the upgrade operation reopens the questionnaire so that the respondent can revise their responses and resubmit them, and restarts the associated tasks once the revisions are submitted, for a one-time update.

In projects that do allow updates, respondents can update questionnaires at any time as long as any previous updates are fully approved. The update process is defined in the project template's update phase.

Denied projects are also upgraded, but their primary supplier contacts are not included in any notifications and respondents cannot update their questionnaires.

Next Steps

As other projects using the same previous version of the template become eligible for upgrade, usually by being finally approved or denied, you can repeat these steps to upgrade them to the current version of the template until all projects on that previous version are upgraded.

Related Information

About supplier management project template upgrade [page 91]Which supplier management projects are eligible for template upgrade? [page 92]How template upgrade affects supplier management projects [page 93]


Topics about setting up control-based engagement risk assessment projects

About risk controls in SAP Ariba Supplier Risk [page 102]

The control-based engagement risk assessment process [page 103]

Understanding the components of the control-based risk assessment process [page 106]

About the supplier risk engagement project template for control-based engagement risk assessment projects [page 111]

Restrictions, requirements, and helpful hints for setting up the supplier risk engagement project template for control-based engagement risk assessments [page 112]

Setting up the business details questionnaire in the engagement request [page 114]

Setting up the inherent risk screening questionnaire in the engagement request [page 116]

Topics about setting up inherent risk ratings for control-based engagement risk assessment projects [page 117]

Setting up phases and tasks for control-based engagement risk assessment projects [page 130]

Setting up supplemental engagement questionnaires [page 134]

Supplier field mappings for control-based supplier engagement risk assessment projects [page 136]

About risk controls in SAP Ariba Supplier Risk

Risk controls define the standards and methods your organization uses to control risk. In SAP Ariba Supplier Risk, risk controls determine important parts of the process that your organization uses to assess the manageability or acceptability of the risk of engaging with different suppliers and third parties.

The commodities, regions, and departments involved in an engagement help determine its applicable controls. Depending on your organization's setup, the engagement's materiality, criticality, and potential for outsourcing might also play a part in determining its applicable controls. Controls can be relatively general (for example, a control for IT engagements in all regions for all departments) or specific (for example, a control for critical IT engagements in Germany that involve the IT department and require physical access to a data center). In control-based engagement risk assessment projects, controls include several important components that drive the risk assessment process:

● Required assessments: Controls always include at least one questionnaire that is designed to assess whether or not the potential risk is manageable or acceptable. One control can include multiple questionnaires; conversely, multiple controls can use one questionnaire. For example, your organization might have different controls for HR services in different regions. Each control might include the same general questionnaire to assess adherence to your general HR standards and practices, and different questionnaires for each region to assess compliance with local regulations.

● Control effectiveness reviews: Controls require review by a designated decision maker. During the review, the decision maker reviews the answers to the associated assessment questionnaires and decides whether or not the control is effective for the current engagement. Decision makers are assigned to specific controls and have the domain expertise necessary to render these judgments.



● Requirements for new control reviews based on control types: Each control has a type that determines how frequently, and in what circumstances, it requires review in a specific engagement risk assessment project where a specific supplier is selected. These types allow your organization to maintain strict controls for some kinds of engagements and looser controls for others, and to fast-track suppliers that already have one or more effective controls in new engagements with similar characteristics. The three types of controls are:○ Vendor-level: a control that applies generally to a supplier. If a decision maker marks a vendor control as

effective for a supplier, it continues to be effective for that supplier in subsequent engagement risk assessment projects without additional review. A decision maker only needs to re-review a vendor control for the same supplier if it was previously marked effective but one of its underlying questionnaires is expiring or has expired.

○ Engagement-level: a control that applies to a specific, individual engagement. A decision maker always reviews an engagement-level control in every engagement risk assessment project.

○ Service-level: a control that applies to a supplier for specific commodities or services. Decision makers mark a service-level control as effective or ineffective for each individual service in the engagement. If a decision maker marks control as effective for a service, it continues to be effective in subsequent engagement risk assessment projects for the same supplier without additional review. A decision maker needs to re-review a service-level control for the same supplier-service combination either if it was previously marked effective but one of its underlying questionnaires is expiring or expired or if the current engagement risk assessment project includes at least one different service to which the control applies. In the latter case, the decision maker only reviews the new services. For example, if a control applies to services A, B, and C, and decision maker marked it as effective for services A and B in a previous engagement, and there is a new engagement risk assessment project for the same supplier with services B and C, the decision maker reviews C for the new engagement.

Multiple active engagement risk assessment projects can require the same control, and decision makers can review a shared control in any engagement where it is pending. The other projects that share the control then update to show the resulting effective or ineffective status.If your site is set up to support engagement risk assessment projects with no supplier selected, all applicable controls require a new review in each engagement risk assessment project that does not specify a supplier regardless of the control type.

Related Information


The control-based engagement risk assessment process

Control-based engagement risk assessment projects provide a process for evaluating the risk or desirability of engaging with a supplier or other third-party and establishing the potential risk of that engagement using your organization's standard risk controls. Your organization can then determine whether to undertake the engagement, and if so, what degree of monitoring might be necessary.

Some engagements might not need a risk assessment. Others, such as consulting engagements that involve access to confidential information or company networks or facilities, or outsourcing engagements that involve goods and services that are critical to your organization's operations, might require stringent risk assessments.


A control-based engagement risk assessment project involves five required stages and can involve six to seven stages

1. Requesting the engagement and identifying the applicable risk controls: A user in your company who wants to engage with a supplier or other third party creates an engagement request. The engagement request includes the following four steps:1. Business Details, where the requester fills out a business details questionnaire to provide basic

information such as the request title and the commodities, regions, and departments involved. The business details questionnaire might also include questions about the criticality, materiality, or outsourcing impact of the engagement.

2. Inherent Risk Screening, where the requester fills out a screening questionnaire that determines which risk controls and assessment questionnaires are required for assessing the engagement's risk. The answers to questions in the business details questionnaire determine some of the questions included in the inherent risk screening, and the answers to those conditional questions in the inherent risk screening determine the required risk controls.

3. Select supplier, where the requester sees any active suppliers who already have matching controls for the engagement and selects the engagement supplier. This step recommends active suppliers that have matching controls for all of the engagement's required controls or that are qualified for all of the engagement's commodities, and shows active suppliers that have at least 1 matching control. The control information includes the number of matching controls that are pending review in other, earlier control-based engagement risk assessments; that are effective for the current engagement request; and that have previously been marked ineffective and require a new review. The requester can select the supplier with the largest number of effective controls to fast-track the process of risk assessment for the current engagement, select a supplier with at least some effective or pending controls knowing that they are already partially assessed; or search for and select a supplier with no effective or pending controls with the understanding that new reviews for all matching controls might take more time.In sites where requesters can submit an engagement request with no supplier selected, this step is optional. In that case, depending on your organization's risk assessment process, you or someone else in your organization might edit the engagement request at a later point to add a supplier, the person responsible for sending assessment questionnaires might select the supplier before sending external assessments, or the engagement risk assessment project might proceed to completion with no supplier selected, using only internal assessment questionnaires.

4. Review request, where the requester reviews the information they have provided before submitting the request for approval.

Approvers review the submitted engagement request and approve or deny it.2. Starting the evidence and control process: The responsible user sends the detailed assessment

questionnaires for all of the engagement's open controls to recipients. Open controls are controls that have not been marked effective before for the supplier, whether because the supplier has not yet been assessed for them or because one or more of the control's assessments is expiring or expired, or that have not been assessed for this particular engagement. If there is no supplier selected for the engagement, all controls are open.If your site uses the simple workflow for sending assessments, the responsible user sends all of the engagement's assessments at one time. If your site uses the advanced workflow for sending assessments, the responsible user might send different assessments in different rounds over a period of time.

3. Collecting evidence: Assessment recipients are notified that they need to fill out their risk assessments. Depending on how the assessment questionnaires are set up, approvers might approve or deny individual questionnaires in this stage.

4. Reviewing risk control effectiveness: Control decision makers review the answers to submitted risk assessment questionnaires and mark associated controls as effective or ineffective.



5. Approving or denying the engagement: Approvers review the overall engagement risk assessment project, including the effectiveness of its controls, and approve or deny the engagement.

6. Post-project approval tasks: Task owners complete additional tasks, which may include completing supplemental engagement questionnaires, to track post-approval activity, monitor the engagement, or perform activities associated with the execution of the engagement. This phase is not required and is only included if your organization has added it to the engagement risk assessment workflow.

7. Archiving the engagement project: Users with the appropriate permissions archive the engagement project so that no further actions can be taken on it. Depending on how your site is set up, archiving can be a single action (simple workflow) or can involve a workflow with approvals (advanced workflow).

Depending on how your organization's engagement risk assessment process is set up, some of these stages may also include supplemental engagement questionnaires. These questionnaires are not the same as assessment questionnaires and are not sent at the same time. Instead, task owners fill them out either as part of the engagement risk assessment workflow or at any time before the engagement is completed, depending on how they are set up. Supplemental engagement questionnaires typically gather information that is not directly associated with control reviews. For example, they may track compliance, report on or monitor aspects of the engagement, or confirm that someone has performed a required task outside of the engagement risk assessment project.

At any time between when the request is submitted and the engagement is completed or canceled, the requester and governance experts can create issues to highlight potential problems or concerns with the engagement as a whole, and control decision makers can raise issues with specific controls. Various stakeholders then complete tasks and add comments to track and resolve those issues.

In solutions that include SAP Ariba Sourcing or SAP Ariba Contracts, a sourcing or contract project can be made a follow-on project from the engagement risk assessment, linking the projects together.

Your site's control-based risk assessment project template defines:

● The content in the engagement request business details and inherent risk screening questionnaires, including which inherent risk screening questions trigger specific controls and whether the inherent risk screening questionnaire generates an inherent risk rating.

● Who is responsible for sending control-based risk assessments.● Who is responsible for approving the engagement request and approving the overall engagement.● Whether or not there are other tasks in the workflow, such as To Do tasks related to business details or review

tasks, and who is responsible for completing them.● Whether or not the engagement includes supplemental questionnaires and whether or not those

questionnaires require approval.● The process for archiving engagement projects in sites that use the advanced archiving workflow.

Each engagement-level risk assessment questionnaire also has its own project template, which defines:

● Whether the questionnaire is internal or external and, for internal questionnaires, its recipients.● The content of the questionnaire.● Whether or not the questionnaire can expire and, if so, its expiration schedule.● Whether or not the questionnaire has its own approval flow and if so, who is responsible for approving it.● Whether or not updates to the questionnaire also require approvals.


Understanding the components of the control-based risk assessment process

Control-based risk assessment projects combine a project template that has some specialized functionality with other components such as site master data to create a workflow. To set up a control-based engagement risk assessment process, you must understand these components and their relationships to one another.

The overall control-based engagement risk assessment workflow is defined by the Supplier Risk Engagement Template. Control-based engagement risk assessment projects created from the Supplier Risk Engagement Template include the following components:

● The Supplier Risk Engagement Template, which defines the content of the engagement request, any supplemental engagement questionnaires, and the overall workflow and approval processes for the control-based engagement risk assessment process.

● CSV data files that define data for:○ Engagement attribute mappings between the engagement's commodities, regions, and departments and

the questions in the request inherent screening questionnaire that are designed to trigger specific risk controls.

○ Engagement control mappings between specific answers to those control trigger questions and the controls themselves.

○ Risk control definitions that specify the required assessment questionnaires, decision makers, and owners of each risk control.

○ Risk types that defines categories of risk for your organization.● Modular supplier management questionnaire project templates [page 139], which define the individual risk

assessment questionnaires used in the control-based risk assessment project. These assessments exists as separate projects, but control-based risk assessment projects created from the Supplier Risk Engagement Template link to them through the combination of engagement attribute mappings, engagement control mappings, and risk control definitions. Modular supplier management project templates also require a CSV file to define their questionnaire types.

● Buyer category assignments (the user matrix) [page 194], which you can use to dynamically add users to different project groups in both the Supplier Risk Engagement Template and individual modular supplier management project templates.Specialized, automatic tasks for evidence collection and control review, which have the task type External. You do not create evidence collection and control review tasks in the Supplier Risk Engagement Template. Control-based risk assessments generate them and assign them to users automatically.

For details on the CSV files used for these components, see Supplier risk data import.

These components interact in specific ways in each of the phases of the control-based risk assessment process:

● Request Approval [page 107] (required)● Trigger Evidence and Control Process [page 108] (required)● Evidence Collection [page 108] (required)● Risk Control Effectiveness Review [page 109] (required)● Project Approval [page 109] (required)● Post Project Approval [page 110] (optional)● Project Archiving [page 110] (required for the advanced archiving workflow)



Components of the engagement request (the Request Approval phase)

In this phase, a requester fills out and submits an engagement request, which creates a control-based engagement risk project with commodity, region, and department attributes defined by the commodity, region, and department answers in the business details questionnaire in the engagement request.

In this stage of the process, the Supplier Risk Engagement Template defines:

● The business details questionnaire, which must include mapped questions for commodity, region, and department. The answers to these questions set the commodity, region, and department attributes for the control-based risk assessment project. Buyer category assignments (the user matrix) use those project commodity, region, and department attributes to add users to control-based engagement risk assessment project teams. These answers also determine some of the content of the engagement request inherent screening questionnaire.

● The engagement request inherent screening questionnaire, which must include questions with defined IDs that trigger controls, and can optionally include scoring.

● The approval task for the request and any other tasks you want to include in the Request Approval phase.● Any project groups you want to use to construct the request approval flow, any review flows, and any To Do task

ownership in the Request Approval phase.● Any project-level conditions you want to use to construct the approval flow, create visibility conditions in the

inherent risk screening questionnaire, or perform other actions at this stage.● Any supplemental engagement questionnaires [page 134] included in the phase, their required To Do tasks,

and optional approval tasks.

Engagement attribute mapping master data maps between the commodities, regions, and departments specified in the business details questionnaire and inherent risk screening questions in the engagement request. The inherent risk screening questionnaire only shows an inherent risk question if it is mapped to the commodities, regions, and departments specified in the business details questionnaire; otherwise, it is hidden.

Engagement control mapping master data maps between the answers to inherent risk screening questions and risk controls. A risk control is required if an inherent risk screening questionnaire and its answer match the mapped control.

Risk control definition master data specifies fundamental and important characteristics for your risk controls, including control owners and decision makers, how frequently a control requires review if there is a supplier selected for the engagement risk assessment, and whether or not it is required by regulators. It also specifies the modular supplier management project templates that define the assessments for each control, and therefore the information that control decision makers use to review control effectiveness. Each risk control has a risk type defined by risk type master data.

The combination of engagement attribute mapping, engagement control mapping, and risk control definition data defines the controls that are applicable to the engagement and their associated assessment questionnaires. For details on this master data, see Supplier risk data import.

Buyer category assignment (user matrix) data [page 194] can populate the project groups in the request approval flow with users based on the commodities, regions, and departments specified in the business details questionnaire in the engagement request, and can populate To Do task owner groups for tasks in this phase as well.


Components of the Trigger Evidence and Control Process phase

In this phase, a user sends the engagement-level assessment questionnaires required by the engagement's controls to recipients.


● The To Do task for sending assessment questionnaires.● Any other tasks you want to include in the Trigger Evidence and Control Process.● Any project groups to which you want to use to assign ownership of the send assessments To Do task or any

other tasks in this phase.○ Any supplemental engagement questionnaires [page 134] included in the phase, their required To Do

tasks, and optional approval tasks.

Risk control definition master data defines the required assessment questionnaires for each of the engagement's controls. For details on risk control definition data, see Supplier risk data import.

If you assign ownership of the send assessments To Do task to a project group, Buyer category assignment (user matrix) data [page 194] can populate that group with users based on the engagement commodities, regions, and departments, as well as populating project groups used in other tasks in this phase.

Components of the Evidence Collection phase

In this phase, assessment recipients fill out or update and submit assessment questionnaires and, if applicable, approvers and other task owners complete tasks and approve those questionnaires.

The Supplier Risk Engagement Template defines the phase itself, but does not define any of its tasks. Instead, once the owner of the To Do task for sending assessments completes it and the previous phase has ended, the control-based risk assessment project automatically generates a task of the specialized type External in the Evidence Collection phase for each assessment questionnaire that was either sent by completing the To Do task in the previous phase or that is pending expiration or expired since then and requires an update. These tasks:

● Have automatically generated names that include the control name (the value in the ControlName field in your site's risk control definition master data) and the name of the modular supplier management project template that defines associated assessment questionnaire. For example, if you have a control named Critical Data Element and a modular supplier management questionnaire named Capacity Management Policy, the external task name for this sent assessment is Critical Data Element: Capacity Management Policy. These tasks only show in the advanced view of the project. They do not show on the engagement page.

● Automatically specify the owner of the send assessments To Do task as their owners as well.● Are never completed manually by users. Instead, a questionnaire task completes automatically when its

associated modular supplier management questionnaire is submitted and approved.

Modular supplier management questionnaire project templates [page 139] define individual assessment questionnaires. Based on its template configuration, each external assessment can have separate approval and To Do tasks for both new questionnaires and questionnaire updates. Internal assessments can have approval tasks only for new questionnaires and cannot be updated. Task owners and approvers complete these tasks outside of the control-based engagement risk assessment project.



Components of the Risk Control Effectiveness Review phase

In this phase, control owners review associated assessment questionnaires and mark the control effective or ineffective. Note that while evidence collection precedes control effectiveness review in workflow order, the Evidence Collection and Risk Control Effectiveness Review phases start at the same time.

The Supplier Risk Engagement Template defines the phase itself, but does not define any of its tasks. Instead, once the owner of the To Do task for sending assessments completed it and the Trigger Evidence and Control Process phase ended, the control-based risk assessment project also automatically generates a task of the specialized type External in the Risk Control Effectiveness Review phase for each open control. These tasks:

● Have automatically generated names that include the control name (the value in the ControlName field in your site's risk control definition master data) and the words Control Review. For example, if you have a control named Critical Data Element, the external task name for its effectiveness review is Critical Data Element Control Review. These tasks only show as tasks in the advanced view of the project.

● Show as control reviews in the Risk Controls area of the engagement page.● Automatically specify the control decision maker defined in the DecisionMaker field in your site's risk control

definition master data as the task owner.● Become active when all of the questionnaire tasks associated with the control are complete. This means that::

○ If the control includes an external questionnaire that the supplier has not filled out before or a previously approved questionnaire that is expiring or expired, the new questionnaire or questionnaire update must be approved before the control review task becomes active.

○ If the control includes approved external questionnaires from the supplier but requires a new review for the current engagement, the control review task becomes active immediately after the Trigger Evidence and Control Process ends. This scenario included cases where current project includes a service-level control that was reviewed for a previous project, but where the current project includes at least one service for that control that was not reviewed previously.

○ If the control includes an internal questionnaire, it must be approved before the control review task becomes active.

If the control decision maker is a project group, Buyer category assignment (user matrix) data [page 194] can populate that group with users based on the engagement commodities, regions, and departments..

Components of the Project Approval phase

In this phase, approvers review the effectiveness of the risk controls for the engagement and finally approve or deny it.


● The approval task for the overall control-based engagement risk assessment project and any other tasks you want to include in the Project Approval phase.

● Any project groups you want to use to construct the project approval flow, any review flows, and any To Do task ownership in the Project Approval phase.

● Any project-level conditions you want to use to construct the approval flow or perform other actions at this stage.

● Any supplemental engagement questionnaires [page 134] included in the phase, their required To Do tasks, and optional approval tasks.


Buyer category assignment (user matrix) data [page 194] can populate the project groups in the project approval flow with users based on the commodities, regions, and departments specified in the business details questionnaire in the engagement request, and can populate To Do task owner groups for tasks in this phase as well.

Components of the Post Project Approval phase

In this phase, To Do task owners and approvers complete any tasks that are required after the project has been approved. This phase is optional.


● Any supplemental engagement questionnaires [page 134] included in the phase, their required To Do tasks, and optional approval tasks.

● Any other tasks you want to include in this phase.● Any project groups you want to use to construct approval flows and any To Do task ownership in the Post

Project Approval phase.● Any project-level conditions you want to use to construct the approval flow or perform other actions at this

stage.

Buyer category assignment (user matrix) data [page 194] can populate the project groups in any approval flows in this phase with users based on the commodities, regions, and departments specified in the business details questionnaire in the engagement request, and can populate To Do task owner groups for tasks in this phase as well.

Components of the Project Archiving phase

In this phase, To Do task owners and approvers complete tasks related to requests to archive the project. This phase is only required in sites that use the advanced archiving workflow.


● The archiving request and any associated To Do and approval tasks.Any project groups you want to use to construct approval flows and any To Do task ownership in the Project Archiving phase.

● Any project-level conditions you want to use to construct the approval flow or perform other actions at this stage.

Buyer category assignment (user matrix) data [page 194] can populate the project groups in the project archiving approval flow with users based on the commodities, regions, and departments specified in the business details questionnaire in the engagement request, and can populate To Do task owner groups for tasks in this phase as well.

Related Information

The control-based engagement risk assessment process [page 103]About the supplier risk engagement project template for control-based engagement risk assessment projects [page 111]



Restrictions, requirements, and helpful hints for setting up the supplier risk engagement project template for control-based engagement risk assessments [page 112]

About the supplier risk engagement project template for control-based engagement risk assessment projects

The Supplier Risk Engagement Template project template defines significant parts of your organization's workflow for using risk control-based assessments to quantify the risk of engaging with a supplier or third-party.

There is only one template for control-based engagement risk assessment projects in a site, the Supplier Risk Engagement Template. This template defines all control-based risk assessment projects in the site. Template upgrade for these projects is not supported, so when you edit a template, only projects created after that new template version is published reflect those changes. It is important to define your entire control-based risk assessment process carefully during the initial template implementation so that you only need to make minor adjustments after users in your site start creating projects from it.

NoteInitial release guide information for control-based engagement risk assessment projects referred to the template name as the Engagement Request Container Project Template. The template name has been changed to Supplier Risk Engagement Template.

Unlike other supplier management projects, the Supplier Risk Engagement Template does not define all the content of the control-based engagement risk assessment projects created from it, although it does define important pieces. A combination of the template, site master data, and some automatic tasks combine to create the overall workflow in each task. For a high-level description of the overall control-based risk assessment process, see The control-based engagement risk assessment process [page 103]. For a detailed list of these components and how they are used in each phase of this process, see Understanding the components of the control-based risk assessment process [page 106]. Before you set up the Supplier Risk Engagement Template, it is important to understand the general process and how these components interact to create it.

The project template must always include two survey documents for the engagement request (one for the business details questionnaire [page 111] and one for the inherent risk screening questionnaire [page 116]) and a specific configuration of tasks and phases [page 130]. It can include additional survey documents for supplemental engagement questionnaires [page 134].

Internal users in the Supplier Risk Engagement Requestor group create control-based engagement risk assessment projects by choosing Create Engagement Request on the dashboard and completing and submitting the engagement request, which includes the business details and inherent risk screening questionnaires defined in the Supplier Risk Engagement Template. The user who creates the request is initially the explicit project owner of the control-based engagement request project as well as a member of its Project Owner group. You can allow changes to the explicit project owner using either of the following optional mechanisms::

● A question with the appropriate configuration in the engagement request business details questionnaire.● A Change owner menu item on the Action menu on the engagement page, which is not enabled by default.

If you were previously using legacy engagement risk assessment projects, when SAP Ariba Customer Support enables the control-based engagement risk assessment project feature in your site, legacy project creation is automatically disabled and the Create Engagement Request menu action points to the engagement


request questionnaires defined in the Supplier Risk Engagement Template instead. Data on existing legacy engagement risk assessment projects continues to be available in your site for reference.

NoteWhile SAP Ariba Supplier Risk will continue to support legacy engagement risk assessment projects using the Engagement Risk Assessment Project Template until further notice, customers with subscriptions with order forms dated after the SAP Ariba September 2018 release who want to implement supplier engagement risk assessments must use the new Supplier Risk Engagement Template to implement control-based engagement risk assessments. SAP Ariba strongly recommends that customers currently in the deployment phase also adopt control-based risk assessments. No further innovations are planned for legacy engagement risk assessment projects.

Related Information

Workflow for setting up control-based engagement risk assessment projects [page 82]Understanding the components of the control-based risk assessment process [page 106]Setting up phases and tasks for control-based engagement risk assessment projects [page 130]Restrictions, requirements, and helpful hints for setting up the supplier risk engagement project template for control-based engagement risk assessments [page 112]Setting up the business details questionnaire in the engagement request [page 114]Setting up the inherent risk screening questionnaire in the engagement request [page 116]

Restrictions, requirements, and helpful hints for setting up the supplier risk engagement project template for control-based engagement risk assessmentsControl-based engagement risk assessment projects defined by the Supplier Risk Engagement Template use a specific workflow, and need some specific configurations to ensure that they fit successfully in that workflow.

Restrictions

● The Supplier Risk Engagement Template project template includes two default survey documents: one for the business details questionnaire [page 111] and one for the inherent risk screening questionnaire [page 116]. Both questionnaires are part of the engagement request workflow. You can add survey documents to the template to create supplemental engagement questionnaires, but do not add any other type of document to it. You can edit these default survey documents to change their titles and add or edit content, but always use them for their intended purpose and do not delete them. The default business details survey document always shows in the first step of the engagement request, and the default inherent risk screening survey document always shows in the second step.

● The Supplier Risk Engagement Template only supports To Do and approval tasks. Do not add any other type of task to it.



Requirements

● The template's default business details questionnaire for the engagement request includes a set of default questions with field mappings that are essential to the control-based risk assessment project. See Setting up the business details questionnaire in the engagement request [page 114] for details.

● The inherent risk screening questionnaire for the engagement request must include questions that trigger risk control requirements for the engagement, and those questions must include specific configuration settings. See Setting up the inherent risk screening questionnaire in the engagement request [page 116] for details.

● The default Supplier Risk Engagement Template does not include any default tasks or phases. You must set them up separately [page 130].

● Chain together all of the in the Supplier Risk Engagement Template that define the engagement risk assessment workflow predecessors in the order in which you want to use them in that workflow. Doing so ensures the correct display of the process flow graph on the engagement page and the timely activation of each task when its predecessor is completed. There are some additional configuration requirements for some tasks in some phases. See Setting up phases and tasks for control-based engagement risk assessment projects [page 130] for details.

● The owner of the To Do task for sending assessments in the Risk Control Effectiveness Review phase must be a member of the Supplier Risk Engagement Governance Analyst or Supplier Risk Engagement Expert group to complete the task. A user who is not a member of one of those two groups cannot successfully complete the task even if they are the task owner. Keep this requirement in mind when configuring the ownership of the To Do task for sending assessments.

● If you add survey documents for supplemental engagement questionnaires, you must add a To Do task on each questionnaire survey document to enable its editing. You can only add these To Do tasks, and optional approval tasks, in specific phases. See Setting up supplemental engagement questionnaires [page 134] for details.

Helpful hints

● You can add questions to the business details questionnaire in the engagement request to:○ Flag an engagement for materiality, criticality, or outsourcing requirements and use those questions to

drive control requirements, conditional project content, and approvals.○ Allow the requester or a user who has permission to edit the request to change the explicit owner of the

project.See Setting up the business details questionnaire in the engagement request [page 114] for details.

● You can add supplemental questionnaires [page 134] to the template. These supplemental questionnaires are always internal and can be related to compliance, reporting, confirmations that users have performed tasks outside the project, or other purposes. You can also apply project-level conditions to these questionnaires and their associated tasks so that they are only added to projects that meet those conditions.

● Configuration options for the tasks in the Supplier Risk Engagement Template vary widely depending on the phase to which they belong. See Setting up phases and tasks for control-based engagement risk assessment projects [page 130] for details on tasks in specific phases.

● On the engagement page, the names of the tasks in the current workflow show as labels for the nodes on the status flow graph for the project. It's a good idea to use task names that clearly but briefly identify each task's role in the workflow.

● On the Engagement Requests tile of the Supplier Risk dashboard and on the engagement page, the project display status includes the name of the current phase. If you edit the names of the default phases in the Supplier Risk Engagement Template, make sure that the names you specify make sense in this context.


● If you specify a global user group as the owner of a task, and the engagement requester belongs to that group, the project owner automatically becomes the task owner. This behavior is standard behavior for SAP Ariba projects. Keep this behavior in mind when setting task owners.

● The risk control definition master data in your site can specify individual users, global user groups, or project groups as decision makers for controls. If it specifies a project group for a control, that project group must exist in the Supplier Risk Engagement Template template. It is not created automatically by the control definition. Control definitions first look for global user groups with matching unique names, and only look for project groups if there is no global user group with a matching name. Therefore, if you plan to assign control decision making to project groups, make sure that the names you give those project groups are not identical to any global user group unique name in your site.

● You can set up inherent risk ratings for engagement risk assessment projects [page 117] so that the inherent risk assessment questionnaire generates both a numerical score and an inherent risk rating. The Inherent Risk Score project field stores the numerical score, while the Inherent Risk Rating field stores the corresponding rating. You can use either one of these fields to create project-level conditions for conditional approval flows based on the inherent risk score or rating of the engagement.

● SAP Ariba recommends that you add no more than 500 pieces of content to an individual questionnaire. Adding more than 500 pieces of content might cause performance to degrade progressively as you add more content.

● Approvers and members of the Supplier Risk Engagement Governance Analyst group can resubmit a denied approval on the engagement risk assessment project as long as the approval task is not the final task in the project approval phase. If it is the final task in the project approval phase, the phase closes and the approval can no longer be submitted.

Related Information

About the supplier risk engagement project template for control-based engagement risk assessment projects [page 111]Understanding the components of the control-based risk assessment process [page 106]Setting up the business details questionnaire in the engagement request [page 114]Setting up the inherent risk screening questionnaire in the engagement request [page 116]Setting up phases and tasks for control-based engagement risk assessment projects [page 130]About risk controls in SAP Ariba Supplier Risk [page 102]

Setting up the business details questionnaire in the engagement request

The business details questionnaire is the first step of creating an engagement request and defines the commodity, region, and department of the engagement, which in turn determine its required controls. You set it up in the Supplier Risk Engagement Template.

The Supplier Risk Engagement Template includes a default survey document for the business details questionnaire. It includes the following default content and field mappings [page 136]:

● A question about the engagement title, mapped to project.Title.



● A question of type Commodity, mapped to matrix.Categories.● A question of type Region, mapped to matrix.Regions.● A question of type Department, mapped to matrix.Departments.

The commodity, region, and department questions and field mappings are required for the correct functioning of the control-based risk assessment project. The answers a requester provides for those questions set the commodity, region, and department attributes for the project, and those attributes determine:

● Which questions that trigger risk controls show in the next step of the engagement request, the inherent risk screening questionnaire [page 116]. The mapping between project attributes and control trigger questions is defined in your site's engagement attribute mappings..

● The membership of project groups on the project team, if you are using buyer category assignments [page 193] (the user matrix).

The title question is recommended because its answer automatically becomes the name of the control-based engagement risk assessment project created from the engagement request. If you do not include a title question mapped to project.Title in the engagement request filters questionnaire, all projects created from the Supplier Risk Engagement Template are automatically named "<name of engagement request filters questionnaire survey document> by <name of requester>."

You can edit the names of these questions, but do not edit their answer types or field mappings.

By default, the requester is the explicit project owner of the engagement risk assessment project created from the request. You can allow the requester or other users who have permission to edit the request to set a different explicit project owner by adding a question about who should be the project owner, of type User, mapped to project.Owner. Do not allow multiple answers for this question.

You can also optionally add any or all of the following questions to the business details questionnaire:

● A question about the engagement's materiality, with answer type Yes/No, mapped to project.materiality. A yes answer to this question adds a TRUE flag to the project Materiality field.

● A question about the engagement's criticality, with answer type Yes/No, mapped to project.criticality. A yes answer to this question adds a TRUE flag to the project Criticality field.

● A question about whether or not the engagement requires outsourcing, with answer type Yes/No, mapped to project.outsouring. A yes answer to this question adds a TRUE flag to the project Outsourcing field.

You can use these project fields to show or hide questions to the inherent risk screening questionnaire in addition to those added by the commodity, region, and department, and those conditional questions can also trigger risk controls. You can also use them to create conditional approval and review flows for the request and the overall project.

You can optionally add any other questions to the business details questionnaire as well for informational purposes. All of the questions and answers in this questionnaire show on the engagement page after the requester has submitted the request. However, only the mapped questions described in this topic affect the overall behavior and workflow of the associated project.

Related Information

Understanding the components of the control-based risk assessment process [page 106]About the supplier risk engagement project template for control-based engagement risk assessment projects [page 111]


Restrictions, requirements, and helpful hints for setting up the supplier risk engagement project template for control-based engagement risk assessments [page 112]Setting up the inherent risk screening questionnaire in the engagement request [page 116]Setting up phases and tasks for control-based engagement risk assessment projects [page 130]Supplier field mappings for control-based supplier engagement risk assessment projects [page 136]The control-based engagement risk assessment process [page 103]

Setting up the inherent risk screening questionnaire in the engagement request

The inherent risk screening questionnaire is the second step of creating an engagement request and determines the risk controls that are required for the engagement. You set it up in the Supplier Risk Engagement Template.

The Supplier Risk Engagement Template includes an empty default survey document for the inherent screening questionnaire. To set up the inherent risk screening, add questions designed to determine whether specific risk controls should be required. Each screening question must specify a unique identifier in the Supplier field mapping field using the format question.<question ID>.

You can add screening questions to the inherent risk screening questionnaire survey document in two different ways:

● Commodity, region, and department screening questions: For screening questions designed to trigger controls based on the engagement commodities, regions, and departments, you add all possible related questions to the survey document without applying any visibility conditions. Engagement attribute mapping data in your site maps between specific commodities, regions, and departments and the IDs for these questions that you specify in the Supplier field mapping field. There is no need to apply visibility conditions to them. The inherent risk screening questionnaire automatically shows or hides them depending on whether or not a requester selects mapped commodities, regions, and departments in the business details questionnaire. When a requester chooses one or more commodities, regions, and departments in the first step of the engagement request, the business details questionnaire [page 114], the inherent risk screening questionnaire automatically shows the screening questions from the template survey document that have IDs mapped to those commodities, regions, and departments in the engagement attribute mappings. Questions with IDs that are mapped but that do not match the commodities, regions, and departments of the current engagement request are always hidden. For details on engagement attribute mappings, see Supplier risk data import/

● Criticality, materiality, and outsourcing screening questions: For screening questions designed to trigger controls based on the engagement's criticality, materiality, or potential for outsourcing, you create project conditions with a field match to project Criticality, Materiality, and Outsourcing fields. You then add all possible related questions to the survey document and apply those conditions as visibility conditions.

The engagement control mapping master data in your site maps between the answers to these questions and different risk controls. Risk control definitions specify the assessment questionnaires for each control as well as the control decision maker. The questions you add to the inherent risk screening questionnaire therefore determine the controls required for the engagement, and the controls determine which assessment questionnaires are included and who reviews the controls for effectiveness in a later part of the process.

You can optionally add any other questions to the engagement request inherent risk questionnaire as well for informational purposes. All of the questions and answers in this questionnaire show on the engagement page after the requester has submitted the request.



You can also pre-grade the inherent risk screening questionnaire to generate an inherent risk score for the engagement [page 117].

Related Information

Understanding the components of the control-based risk assessment process [page 106]About the supplier risk engagement project template for control-based engagement risk assessment projects [page 111]Restrictions, requirements, and helpful hints for setting up the supplier risk engagement project template for control-based engagement risk assessments [page 112]Setting up the business details questionnaire in the engagement request [page 114]Setting up phases and tasks for control-based engagement risk assessment projects [page 130]Supplier field mappings for control-based supplier engagement risk assessment projects [page 136]About risk controls in SAP Ariba Supplier Risk [page 102]

Topics about setting up inherent risk ratings for control-based engagement risk assessment projects

Setting up inherent risk ratings for control-based engagement risk assessment projects [page 117]

Point-based scoring versus percentage-based scoring [page 119]

About scoring points [page 120]

About pre-grading supplier questionnaires [page 123]

Structural considerations for scoring supplier questionnaire content [page 126]

How to add scoring to the engagement request inherent risk screening questionnaire [page 128]

Setting up inherent risk ratings for control-based engagement risk assessment projects

Answers to the inherent risk screening questionnaire in the engagement request can generate a numerical inherent risk score, which you can show as a rating on the engagement page and use to create project-level conditions for conditional approval flows and other conditional content.

Inherent risk ratings based on the score of the engagement request inherent risk screening questionnaire involves the following components:

● Scoring the inherent risk screening questionnaire: you choose either percentage-based or point-based scoring [page 119] and add scoring to the inherent risk screening questionnaire survey document [page 128] in the control-based engagement risk assessment project template. Set up the scoring so that riskier answers result in a higher score and less risky answers result in a lower score.


● Defining risk ratings: a site configuration parameter defines the risk ratings (such as "High" and "Low" and the ranges of numerical scores for each rating in your site. If you use point-based scoring, the parameter is Application.SR.Engagement.RiskPointBasedScoreRanges. If you use percentage-based scoring, the parameter is Application.SR.Engagement.RiskScoreRanges. They define ranges of from 0 through 100 (for percentage-based scoring) or 0 or greater up to a maximum of 1000 (for point-based scoring) with no gaps in between ranges, in the format Rating name:low value:high value. For example, High:75:100 means that scores of 75% to 100% (in percentage-based scoring) or 75-100 points (in point-based scoring) have a risk rating of High. If there is any overlap between two ratings, the rating with the higher range is used; for example, if you define High:75:100 and Medium:50:75, a score of 75% or 75 points has a risk rating of High. The default value for percentage-based scoring is Low:0:50, Medium:50:75, High:75:100 and the default value for point-based scoring is Low:0:60 Medium:60:90 High:90:1000. If you want to define custom ranges, have your Designated Support Contact log a service request. An SAP Ariba Customer Support representative will follow up to complete the request.

Once you have set up questionnaire scoring and scoring ranges and published the control-based engagement risk assessment project template, when a requester fills out the inherent risk screening questionnaire in the engagement request, the questionnaire calculates a numerical score based on the submitted answers. Your risk ratings definitions translate that score into a rating, and the rating shows in the Inherent Risk field in the Engagement Summary area of the engagement page. The project stores the numerical score in the Inherent Risk Score project field and the rating in the Inherent Risk Rating project field. You can use either of these fields to create project-level conditions. You can then use those project-level conditions to create conditional approval flows; for example, you can create more stringent approval flows for engagements with more inherent risk. You can also create conditional content in the project, such as a To Do or review task prompting relevant stakeholders to perform a special evaluation of an engagement with more inherent risk.

TipControl-based engagement risk assessment projects can also have an inherent risk rating based on the commodities the requester selects in the first step of the engagement request, the business details questionnaire. If you have in your site, the commodity-based rating shows in the Inherent Risk (Commodity) field in the Engagement Summary, and its corresponding numerical value is stored in the Inherent Risk Score (Commodity) project field. Although you can set up both types of inherent risk ratings for your control-based engagement risk assessment projects, it is possible for the same project to show different and even conflicting ratings in the Inherent Risk and Inherent Risk (Commodity) fields. Choosing only one method of rating the inherent risk for an engagement provides clearer guidance to engagement approvers and other stakeholders.

Related Information

Setting up the inherent risk screening questionnaire in the engagement request [page 116]Point-based scoring versus percentage-based scoring [page 119]About scoring points [page 120]About pre-grading supplier questionnaires [page 123]Structural considerations for scoring supplier questionnaire content [page 126]How to add scoring to the engagement request inherent risk screening questionnaire [page 128]



Point-based scoring versus percentage-based scoring

You can use either point-based scoring or percentage-based scoring to calculate request and assessment questionnaire scores in engagement risk assessment projects.

NotePercentage-based scoring is the default system, and is the only system available for most SAP Ariba surveys, supplier management questionnaires, and events. Point-based scoring is only available in template survey documents in control-based and legacy engagement risk assessment projects in.SAP Ariba Supplier Risk In control-based engagement risk assessment projects, point-based scoring is enabled by default. In legacy engagement risk assessment projects, the point-based scoring feature must be enabled in your site.

Point-based score calculation is a more straightforward and easy-to-configure method, awarding each answer a number of points and adding all awarded points together to calculate the total score; however, approvers and other stakeholders must know how a given point total translates into risk levels. Percentage-based scoring is more complicated to configure because it awards each answer a number of points, then uses the question's importance and its section's weight to calculate the total score; however, it is easier for approvers and other stakeholders to interpret percentage scores intuitively.

You can choose a scoring method for each individual survey document in the supplier engagement risk assessment project template, allowing you to select the method that best meets the requirements for individual questionnaires.

Point-based scoring

Point-based scoring is less complicated to configure because there is a direct relationship between the pre-grade values you specify for each answer and the questionnaire's score. You simply specify point values as pre-grades, and the sum of the highest pre-grade for each question is the maximum score for the questionnaire. You do not need to specify importance for questions or weight for sections, or spend time figuring out how weight and importance interact in score calculations to achieve the results you want.

Be aware of how conditional questions can contribute to different scores for the same questionnaire in different engagement risk assessment projects, and make sure that the way you pre-grade conditional questions translates into the risk score you want. If a question shows in one project, its pre-grade value contributes to the questionnaire's total point score; if a question does not show in another project, its pre-grade does not, and the higher number of points in the first project indicates higher risk.

The Application.SR.Engagement.RiskPointBasedScoreRanges site configuration parameter defines the ranges of point-based scores that correspond to low, medium, or high risk ratings. These ratings are used in the following ways:

● In control-based engagement risk assessment projects, the rating that corresponds to the numerical score of the inherent risk questionnaire in the engagement request shows in the Inherent Risk field on the engagement page. This field only shows the parameter-defined ratings; it does not show the numerical score.

● In legacy engagement risk assessment projects, you can use the rating that corresponds to the numerical score of the engagement request can trigger recommendations of specific engagement-level risk assessments.

In legacy engagement risk assessment projects, you can score the engagement-level risk assessment questionnaires. Since total scores are just a sum of the points awarded to each answer, it is possible for different questionnaires to have wildly different maximum scores, which might lead to confusion if users in your site don't


know how to interpret the risk level of a given score. To avoid this problem, you can develop a standard system across questionnaires so that the same number of points translate into high, medium, and low risk for all questionnaires, and pre-grade individual questions based on that system. If you want scores to trigger conditional approval flows or perform other functions in the engagement risk assessment project, it is also important to apply a standard scoring system across questionnaires.

You cannot specify a target score with point-based scoring, and therefore engagement-level risk assessments in legacy engagement risk assessment projects never show as high risk on the engagement page.

Percentage-based scoring

Percentage-based scoring is more complicated to configure because the relationship between the pre-grade values you specify for each answer and the questionnaire's score is indirect. You specify percentage values and pre-grades, and those percentages determine how many of the question's possible points to award each answer. The question's possible points are calculated based on the question's importance and the weight of its section. Setting up percentage-based scoring in a questionnaire requires careful planning.

However, percentage-based scoring enables you to define how much you want each individual question to contribute to the overall score in a more flexible way. Moreover, since percentage scores are always relative to the overall percentage instead of being a direct sum, the presence or absence of conditional questions in individual questionnaires can have a less direct effect on their scores.

You can specify a target percentage with percentage-based scoring, and engagement-level risk assessments that don't meet that target show as high risk in the user interface.

The Application.SR.Engagement.RiskScoreRanges site configuration parameter defines the ranges of percentage-based scores that correspond to low, medium, or high risk ratings. These ratings are used in the following ways:

● In control-based engagement risk assessment projects, the rating that corresponds to the numerical score of the inherent risk questionnaire in the engagement request shows in the Inherent Risk field on the engagement page. This field only shows the parameter-defined ratings; it does not show the numerical score.

● In legacy engagement risk assessment projects, you can use the rating that corresponds to the numerical score of the engagement request can trigger recommendations of specific engagement-level risk assessments.

About scoring points

The more scoring points you assign each piece of event or questionnaire content, the more that content contributes toward the final score. There are two different types of scoring points, Weight and Importance, that work together in score calculations for hierarchical content.

About weight

Weight is the relative level of importance of a section of content. It is used with the score you assign each response and contributes to the overall score for each respondent.



Assign Weight points to “container” content types such as sections and event line items (for scoring purposes, a line item “contains” its terms). Altering a section or lot’s Weight allows you to alter the Overall % for all the section content.

For example, suppose there are 30 scoring points assigned to a Car Performance section, and 70 to a Car Financing section. (Assign a total of 100 scoring points to cause the Overall % to be equal to the number of assigned scoring points).

For sections, the Overall % column shows how the section contributes to the overall score based in the following formula:

● section weight / total number of weight points = overall % of section

Using the previous example to verify the Overall % of the Car Financing section, the numbers would look like this:

● 70 / 100 = 70%

If you do not assign exactly 100 weight scoring points, it complicates the math. For example, if you assign 27 points to the Car Performance section, and 88 points to the Car Financing section, the total of the weight scoring points is 115. In this case, the Overall % of the Car Financing section is:

● 88/115 = 76.52%

The following table demonstrates the breakdown of scoring calculations based on the preceding example:

Number Name Weight (base level) Overall %

1 Section 1 – Car Performance 27 27 / 115 = 23.48%

2 Section 2 – Car Financing 88 88 / 115 = 76.52%

Maximum points for content 115

About importance

Importance is the relative level of importance for individual pieces of content that require answers from suppliers or other respondents, such as questions and event line item terms.

Assign each question or other piece of individual content between 0–10 Importance scoring points, with 10 being the most important. Content to which you assign 0 scoring points does not count towards the score.

In the following graphic, question 1.2 has the highest importance with 10 Importance points, and question 1.1 is half as important as question 1.2 with 5 Importance points.


>The Overall % of questions changes depending on how you weight the section they are located in. To calculate the Overall % of the questions in the Car Performance section, first calculate their percentage within the Car Performance section, and then multiply that by the Overall % of the Car Performance section. The formula for the numbers in the example would be:

● (importance of question 1.1 (5) / total number of importance points in the Car Performance section (15)) * overall % of Car Performance section (30) = overall % of question 1.1 (10%)

Written numerically:

(5/15) * 0.3 = 0.1

The following table combines section Weight and question Importance to calculate the overall % of the questions within section 1:

Number Name Weight Importance Overall %

1 Section 1 – Car Performance 30 30 / 100 = 30%

1.1 Question 1.1 5 10% = 30%*5/15

1.2 Question 1.2 10 20% = 30%*10/15

Maximum points for content in Section 1

15

2 Section 2 – Car Financing 70 70 / 100 = 70%




About how weight and importance are used together

A question’s Importance and its container section’s Weight work together to determine the Overall % of questions within a section: For example:

Number Name Weight Importance Overall %

1 Section 1 – Car Performance 30 30% = 30 / 100

1.1 Question 1.1 5 10% = 30%*5/15

1.2 Question 1.2 10 20% = 30%*10/15

Maximum points for content in Section 1 15

2 Section 2 – Car Financing 70 70% = 70 / 100

2.1 Question 2.1 5 23.3% = 70%*5/15

2.2 Question 2.2 10 46.7% = 70%*10/15

Maximum points for content in Section 2 15


Although questions 1.1 and 2.2 both have 10 Importance scoring points, they do not have the same Overall % because the two questions are in different sections, and section 1 has fewer weight scoring points. This causes the questions inside section 1 to be relatively less important than the questions in section 2.

About pre-grading supplier questionnaires

The pre-grade you assign to a specific answer to a question determines the amount that the answer contributes to the total score of the questionnaire relative to other answers to the same question.

When you pre-grade a question, you assign a grade to each possible answer to the question. You can only pre-grade questions that have defined or quantifiable answers.

In percentage-based scoring, pre-grades are always percentage values between 0 and 100, with 0 being the lowest and 100 being the highest grade. They specify the percentage of the question's available scoring points each answer earns, and that question-level scoring point calculation rolls up into the calculation of both section-level and overall questionnaire scores based on the question's importance and its section's weight.

In point-based scoring, pre-grades are always point values, which add up to section-level and overall questionnaire scores. Point-based scoring is available in the engagement request and assessment questionnaires in legacy engagement risk assessment projects and the engagement request inherent risk screening questionnaire in control-bases engagement risk assessment projects in sites that include SAP Ariba Supplier Risk. It is not available in sourcing events or modular supplier management questionnaires.

You can only pre-grade questions that have defined or quantifiable answers.

Questions with defined answers include multiple choice and Yes/No questions. For example, you cannot pre-grade a question of type Text (single line limited) with no defined acceptable answers because a respondent can answer with any possible text, and there is no way to quantify and grade such an answer. However, if you set the Acceptable Values option to List of Choices for the question, so that the respondent must choose from a set of predefined answers, you can pre-grade each answer. Yes/No questions automatically include two defined answers: yes and no.


Questions with quantifiable answers include Whole Number, Money, and Date. Answers to these questions are numerical quantities that can be calculated or, in the case of dates, counted.

Related Information

About scoring points [page 120]

Assigning From, To, and Ideal values

Assign From, To, and Ideal values to favor answers that are neither too great nor too small.

Assigned grades start at 0% for the From value, climb to 100% for the Ideal value, and descend again to 0% for the To value.

For example, you might be selecting a model of car to add you your company’s fleet. You do not want a car that is too slow at top speed, but also one that has too much horsepower. In this case you might assign the slowest acceptable top speed in the From value to 100 MPH, the fastest acceptable top speed in the To value to 160 MPH, and the ideal top speed in the Ideal value to 120 MPH.

In this example, assigned grades start at 0% for 100 MPH, climb to 100% for 120 MPH, and descend again to 0% for 160 MPH.

Assigning From and Ideal values, but no To value

Assign From and Ideal values without specifying a To value when you do not want to place a restriction on the maximum value a respondent can provide for a question.

The assigned grade is 0% for answers less than or equal to the From value, rising to 100% for answers equal to or greater than the Ideal value.

For example, you might be selecting a model of car to add to your company’s fleet. You want the car to hold at least three passengers, ideally five passengers, with no upper limit. In this case you assign a value of 3 to the From value, a value of 5 to the Ideal value, and assign no value to To.

In this example, the assigned grade is 0% for answers of 3 or fewer, and 100% for answers of 5 or greater.

Assigning Ideal and To values, but no From value

Assign Ideal and To values without specifying a From value when you do not want to place a restriction on the minimum value a respondent can provide to a question.

The assigned grade is 0% for answers equal to or greater than the To value and rises to 100% for answers less than or equal to the Ideal value.



For example, you might be selecting a model of car to add to your company’s fleet. You want the car to cost no more than $30,000 USD, ideally $22,000 USD, but without setting a lower limit. In this case you assign a value of 30000 to the To value, a value of 22000 to the Ideal value, and assign no value to From.

In this example, the assigned grade is 0% for answers of 30000 or greater and 100% for answers of 22000 and less.

Assigning only an Ideal value

Assign an Ideal value but no From or To values when you want to solicit a single, specific answer.

The assigned grade is 100% for answers of the Ideal value and 0% for all other answers.

For example, you might be selecting which model of car to purchase for your company’s fleet. You want it to have a four-cylinder engine, no more, no less. In this case you specify an Ideal value of 4, and leave the From and To values empty.

In this example, the assigned grade is 100% for answers of 4 and 0% for all other answers.

Assigning only a From value

Assign a From value but no To or Ideal values when you have a specific maximum threshold value that you require, after which a greater answer does not add value for you.

The assigned grade is 0% for answers less than the From value and 100% for all answers equal to or greater than the From value.

For example, you might be selecting which model of car to purchase for your company’s fleet. Your company has a policy of only purchasing cars that have been in production for at least ten years. Set the From value to 10, and leave the To and Ideal values empty.

In this example, the assigned grade is 0% for answers less 10 and 100% for all answers equal to or greater than 10.

Assigning only a To value

Assign a To value but no From or Ideal values when you have a specific minimum threshold value that you require, after which a lesser answer does not add value for you.

The assigned grade is 0% for answers greater than the To value and 100% for answers equal to or less than the To value.

For example, you might be selecting which model of car to purchase for your company’s fleet. In order to purchase a car, your company requires it to be financed with a loan of 4% APR. or lower. Set the To value to 4, and leave the From and Ideal values empty.

In this example, the assigned grade is 0% for answers greater than 4%, and 100% for answers equal to or less than 4%.


Structural considerations for scoring supplier questionnaire content

The hierarchical structure of the content in a supplier questionnaire affects its scoring. Combining questions outside of sections with questions in sections, or nesting sections within sections, produces specific scoring behavior.

In supplier questionnaires, the base level is the root or beginning of the hierarchical scoring structure. Content in the base level has a number with no decimal points such as 1 or 2.

Supplier questionnaire scoring is simplest when:

● Either the questionnaire does not use sections at all and every question is at the base level, or the questionnaire does use sections and every question is in a section. Note that if the questionnaire does not use sections, you cannot use weight points in scoring. If the questionnaire includes both questions and sections at the base level, both contribute equally to the maxinum number of scoring points for the questionnaire [page 126], which can produce unexpected results.

● In questionnaires with sections, all sections are at the base level rather than nested. Only sections at the base level contribute to the questionnaire's maximum number of scoring points, and the weights of nested sections only apply to scoring within the section [page 128].

You can score questionnaires with more complicated structures, but keep these behaviors in mind if you do so.

NoteCurrently, scoring is only supported for static sections. It is not supported for repeatable sections.

About scoring for questions in the base level

Scoring is simplest when you place questions and event line items inside sections. Structuring content differently (for example, placing a question outside of a section) can cause confusion about the resulting scores.

The base level is the root or beginning of the hierarchical scoring structure. Content in the base level has a number with no decimal points, for example, notice 1 Section 1, or 3 A question created outside of a section in the following graphic. Content numbering with a decimal point (for example 1.2) indicates that the content is nested inside a section.

In the following graphic, the Maximum points for content field does not equal the sum of the Weight column. That is because the Maximum points for content field is the sum of all the scoring points in the base level. Both Weight and Importance are scoring points.



The Maximum points for content field in the previous graphic equals 7, and not 2, because there is a question at the base level, outside of any section, causing its Importance points to be added into the Maximum points for content field.

The Overall % of any piece of content is calculated in relation to other content in the same hierarchical location. Since there is a question at the base level, its Overall % is calculated in comparison to the Weight of the sections at the same level. The total number of scoring points assigned in that hierarchical location is 7, five of which belong to the question. So the Overall % of question 3 is 5/7, or 71.43%.

Place the question inside of Section 2, as shown in the following graphic, to cause the Maximum points for content to reset to 2. Then the Overall % of the question is calculated in the standard way.

Related Information

About Importance [page 121]About weight [page 120]


About scoring nested sections

If you nest sections inside of other sections, the resulting scoring can produce unexpected results because sections nested within other sections are not scored with their parents.

For example, in the following graphic, Section 2 is nested inside of Section 1. The weight points of Section 2 do not count towards the Maximum points for content field since they are not located in the base level. Only the weight points of Section 1 are located in the base level.

The event or survey document indents Weight fields to illustrate the hierarchical scoring structure. For example, since Section 1 is the only content located in the base level, it contributes all of the scoring points to that level and receives an Overall % of 100%. Likewise with Section 2. It is the only content nested within Section 1 and contributes all of the scoring points to that level, causing it to receive all of Section 1’s Overall %.

How to add scoring to the engagement request inherent risk screening questionnaire

Adding pre-grades to questions with defined or quantifiable answers and, in percentage-based scoring, weight to sections in a survey document allows the questionnaire to calculate numerical scores based on respondent answers.

Prerequisites

You must be a member of the Template Creator group to edit the engagement request inherent risk screening questionnaire survey document in the control-based engagement risk assessment project template.

Context

In control-based engagement risk assessment projects, the only questionnaire that supports scoring is the engagement request inherent risk screenings questionnaire.



You can use either percentage-based or point-based scoring in the questionnaire. The scoring system you choose depends on your requirements [page 119] for scoring. Point-based scoring uses only question pre-grades [page 123] to calculate section and overall questionnaire scores. Percentage-based scoring uses question pre-grades together with question importance and section weight [page 120] to calculate section and overall questionnaire scores. Before you start scoring a questionnaire, it is important to understand how pre-grades and scoring points work.

The engagement request inherent risk screening questionnaire does not currently use a Target Grade value.

Procedure

1. Open the control-based engagement risk assessment project template. If it is not in Draft, create a new version.

2. On the Documents tab, click the inherent risk screening questionnaire survey document and choose Edit.3. Click Rules.4. In the Bidding Rules area, choose one of the following options on the Choose Scoring Type dropdown menu:

○ To use percentage-based scoring, choose Percentage Based Scoring.○ To use point-based scoring, choose Point Based Scoring.

In both cases, choose Delegated scoring.5. Click Content.6. On the Display dropdown menu, choose one of the following options: Scoring.

○ If you are using percentage-based scoring, choose Scoring.○ If you are using point-based scoring, choose Point Based Scoring.

The Content table shows scoring-related fields.7. Pre-grade [page 123] possible answers to questions with defined answers, such as number, date, multiple

choice, or Yes/No questions, by performing the following actions:a. In the Pre-grade column, choose Yes from the dropdown menu.b. For multiple choice and Yes/No questions, select a pre-grade percentage value from 0-100 for each

available answer. For number and date questions, enter values in one, two, or all of the From, Ideal, and To fields to define the pre-grading for a range of possible answers.

8. If you are using percentage-based scoring, enter a Weight value [page 120] for each section you want to contribute to the questionnaire score calculation. Sections with a weigh of 0 do not contribute to scores.

TipThe values you specify for section weights can be any numbers, but using numbers that add up to a total of 100 makes it easier to determine how your weight and importance settings contribute to the overall score calculation for the questionnaire.

9. If you are using percentage-based scoring, choose an Importance value [page 121] of 1-10 for each question you want to contribute to the questionnaire score calculation, with 10 being the highest importance. Questions with an importance of 0 do not contribute to scores.

10. Click Update at any time to recalculate the Overall % for the current scoring configuration.11. When you have finished adding scoring to the questionnaire, click Exit, then click Save and then exit.


Results

Once you publish the new version of the template and a requester submits an engagement request, the inherent risk screening questionnaire automatically calculates a numerical score based on your settings. A site configuration parameter translates the numerical score into an inherent risk rating, which shows on the engagement page.

Related Information

Setting up inherent risk ratings for control-based engagement risk assessment projects [page 117]Point-based scoring versus percentage-based scoring [page 119]

Setting up phases and tasks for control-based engagement risk assessment projectsThe control-based engagement risk assessment workflow is defined by a specific pattern of phases and tasks on the Tasks tab of the project template. To set up the project workflow, you must add tasks and phases to the template.

Control-based engagement risk assessment projects use the following six phases with tasks that define the project workflow:

● Request Approval [page 131] (required)● Trigger Evidence and Control Process [page 131] (required)● Evidence Collection [page 132] (required)● Risk Control Effectiveness Review [page 132] (required)● Project Approval [page 133] (required)● Post Project Approval [page 133] (optional)● Project Archiving [page 134] (required for the advanced archiving workflow))

Note● The default Supplier Risk Engagement Template project template does not include any tasks or phases.

You must add them when setting up the template.● The Supplier Risk Engagement Template project template only supports the use of these specific phases,

and only supports approval and To Do with specific settings in some of these phases. It is important to pay attention to both the general restrictions and requirements [page 112] for phases and tasks in this template and the specific restrictions and requirements for tasks in each phase.

For general information on working with phases and approval and To Do tasks, see the Project Template Guide and Managing projects, teams, documents, and tasks, keeping in mind the following tips:

● Workflow order for phases in control-based engagement risk assessment projects is defined by the Choose where the tasks in this phase should be applied setting. Do not use predecessors for these phases.

● Workflow order for tasks in control-based engagement risk assessment projects is defined by predecessors in most cases. It is never related to the display order of the tasks on the Tasks tab in the project template.



● Approval tasks in control-based engagement risk assessment projects support the ability for requesters or a member of the Supplier Risk Engagement Governance Analyst to add ad hoc approvers after the request is submitted rather than using an approval flow defined in the template task. To enable this ability, add the approval task but keep its approval flow empty.

The Request Approval phase

The Request Approval setting in this phase defines it as the first phase in the control-based engagement risk assessment workflow and associates it with the engagement request. A phase with this setting is required for the proper functioning of the control-based engagement risk assessment workflow. Use it to define the approval flow for the engagement request and any related tasks.

The Request Approval phase must include at least one approval task on one of the engagement request survey documents. Adding engagement request approval tasks on the inherent screening questionnaire is recommended, since the approval task details page then shows the answers to both engagement request questionnaires to approvers.

If you do not want to require approval for the request, create one approval task and set it to auto-approve.

In addition to the required approval task, you can add other approval tasks to this phase, associated with either the engagement request or with supplemental engagement questionnaires. You can also add To Do tasks to this phase, either as standalone tasks, associated with the engagement request, or associated with any supplemental engagement questionnaire survey documents in this phase.

The first task in the workflow for this phase must have no predecessor. After that, chaining together all of the tasks in this phase as predecessors in workflow order ensures the correct display of the process flow graph on the engagement page and the timely activation of each task when its predecessor is completed. There are some additional configuration requirements for some tasks in some phases. Specify no predecessor for the first workflow task in this phase, specify the first workflow task as the predecessor of the second workflow task in this phase, and so on.

There are also specific requirements [page 134] for To Do and approval tasks on supplemental engagement questionnaires.

The Trigger Evidence and Control Process phase

The Trigger Evidence and Control process setting in this phase defines it as the second phase in the control-based engagement risk assessment workflow, where the responsible user sends invitations to fill out or update the modular supplier management questionnaires associated with all of the required controls that are not currently marked as effective. A phase with this setting is required for the proper functioning of the control-based engagement risk assessment workflow. Use it to define the To Do task for sending assessments and any related tasks.

The Trigger Evidence and Control Process phase must include exactly one To Do task that is standalone (not associated with a document). That configuration identifies it as the task that triggers sending assessment questionnaires to recipients. To activate correctly, the send assessments To Do task must have the previous task in the project workflow as a predecessor.

In addition to the required To Do task for sending assessments, you can add other To Do and approval tasks on supplemental engagement questionnaires to this phase. Chaining together all of the tasks in this phase as


predecessors in workflow order ensures the correct display of the process flow graph on the engagement page and the timely activation of each task when its predecessor is completed. Specify the last workflow task in the Request Approval phase as the predecessor to the first workflow task in this phase, specify the first workflow task in this phase as the predecessor of the second workflow task in this phase, and so on.

There are specific requirements [page 134] for tasks on supplemental engagement questionnaires.

The Evidence Collection phase

The Evidence Collection setting in this phase defines it as the third phase in the control-based engagement risk assessment workflow, where questionnaire recipients fill out or update and submit their questionnaires and, if applicable, approvers approve their answers. A phase with this setting is required for the proper functioning of the control-based engagement risk assessment workflow. This phase and the following Risk Control Effectiveness Review phase are typically active in parallel for at least part of the project workflow.

Do not add any tasks to this phase. This phase must always remain empty.

When send assessments To Do task in the previous Trigger Evidence and Control Process phase completes, the control-based risk assessment project automatically generates a task of the specialized type External in this phase for each sent assessment questionnaire. Users do not complete these tasks manually, and they are only visible in the advanced view of the project. Once a new or updated assessment questionnaire is submitted and approved, the associated external task completes automatically.

For more details on the automatically generated questionnaire tasks in this phase, see Understanding the components of the control-based risk assessment process [page 106].

The Risk Control Effectiveness Review phase

The Evidence Collection setting in this phase defines it as the fourth phase in the control-based engagement risk assessment workflow, where control decision makers review the questionnaires for their assigned controls and mark the controls and effective and ineffective. A phase with this setting is required for the proper functioning of the control-based engagement risk assessment workflow. This phase and the preceding Evidence Collection phase are typically active in parallel for at least part of the project workflow.

Do not add any tasks to this phase. This phase must always remain empty.

When the send assessments To Do task in the previous Trigger Evidence and Control Process phase completes, the control-based risk assessment project also automatically generates a task of the specialized type External in the Risk Control Effectiveness Review phase for each open control. After that point, control review tasks become active when their associated assessments are completed and the control decision makers can complete those review tasks as they become active.

For more details on the automatically generated control review tasks in this phase, see Understanding the components of the control-based risk assessment process [page 106].



The Project Approval phase

The Project Approval setting in this phase defines it as the final required phase in the control-based engagement risk assessment workflow, where approvers finally approve or deny the engagement risk assessment project. A phase with this setting is required for the proper functioning of the control-based engagement risk assessment workflow.

The Project Approval phase must include at least one approval task on the Supplier Risk Engagement Template workspace itself.

In addition to the required approval task, you can add other approval tasks to this phase, associated with either the Supplier Risk Engagement Template workspace or with supplemental engagement questionnaires. You can also add To Do tasks to this phase, either as standalone tasks or associated with any supplemental engagement questionnaire survey documents in this phase.

In addition to the required approval task, you can add other approval or To Do tasks to this phase, either as standalone tasks, associated with project template or associated with supplemental engagement questionnaires. Chaining together all of the tasks in this phase as predecessors in workflow order ensures the correct display of the process flow graph on the engagement page and the timely activation of each task when its predecessor is completed. The first approval task in this phase starts automatically when all of the external tasks for risk control reviews in the previous Risk Control Effectiveness Review phase have completed. However, making the last task in the Evidence Collection phase the predecessor of the first workflow task in this phase ensures the correct display of tasks in the process flow on the engagement page. Specify the last workflow task in the Evidence Collection phase as the predecessor to the first workflow task in this phase, specify the first workflow task in this phase as the predecessor of the second workflow task in this phase, and so on.

There are specific requirements [page 134] for tasks on supplemental engagement questionnaires.

NoteApprovers and members of the Supplier Risk Engagement Governance Analyst group can resubmit a denied approval on the engagement risk assessment project in this phase as long as the approval task is not the final task in the phase. If it is the final task in the phase, once the project approval is denied, the phase closes and the approval can no longer be resubmitted. If you want to provide the resubmit option for the final project approval, add at least one task after it in this phase so that the phase remains open after the project approval is denied.

The Post Project Approval phase

The Post Project Approval setting in this phase defines it as an optional final phase in the control-based engagement risk assessment workflow, where task owners conduct post-approval activities. Unlike the first five phases, this phase is not required for the proper functioning of control-based engagement risk assessment projects, and your use of it is optional. To use it, you must add a phase with this setting to the template.

This phase must include at least one task. You can add standalone To Do tasks, or pairs of To Do and approval tasks on supplemental engagement questionnaire survey documents. Chaining together all of the tasks in this phase as predecessors in workflow order ensures the correct display of the process flow graph on the engagement page and the timely activation of each task when its predecessor is completed. The first phase in this task starts automatically after final approval. Do not make the last task in the Project Approval phase a predecessor of the first task in this phase.


For the specific requirements for setting up tasks on supplemental engagement questionnaires, see Setting up supplemental engagement questionnaires [page 134].

The Project Archiving phase

The Project Archiving setting in this phase defines it as the final phase in the control-based engagement risk assessment workflow, after the project approval and the optional post-project approval phase. This setting is only available if both the engagement archiving feature and its advanced archiving workflow are enabled in your site, in which case this phase is required for the proper functioning of the advanced project archiving workflow.

This phase must include at least one task. You can add standalone To Do tasks, or pairs of To Do and approval tasks on supplemental engagement questionnaire survey documents. The phase does not start automatically on the completion of the previous phase. Instead, it starts when a project owner or governance analyst requests archiving of a completed project on the engagement page. Therefore, do not make the last task in the previous phase a predecessor of the first task in this phase. Within the phase, however, you must chain together all tasks using predecessors.

You can use one or more supplemental engagement questionnaires in this phase for requesting and approving archiving of the project. As elsewhere in the engagement risk assessment project workflow, the To Do task that enables editing of a supplemental engagement questionnaire must be the predecessor of its approval task. If all approval tasks in the phase result are approved and all To Do tasks are completed, the completion of the phase results in the approval of the archiving and automatically enables the menu item that project owners and governance analysts use to archive the project. Denial of one approval task in the phase stops the workflow and results in denial of the archiving. Approval tasks on supplemental engagement questionnaires in this phase support the same behavior as in other phases, including ability to request additional information during approval and to resubmit approvals to change approval decisions.

Related Information

About the supplier risk engagement project template for control-based engagement risk assessment projects [page 111]Restrictions, requirements, and helpful hints for setting up the supplier risk engagement project template for control-based engagement risk assessments [page 112]The control-based engagement risk assessment process [page 103]

Setting up supplemental engagement questionnaires

You can create survey documents in the Supplier Risk Engagement Template to supplement the engagement request business details and inherent risk questionnaires and the separate modular supplier management questionnaire projects for assessment questionnaire projects.

Supplemental engagement questionnaires can serve any number of purposes, such as gathering information that is not directly related to risk assessments, tracking compliance, reporting on or monitoring aspects of the



engagement, or asking engagement stakeholders to confirm that they have performed tasks outside of SAP Ariba Supplier Risk. These questionnaires are a part of the control-based engagement risk assessment project itself.

The default survey documents included in the original deployment of the Supplier Risk Engagement Template are always the engagement request business details questionnaire and the engagement request inherent risk questionnaire. To add supplemental engagement questionnaires, add survey documents to the template and create questionnaire content in them.

Each supplemental questionnaire survey document must have a To Do task on the document. The To Do task provides the mechanism through which users edit and submit the questionnaire, so it is required. Only the owners of the To Do task can edit the questionnaire, and you can assign ownership either directly in the template or using buyer category assignments (the user matrix). If you want set up approval for the questionnaire as well, add an approval task to the survey document, make the To Do task its predecessor, and set it to start automatically when its predecessor completes. This configuration is required to ensure that when the To Do task owner submits the questionnaire and the To Do task completes, the approval task starts correctly.

You can put supplemental engagement questionnaire To Do tasks and their associated approval tasks in the following phases:

● Request Approval● Trigger Evidence and Control Process● Project Approval● Post Project Approval

Always put the To Do and approval tasks for the same questionnaire in the same phase. Do not put them in the Evidence Collection or Risk Control Effectiveness Review phases, which are reserved for automatically generated assessment and control review tasks only.

To Do and approval task pairs on supplemental engagement questionnaires include some specialized functionality. Keep in mind the following considerations when setting up these tasks:

● Unlike other To Do tasks, where the task owner who starts the task is the only one who can complete it, all owners of the To Do tasks on supplemental engagement questionnaires have access to it while it is active. Submitting the questionnaire automatically completes the task, but a task owner can also save an in-progress questionnaire, and other task owners can edit the most recently saved version until one of them submits the questionnaire. This behavior is true whether the owner is assigned directly or through membership in a project or global user group, and can allow multiple users to collaborate on answers.

● In addition to approval and denial, the approval tasks on supplemental engagement questionnaires also include an option for requesting more information. Requesting more information reopens the predecessor To Do task so that task owners can edit it again.

● Approvers and members of the Supplier Risk Engagement Governance Analyst group can resubmit a completed approval as long as its phase is still active. Resubmitting the approval restarts the approval task at the beginning of the approval flow. From there, approvers can request more information, restarting the predecessor To Do task as well.

Using predecessors to chain together the To Do and approval tasks on supplemental engagement questionnaires with the other tasks in the control-based engagement risk assessment workflow in workflow order ensures the correct display of the process flow graph on the engagement page and the timely activation of the To Do tasks that enable editing for supplemental engagement questionnaires.


Related Information

Setting up phases and tasks for control-based engagement risk assessment projects [page 130]

Supplier field mappings for control-based supplier engagement risk assessment projects

Survey document questions in control-based supplier risk engagement assessment project templates can include some specialized project-related field mappings. These mappings support important pieces of the engagement risk assessment workflow and are in some cases mandatory.

Field mapping Description

matrix.Categories Connects the mapped question's answer to your site's commodity master data. Only use this field mapping for questions with answer type Commodity.

In control-based engagement risk assessment projects, the initial business details questionnaire in the engagement request must contain a Commodity question with this mapping. Its answer sets the commodity attribute for the overall engagement risk assessment project, and that setting is used to:

● Dynamically add users to project groups using buyer category assignments (the user matrix).

● Add the questions that trigger specific controls to the following inherent risk questionnaire.

● Connect the question answer to the Commodity project field, which you can use to create visibility or project-level conditions.

matrix.Regions Connects the mapped question's answer to your site's region master data. Only use this field mapping for questions with answer type Region.

In control-based engagement risk assessment projects, the initial business details questionnaire in the engagement request must contain a Region question with this mapping. Its answer sets the region attribute for the overall engagement risk assessment project, and that setting is used to:

● Dynamically add users to project groups using buyer category assignments (the user matrix)


● Connect the question answer to the Region project field, which you can use to create visibility or project-level conditions.




matrix.Departments Connects the mapped question's answer to your site's department master data. Only use this field mapping for questions with answer type Department.

In control-based engagement risk assessment projects, the initial business details questionnaire in the engagement request must contain a Department question with this mapping. Its answer sets the department attribute for the overall engagement risk assessment project, and that setting is used to:

● Dynamically add users to project groups using buyer category assignments (the user matrix)


● Connect the question answer to the Department project field, which you can use to create visibility or project-level conditions.

project.Title Specifies that the question answer is the title of the project.

In both legacy and control-based supplier risk assessments, the projects created from the template are all named "<Name of engagement request survey document> by <name of requester>" by default unless you include a question with this mapping. In the case of control-based engagement risk assessments, you must add the mapped question in the initial engagement request business details questionnaire.

project.Owner Specifies that the question answer replaces the previous owner as the explicit project owner..

project.Outsourcing Connects the mapped question's answer to the Materiality project field. This mapping is only supported in a question with Yes/No answer type in the initial business details questionnaire in the engagement request in control-based supplier engagement risk assessment projects. You can use this mapped question to create project-level or visibility conditions to show or hide questionnaire content or create conditional approval flows.

project.Materiality Connects the mapped question's answer to the Materiality project field. This mapping is only supported in a question with Yes/No answer type in the initial business details questionnaire in the engagement request in control-based supplier engagement risk assessment projects. You can use this mapped question to create project-level or visibility conditions to show or hide questionnaire content or create conditional approval flows.



project.Criticality Connects the mapped question's answer to the Criticality project field. This mapping is only supported in a question with Yes/No answer type in the initial business details questionnaire in the engagement request in control-based supplier engagement risk assessment projects. You can use this mapped question to create project-level or visibility conditions to show or hide questionnaire content or create conditional approval flows.

project.reapprove Indicates that when editing an engagement request, any change in response for this question or attribute should always trigger re-approval of the engagement request. This mapping is relevant only if the self-service site configuration parameter Application.SR.Engagement.AllowAdvancedEditCancel is enabled.

question.<question ID> Defines a unique identifier for a question in the inherent risk screening questionnaire in the engagement request in control-based supplier engagement risk projects. The ID you define with this mapping is used to:

● Hide the question by default and show it only when the answers to the commodity, region, and department questions in the initial business details questionnaire map to the question ID in the engagement attribute mapping master data.

● Trigger the control or controls mapped to the question ID in the engagement control mapping master data.

For details on mapping master data, see Supplier risk data import.

NoteQuestions can have multiple mappings. Use commas (,) to separate multiple mappings for the same question. For example, if you want to define an ID for a question in the engagement request inherent risk screening questionnaire and also require reapproval of the engagement request if its answer changes, you can specify a mapping such as question.ID123,project.reapprove.

Related Information

Understanding the components of the control-based risk assessment process [page 106]Restrictions, requirements, and helpful hints for setting up the supplier risk engagement project template for control-based engagement risk assessments [page 112]Setting up the business details questionnaire in the engagement request [page 114]



Setting up the inherent risk screening questionnaire in the engagement request [page 116]

Topics about setting up modular supplier management questionnaires for control-based engagement risk assessments

About modular supplier management questionnaire project templatesModular supplier management questionnaire project templates define the processes by which your company gather and maintain discrete sets of related information, such as certificate information, qualification information, or risk assessments, about suppliers or engagement risk.

Unlike other supplier management projects, you create multiple modular supplier management templates in your site, one for each questionnaire. These templates all have the project type SM Modular Questionnaire.

Each modular supplier management project template must contain one questionnaire. You set a questionnaire type for it and specify the commodities, regions, and departments to which its questionnaire applies. You can also specify an expiration schedule for the questionnaire. This schedule is specific to the questionnaire itself, and operates independently of the expirations of any of the certificate questions it might contain.

Internal users with the appropriate permissions can create standalone external modular supplier management questionnaire projects outside of other supplier management processes by choosing Manage SM Modular Questionnaires on the dashboard and inviting one or more suppliers to fill out one or more questionnaires. During this process, they select from a list of available questionnaires; the list shows each questionnaire's type and the commodities, regions, and departments to which it applies. This process creates a modular supplier management questionnaire project for each selected questionnaire, for each invited supplier. The user who issues the invitation is the explicit project owner.

After an external modular supplier questionnaire project is finally approved, if either the same or a different internal user sends the same modular questionnaire to the same supplier again using Manage SM Modular Questionnaires , the existing project reopens and its tasks restart. The explicit project owner remains the original user who sent the questionnaire.

In sites that include SAP Ariba Supplier Risk, sending risk assessments for a control-based engagement risk assessment project also creates modular supplier management questionnaire projects for the required assessments, which can be either internal or external. In this case, the person who sends the assessments becomes the explicit project owner of the modular supplier management questionnaire projects created by their action. Sending assessments always creates new internal modular questionnaires, which are used once per engagement risk assessment project. It only creates external modular questionnaires for engagement risk assessment projects where the selected supplier does not already have a valid questionnaire from a previous engagement risk assessment project.

Unlike registration projects, which collect basic profile information in one project, modular supplier management questionnaire projects are designed to collect specific, limited sets of information, such as a certificate or set of


related certificates or information that is applicable to a specific risk area or domain. A supplier can have any number of external modular supplier management questionnaire projects. A supplier's external modular supplier management questionnaires and their associated tasks display on the Questionnaires tile in their 360° profiles; after a questionnaire is approved, any user who has permission to see the Questionnaires tile can see its answers. Internal modular supplier management questionnaires show on the engagement page of the control-based engagement risk assessment project in which they are created and are also visible to recipients in the To Do content item of their Home dashboard.

Modular supplier management questionnaire template survey documents include an Always open setting. If this setting is not enabled in an external questionnaire, once the final task is complete, the project closes. If it is enabled, the project stays open and suppliers can update an external questionnaire on a continuous basis. If you do not use phases for template tasks, all of the project's tasks are for new questionnaires; however, you can use phases to set up workflows for new questionnaires and questionnaire updates [page 152]. Internal modular supplier management questionnaires are used once per control-based engagement risk assessment project and never reopen.

Neither deployments of new solutions nor enablement of the modular supplier management feature in existing solutions creates a default modular supplier management project template. Instead, you create these templates [page 147] yourself.

Related Information

Restrictions, requirements, and helpful hints for modular supplier management questionnaire project templates [page 144]How to create a modular supplier management questionnaire project template [page 147]How to set up a modular supplier management questionnaire [page 149]How to set up separate workflows for new and updated modular supplier management questionnaires [page 152]

About modular supplier management questionnaires in control-based engagement risk assessment projects

When you set up modular supplier management questionnaire project templates to define the assessments for control-based risk assessment projects, there are some important considerations to keep in mind about specific template settings and configurations.

● Modular supplier management questionnaire template names [page 141]● Questionnaire type on the template Overview tab [page 141]● Approval tasks [page 141]● Commodity, region, and department [page 142]● Expiration schedules [page 142]● Reuse [page 143]● Other questionnaire settings [page 143]● Project group for internal questionnaire recipients [page 143]● Project ownership [page 144]



NoteSupplier-facing (external) modular supplier management questionnaires that are used as risk assessments in control-based engagement risk assessment projects can be reused between projects, and you can allow suppliers to update them on an ongoing basis. Internal modular supplier management questionnaires that are used as risk assessments in control-based engagement risk assessment projects are used once per risk assessment project, and recipients cannot currently edit them after the initial submission.

Modular supplier management questionnaire template names

When naming the template of a modular supplier management questionnaire that you plan to use in control-based engagement risk assessments, keep in mind that the template name becomes the name of the risk assessment questionnaires created from it. The engagement page includes a Risk Controls area that shows information about all of the engagement's required controls, including the control name (ControlName field in your site's risk control definition master data) and the name of the modular supplier management project template for the associated assessment questionnaire.

Questionnaire type on the template Overview tab

If your organization's processes include engagement risk assessment projects for engagements where a supplier is never specified, and where all of the assessment questionnaires are internal, a customer administrator in your organization must define a questionnaire type with the unique name SR Engagement Questionnaire Type. For internal assessments used in non-supplier-specific engagement risk assessment projects, on the Overview tab of the internal modular questionnaire project template, you must choose the questionnaire type that corresponds to that unique name on the Questionnaire Type dropdown menu. When the responsible user sends assessments for an engagement risk assessment project with no supplier selected, only internal assessments with this questionnaire type are sent. Internal assessments with other questionnaire types are not sent.

Approval tasks

In general, modular supplier management questionnaire project templates do not require an approval task on the template survey document [page 144]. However, if you do not add an approval task to the template, the questionnaire and any updates are automatically approved and associated control reviews start immediately after respondents submit their answers. The only opportunity to flag questionnaire answers as acceptable or unacceptable is during control review. If you do add approval or To Do tasks for new or updated questionnaires, or both, associated control reviews only start after all of the questionnaire tasks are complete and the questionnaire is approved. The options you use for individual questionnaire projects depend on whether or not you want to use those questionnaires in other supplier management processes and whether or not their answers require assessment by stakeholders outside of a risk control review in a control-based engagement risk assessment project.


Commodity, region, and department

Control-based engagement risk assessment projects do not use the Commodity, Region, and Department properties in modular supplier management questionnaire projects. Engagement attribute and control mappings and control definitions determine the commodities, regions, and departments for which a given modular questionnaire is applicable indirectly through the control with which it is associated. However, these properties are useful for standalone external modular questionnaires, and are required for their use in some other supplier management processes. To make sure that an external modular supplier management questionnaire is used consistently in these different contexts, you can set the template Commodity, Region, and Department properties to mirror the applicable values in your contol-based engagement risk assessment project master data.

If you plan to use buyer category assignments (the user matrix) [page 194] to dynamically add users to modular supplier management questionnaire project groups, those assignments are based on the Commodity, Region, and Department settings in the template, which are inherited by all projects created from it.

Expiration schedules

When you set up an external modular supplier management questionnaire template, you can set it to expire and specify an expiration schedule. The expiration settings are in the Supplier Management area of the template survey document rules. If the certificate management feature is enabled in your site, you can also specify that an external modular supplier management questionnaire itself expires when a certificate stored in it expires. Those settings are on the add or edit page for the relevant Certificate question. In either case, the external modular supplier management questionnaire project itself generates notifications to the supplier, prompting them to update the questionnaire, for both pending and past expirations.

Expiration schedules for external modular supplier management questionnaires in control-based risk assessment projects allow you to ensure that control effectiveness reviews are based on timely information. If your site uses the certificate management feature (available in sites that include SAP Ariba Supplier Lifecycle and Performance or SAP Ariba Supplier Information and Performance Management (new architecture)), setting its questionnaire to expire when a critical certificate expires ensures that the associated control reopens and required a new review when the certificate expires. Otherwise, individual certificate expirations do not reopen controls for review.

If an external assessment questionnaire mapped to a required control is expiring or has expired, and the control was previously effective for the supplier, the control reopens (is no longer effective and must be reviewed again). When the requester selects a supplier during request creation, the control no longer counts as Effective. When the task owner of the send assessments To Do task completes that task, the project generates external tasks for the expiring or expired questionnaire and any associated control reviews.

NoteThere is currently no way for recipients to update internal modular supplier management questionnaires after the initial submission. SAP Ariba recommends that you not set expiration schedules for internal questionnaires, since the recipient has no way to update a questionnaire after it expires and the questionnaire therefore remains stuck in Expired status.



Reuse

The Reuse? setting is ignored in modular supplier management questionnaire projects created as part of a control-based engagement risk assessment project.

Regardless of the Reuse? setting in an external modular supplier management questionnaire template, once an external modular supplier management questionnaire project is created as part of a control-based engagement risk assessment project, it can be reused in additional engagement risk assessment projects.

Regardless of the Reuse? setting in an internal modular supplier management questionnaire template, a new internal modular supplier management questionnaire project is always created in every control-based engagement risk assessment project where it is a required assessment, and the recipient must fill it out for that project.

Other questionnaire settings

In addition to expiration settings, be aware of how the following other settings in the Supplier Management area of the template survey document rules affect questionnaires used in control-based engagement risk assessment projects:

Setting Use in control-based engagement risk assessment projects

Is questionnaire required? This setting has no effect in control-based engagement risk assessment projects. If the answers in the engagement request trigger requirement for a control, and a modular questionnaire is defined as an assessment for that control, the questionnaire is always required in the control-based engagement risk assessment project.

Specify questionnaire type Set to External for external (supplier-facing) questionnaires and Internal for internal questionnaires.

Always open This setting only applies to external questionnaires. If you set it to Yes in an external questionnaire, the supplier can update their answers on an ongoing basis.

This setting is ignored in internal questionnaires. Internal questionnaire recipients can currently only edit the questionnaire once, when filling it out and submitting it for the first time.

Project group for internal questionnaire recipients

The only way to define specific recipients for internal modular supplier management questionnaires in control-based engagement risk assessment projects is by creating a project group named Internal Recipient, using that exact name, in the internal questionnaire project template. You can add individual users or system user groups to the Internal Recipient project group, or you can populate it dynamically using buyer category assignments (the user matrix). All members of the Internal Recipient project group receive the invitation to fill out the


assessment questionnaire. If you add a system user group to the Internal Recipient project group, all members of that group receive the invitation.

If the internal modular questionnaire project does not include any members in the Internal Recipient project group, or does not contain the Internal Recipient project group at all, the engagement risk assessment project owner becomes the recipient.

Once the internal assessment is sent, a recipient can change the recipient to any other internal user. Members of the Supplier Risk Engagement Governance Analyst group can fill out all internal assessments.

Project ownership

If a specific modular supplier management project has not been created before for a supplier, and the questionnaire is an assessment for a required control in a control-based engagement risk assessment project, the send assessments To Do task in the Trigger Evidence and Control Process phase automatically creates the modular supplier management questionnaire project with the user who completed the task as the explicit project owner as well as a member of the Project Owner group. Keep this circumstance in mind when setting up task ownership and approval flows in modular supplier management project templates for use in control-based engagement risk assessment projects.

Related Information

About modular supplier management questionnaire project templates [page 139]Restrictions, requirements, and helpful hints for modular supplier management questionnaire project templates [page 144]How to create a modular supplier management questionnaire project template [page 147]How to set up a modular supplier management questionnaire [page 149]How to set up separate workflows for new and updated modular supplier management questionnaires [page 152]

Restrictions, requirements, and helpful hints for modular supplier management questionnaire project templates

Modular supplier management projects function as standalone projects with a specific workflow, and include some specialized settings to facilitate that workflow. They require some specific configuration settings to function properly.

Restrictions

● Modular supplier management questionnaire project templates only supports one survey document. Do not add any other type of document, or more than one survey document, to them.



● External (supplier-facing) modular supplier management questionnaire project templates only support To Do and approval tasks. Internal modular supplier management questionnaire project templates for internal assessments in control-based engagement risk assessment projects only support approval tasks. Do not add any other type of task to them.

● Supplier management projects do not support commodity level restrictions in external questionnaires. Specifying the Allowed Commodity Level property on the template Overview tab does not restrict acceptable answers for suppliers choosing commodities in external questionnaires.

● Modular supplier management questionnaire project templates only support the use of phases in this configuration [page 152].

Requirements

● Each modular supplier management questionnaire project template must contain one survey document.● You must set the questionnaire type for each modular supplier management questionnaire project template

you create, and therefore your site must have questionnaire types defined for it. Your site's questionnaire types are defined using a master data import.

● For most uses, you must set the Commodity and Region properties for each modular supplier management questionnaire project template you create. If your site uses the business unit supplier management matrix enhancement feature, you must also set the Department property. Modular supplier management questionnaire projects are designed to apply to specific commodity, region, and department combinations in most cases.Supplier request, qualifications, disqualification, and preferred supplier management projects are created by submission of a questionnaire that can include commodity, region, and department questions. Standalone modular supplier management questionnaire projects, however, are created via invitation, before a questionnaire is submitted. The Commodity, Region, and Department properties in the project template therefore determine buyer category assignments for standalone modular supplier management questionnaire projects created outside of other supplier management processes.

● If you enable the Always open setting in the Supplier Management area of the template survey document's rules, the external modular supplier management questionnaire projects created from it reopen after every final approval, and suppliers can update their questionnaires on an ongoing basis. There is no need to configure phases in the template to support this update capability. However, without phases, the tasks in the template only apply to new modular questionnaires and all updates are automatically approved. To enable approval of questionnaire updates, you must set up phases and add separate tasks to them [page 152]. You can use these phases to define separate workflows for new external questionnaires and questionnaire updates.

Helpful hints

● Modular supplier management questionnaire projects do not require any tasks, including approval tasks. If you do not add an approval task on the project template survey document, the project is automatically approved when the respondent submits the questionnaire.

● Suppliers can have many external modular supplier management questionnaire projects; the project questionnaires and associated tasks display in separate Questionnaire and Task tables on the Questionnaires tile. Make sure that the names you give to tasks clearly associate them with the questionnaires to which they belong so that users can easily identify the associations on the Questionnaires tile.


● Modular supplier management projects are useful for collecting certificate information from suppliers. For specific guidance about setting templates up for certificate management, see the topic on setting up certificate management.

● For new questionnaires, the Due Date setting in the Timing Rules section of survey documents defines the amount of time the supplier contact has to fill out the questionnaire after the invitation is sent. If the supplier contact does not fill and submit the questionnaire in that time, the questionnaire closes and the supplier contact can no longer edit it. Reminding the supplier to fill out the questionnaire reopens it so that the supplier can fill out and submit it again. The default due date value is 30 days, but you can change that time period by editing the Due Date field in the questionnaire survey document.If you have set Always open to Yes for the questionnaire, once all of the tasks for a new questionnaire completed, it automatically reopens so that the supplier can submit updates. Depending on your site's configuration, the Due Date setting might also determine how long the questionnaire remains reopened for updates. For details, see Supplier form or questionnaire closing, reopening, and due dates [page 146].


● You can to include approver comments from approval tasks with the [TASK_COMMENT_TEXT] email token.

Related Information

About modular supplier management questionnaire project templates [page 139]How to create a modular supplier management questionnaire project template [page 147]How to set up a modular supplier management questionnaire [page 149]How to set up separate workflows for new and updated modular supplier management questionnaires [page 152]

Supplier form or questionnaire closing, reopening, and due dates

External (supplier-facing) questionnaires close when a supplier submits them and reopen under certain circumstances. The questionnaire due date always determines how much time a supplier has to fill out a new questionnaire before it closes, and might affect how long a supplier has to update a questionnaire after it reopens.

The timing rules of the template survey document for a supplier form or questionnaire include a Due date setting. It defines how much time a supplier has to fill out and submit a new questionnaire before it closes. The countdown to the due date starts when the supplier is invited to fill out the questionnaire.

The questionnaire closes either when the supplier has submitted the questionnaire or when the due date is reached, whichever comes first. When the questionnaire is closed, the supplier can no longer edit it.

The questionnaire reopens automatically when:

● An approver requests additional information during the approval process.● For external registration and qualification questionnaires, when a category or supplier manager reinvites a

supplier to fill out the questionnaire because the supplier did not respond to the previous invitation by the due date.



● For external modular supplier management questionnaires, when a category or supplier manager reminds a supplier to fill out the questionnaire because the supplier did not respond to the previous invitation by the due date.

● For registration questionnaires with new questionnaire and questionnaire update phases, when either the new questionnaire or a questionnaire update is approved.

● For modular supplier management questionnaires with Always open set to Yes, when either the new questionnaire or a questionnaire update is approved.

Once a questionnaire has reopened, the supplier can edit and resubmit it until it closes again. If you want a questionnaire to remain reopened indefinitely, use the Keep questionnaire reopened indefinitely setting. It keeps external questionnaires reopened indefinitely for only supplier registration and modular supplier management questionnaire projects.


If the Keep questionnaire reopened indefinitely setting is set to No, the amount of time a reopened questionnaire remains open is determined by the setting of the Application.AQS.RFX.ReopenIfClosedInterval parameter in your site. The default amount of time is 365 days, but your site might use a different number of days. If the setting for the parameter is 0, the amount of time a reopened questionnaire remains open is determined by the template survey document Due date setting instead. In this case, make sure that the due date you set for the questionnaire takes into account not just the expected response time for a new questionnaire but its expected update cycle. If the Keep questionnaire reopened indefinitely setting is set to Yes, the template ignores the Application.AQS.RFX.ReopenIfClosedInterval site parameter and remains reopened indefinitely.

After a questionnaire has closed, the only way to reopen it is for a user with permission to work in the advanced view of the project to manually monitor and reopen the questionnaire.

Modular supplier management questionnaires can expire, but questionnaire expiration is a status change that indicates the current validity of the questionnaire content. It is not related to whether or not the questionnaire is open or the questionnaire due date. An expiring or expired questionnaire that is set to always be open only closes if the supplier does not update it before it due date. Otherwise, it remains open until the supplier submits an update.

Related Information

How to create a supplier form or questionnaire [page 169]How to set up a modular supplier management questionnaire [page 149]

How to create a modular supplier management questionnaire project template

Every modular supplier management questionnaire is defined by a separate template, which specifies the type of questionnaire, its content, and its approval flow.


Prerequisites

You must be a member of the Template Creator and SM Questionnaire Manager groups to create modular supplier management questionnaire templates.

Questionnaire types must be defined in your site's master data.

The Department attribute in modular supplier questionnaire templates is only used in sites with the business unit supplier management matrix feature enabled. Otherwise, it is ignored.

Context

You must set the Questionnaire Type attribute for each modular supplier management questionnaire template you create. A customer administrator defines the questionnaire types in your site using master data import.

You can also set the template's Commodity, Region, and Department attributes so that projects created from it are applicable to a specific commodity, region, and department combination.

Do not set access control or apply conditions to modular supplier management questionnaire templates. Since users do not explicitly create projects from them, access control or condition settings might interfere with the workflow by which users select the questionnaires and send them to suppliers.

Procedure

1. On the dashboard, choose Manage Templates .

2. On the Documents tab of the Templates area, choose Actions Create Template .3. For project type, choose SM Modular Questionnaire.4. Click OK.5. Enter a name and optional description for the new template. Template names can have a maximum of 255

characters and cannot contain these special characters: \ / : ? “ < > | # + % &.

6. Choose a language from the Base Language dropdown menu. The base language is the language in which you plan to author the template's content and is shown to its users by default unless you provide translations.

7. Click OK.

The new template opens on the Overview tab. It is in Draft status.

8. In the Properties area, choose Actions Edit Properties .9. Set the type for the modular supplier management questionnaire by performing the following actions:

a. For Questionnaire Type, click the dropdown menu, then choose Search more.b. Click Select for one of the questionnaire types defined in your site, then click Done.

10. (Optional) Repeat the previous step to set specific values for Commodity, Region, and Department. If you do not specify specific values, the questionnaire is available for all commodities, regions, and departments.

11. Click Save.



Next Steps

Set up the template's modular supplier management questionnaire [page 149].

How to set up a modular supplier management questionnaire

Setting up a modular supplier management questionnaire involves creating a survey document and specifying settings for how it is used.

Prerequisites

You must be a member of both the Template Creator and SM Questionnaire Manager groups to edit and publish modular supplier management questionnaire templates.

Context

The properties of the modular supplier management project template [page 147] to which you are adding a questionnaire specify a combination of commodities, regions, and departments. The questionnaire that you set up is designed to hold content that is applicable to that combination.

In general, modular supplier management questionnaire survey documents support the same types of content and question answer types as the survey documents in other supplier management project templates, including the use of visibility and editability conditions, supplier database field mapping, sensitive data masking, and other settings. However, since one of the purposes of these questionnaires is to collect certificate information from suppliers, questions of answer type Certificate in modular supplier management questionnaire project templates have specialized settings to support certificate management.

NoteTemplate survey documents contain a number of settings (supplier eligibility criteria, definitions, participants, and so forth) that are not relevant to modular supplier management processes. These settings are ignored in modular supplier management questionnaire projects. Only the timing rule and supplier management settings on the survey's Rules page and the content on its Content page are used in modular supplier management questionnaire projects.

Timing rules in modular supplier management questionnaires determine how much time a recipient has to fill out and submit the form or questionnaire after being invited to do so. For external questionnaires, if you specify Yes for the Always open setting in the supplier management rules, once the questionnaire is approved, it automatically reopens so that the supplier can update it. If you specify Yes for the Keep questionnaire reopened indefinitely setting in the timing rules, the reopened external questionnaire will remain open indefinitely.


Procedure

1. Open the supplier modular supplier management questionnaire template. If it is not in Draft, create a new version.

2. Click the Documents tab.

3. Choose Actions Create Survey .4. In the Title field, enter a descriptive title for the questionnaire.

TipModular questionnaire titles display in lists of questionnaires that category and supplier managers can send to suppliers and in the 360° profiles of suppliers who have been invited to fill them out, so make sure that the title you give the questionnaire identifies its purpose clearly.

5. (Optional) In the Description field, enter descriptive information about the survey. This information is only visible in the template.

6. For Test Event, choose No.7. Choose a language from the Base Language dropdown menu. The base language is the language in which you

plan to author the survey's content, and is shown to its users by default unless you provide translations.8. Click Create.9. On the questionnaire's Rules page, navigate to the Supplier Management rules and perform the following

actions:

For this setting... Choose...

Specify questionnaire format Form to create a questionnaire with an unnumbered list of questions, or Questionnaire to create a questionnaire with numbered questions.

Is questionnaire required? Yes.

NoteThis setting is ignored in questionnaires created in SAP Ariba Supplier Risk control-based engagement risk assessment projects.

Specify questionnaire type Specify External for questionnaires that suppliers fill out, or Internal for questionnaires that stakeholders in your organization fill out. Currently, internal modular supplier management questionnaires are only supported in SAP Ariba Supplier Risk control-based engagement risk assessment projects.

Reuse Yes if you want to be able to reuse the questionnaire in other supplier management processes in the future, or No if you want the questionnaire to exist only as a standalone questionnaire.



For this setting... Choose...

NoteCurrently, Rozwiązania SAP Ariba Supplier Management do not support reusing modular questionnaires in other supplier management processes such as qualification or performance management. However, this functionality is planned for a future release. SAP Ariba Supplier Risk ignores this setting.

Always open Yes to automatically reopen the external questionnaire for supplier updates after approval, or No to permanently close the questionnaire after the initial approval or denial.

If you are creating the questionnaire to collect certificate information, always choose Yes so that suppliers can always update their certificate information. If you set the questionnaire to expire, it is also useful to keep it open so that the supplier can update an expiring or expired questionnaire. Otherwise, once it expires, it remains permanently expired.

Can expire? Yes if you want the questionnaire to expire on a specific date; otherwise No.

If you choose Yes, set the expiration schedule and the amount of time before expiration that email reminders are sent to the supplier contact who submitted the questionnaire. You also have the option of sending expiration notifica-tions to the supplier's primary supplier manager and to the members of the questionnaire's Project Owners group.

If a questionnaire project created from this template is approved, its status changes to Expiring or Expired based on the reminder and expiration date settings in the expiration schedule.

These expiration settings apply to the questionnaire itself. If you add certificate questions to the questionnaire, each of them also has its own expiration date, and each certificate expiration also generates notifications. A setting in certifi-cate questions allows you to base the questionnaire project's Expiring and Expired status on the expiration schedule for the certificate rather than the questionnaire.

10. In the Timing Rules area, perform the following actions:

○ (Optional) Edit the default due date. The due date affects how long new questionnaires remain open. It does not affect how long reopened questionnaires remain open. You can also enable reminders to the supplier as the due date approaches.

○ If you set Always open to Yes, choose a setting for Keep questionnaire reopened indefinitely. Choose Yes to keep an external questionnaire reopened indefinitely.

For details, see Supplier form or questionnaire closing, reopening, and due dates [page 146].


11. In the navigation pane on the left side of the page, click Content.12. Add questions and other content to the questionnaire as needed.13. Click Exit to save your changes and exit the survey document.

Next Steps

After you have created the questionnaire survey document:

● (Optional) Create at least one approval task for it and configure the approval flow. If you do not create an approval task with an approval flow, modular supplier management questionnaire projects created from the template are automatically approved when the respondent submits the questionnaire. You can also create multiple approval tasks for the questionnaire and chain them together as predecessors. If you do not use phases, the approval tasks in the project template apply only to new questionnaires, and questionnaire updates are always auto-approved.

● (Optional) Create one or more To Do tasks for the survey document. If you do not use phases, the To Do tasks in the project template apply only to new questionnaires.

● Create new questionnaire and questionnaire update phases [page 152] to apply approval and To Do tasks separately to new questionnaires and questionnaire updates.

● Publish the modular supplier management project template.

Related Information

About modular supplier management questionnaire project templates [page 139]Restrictions, requirements, and helpful hints for modular supplier management questionnaire project templates [page 144]How to create a modular supplier management questionnaire project template [page 147]How to set up separate workflows for new and updated modular supplier management questionnaires [page 152]About modular supplier management questionnaires in control-based engagement risk assessment projects [page 140]Supplier form or questionnaire closing, reopening, and due dates [page 146]

How to set up separate workflows for new and updated modular supplier management questionnaires

Modular supplier management questionnaire projects support the use of two phases to apply separate approval and To Do tasks to new questionnaires and questionnaire updates. Questionnaire updates are automatically approved unless the project template includes an approval task in the update phase.



Prerequisites

To add phases and tasks in a modular supplier management project template, you must be a member of the Template Creator and SM Modular Questionnaire Manager groups.

Context

Each modular supplier management questionnaire project template requires at least one approval task. If you use phases, it must be in the new questionnaire phase.

Suppliers can always update modular questionnaires set to Always Open, but tasks only apply to updates if they are in an update phase or if a user re-sends the same questionnaire to the same supplier. If the modular questionnaire project template does not use phases, its tasks apply only to new or re-sent questionnaires; once a new or re-sent questionnaire is approved and the project's tasks are completed, updating the questionnaire does not restart them. If you want to apply tasks to questionnaire updates, including approval tasks, you must create a new questionnaire phase and a questionnaire update phase and add tasks to each phase to define separate workflows and approvals for the different stages of the questionnaire's lifecycle.

Modular supplier management project templates support phases with special New Questionnaire and Questionnaire Update settings to control the order in which the phases start and whether the tasks in the phase are one-time-only (for new questionnaires) or recur (for every questionnaire update). The New Questionnaire phase starts one time, immediately when the supplier is invited to fill out the questionnaire. The Questionnaire Update phase starts again every time supplier updates the modular questionnaire.

Within the new questionnaire and questionnaire update phases, you add separate approval and To Do tasks on the same questionnaire survey document to define the workflows for new and updated questionnaires. For example, you can set up an approval task with a full approval flow involving all relevant stakeholders in the new questionnaire phase, and an approval task with a more streamlined approval flow in the update phase. The order in which tasks appear in a phase does not affect the order in which they start. When the phase starts, all of its tasks automatically start unless they are predecessors of other tasks. You can chain the tasks in a phase together as predecessors to define the order in which they start and create a workflow.

When setting up modular questionnaire phases and their tasks, keep in mind the following considerations:

● You can only add two phases to modular supplier management questionnaire projects: one with the New Questionnaire setting and one with the Questionnaire Update setting. These phases do not use the Subscribe For, Rank, or Predecessor settings; the new questionnaire phase automatically precedes the questionnaire update phase.

● Make sure that all of the template tasks are inside either the new questionnaire phase or the update questionnaire phase. If you use these phases in a modular supplier management project template, adding tasks outside of them is not supported.

● Make sure that the tasks you specify as predecessors are within the same phase. Do not make tasks in one phase predecessors of tasks in a different phase.

● You cannot apply conditions to modular supplier management questionnaire tasks or phases themselves.

For details on adding tasks and phases to project templates, see Managing Projects, Teams, Documents and Tasks and the Project Template Guide, keeping in mind the limitations on tasks and phases in modular supplier management project templates.


Procedure

1. Open the modular supplier management questionnaire project template. If it is not in Draft, create a new version.

2. Click the Tasks tab.3. Create a phase for new questionnaires by performing the following steps:

a. Click Action Create Phase .

The Create Phase page opens.b. Enter a name for the phase, such as New Questionnairec. Check only the New Questionnaire option.d. Make sure that Recurring Schedule is set to No so that the tasks in the phase are used only once, when

the questionnaire is first submitted.e. Click OK.

The new phase, indicated by the unstarted phase icon (), appears on the Tasks tab.4. If you have not already done so, add the required approval task, plus any additional approval and To Do tasks

you want to use for new questionnaires, and make sure that they are located inside the new questionnaire phase. On the Tasks tab, you can move tasks into phases using drag and drop.

5. Create a phase for questionnaire updates by performing the following steps:

a. Click Action Create Phase .

The Create Phase page opens.b. Enter a name for the phase, such as Questionnaire Updatesc. Check only the Questionnaire Update option.d. Make sure that Recurring Schedule is set to No so that the tasks in the phase are used only once, when

the questionnaire is first submitted.e. Click OK.

The new phase, indicated by the unstarted phase icon (), appears on the Tasks tab.6. Add any approval tasks and To Do tasks you want to use for questionnaire updates, and make sure that they

are located inside the questionnaire update phase.7. After you have finished setting up the modular supplier management project template, publish it.

Results

When a category or supplier manager first invites a supplier to fill out a modular questionnaire, the new questionnaire phase starts. Final approval of the new questionnaire completes the new questionnaire phase. After that, every time recipient updates the questionnaire, the update phase starts again. Final approval of the questionnaire update completes that recurrence of the questionnaire update phase.

Related Information

About modular supplier management questionnaire project templates [page 139]



Restrictions, requirements, and helpful hints for modular supplier management questionnaire project templates [page 144]How to create a modular supplier management questionnaire project template [page 147]How to set up a modular supplier management questionnaire [page 149]

Topics about setting up issue management projects for engagement risk assessments

The issue management process for risk controls and control-based engagement risk assessment projects [page 155]

The legacy engagement risk issue management process [page 157]

About the issue management project template [page 158]

Restrictions, requirements, and helpful hints for setting up the issue management project template [page 159]

Setting up residual risk based on issue probability and severity in control-based engagement risk assessment projects [page 162]

Customizing the issue page [page 163]

Setting up access control for editing sections of the issue form [page 164]

Tasks and phases in the default issue management workflow [page 166]

Suppliers field mappings for supplier engagement risk assessment issue management projects [page 167]

The issue management process for risk controls and control-based engagement risk assessment projectsIssue management is the process by which engagement requesters, control decision makers, and experts at your company raise, analyze, and resolve issues related to control-based engagement risk assessment projects and their required risk controls.

Engagement risk assessment project stakeholders can raise issues for the overall risk assessment project. Control decision makers can raise issues for specific controls during a control review. For example, a request approver who is concerned that the required controls may not address a potential additional risk can approve the request but raise an issue. Or during control review, a control decision maker might raise an issue to clarify some aspect of the control's potential effectiveness. Issues created for vendor- and service-level controls, and their residual risk ratings, are also automatically included in all engagement risk assessment projects that require the control and that include the same supplier (for vendor-level controls) or commodities (for service-level controls). That way, control decision makers have visibility into the issues that shaped previous decisions about control effectiveness in similar engagements.

The nature, severity, and probability of an issue and whether or not it has a satisfactory resolution are factors that control decision makers consider when reviewing a control and marking it as effective or ineffective for an engagement, and that approvers for the overall engagement risk assessment project consider when finally approving or denying the engagement. Depending on the issue management setup in your site, issue probability


and severity may also determine the residual risk rating of the issue. The residual risk rating of the engagement may in turn be defined by the highest residual risk of issues created for the current engagement or any shared issues created for the same vendor- or service-level controls in previous engagement.

The issue management process provides an automatic and auditable process for collecting all of the pertinent information about an issue and involving relevant experts in its analysis and resolution. It includes five stages:

1. Issue creation: a user becomes aware that there is a potential issue with a proposed engagement while the control-based engagement risk assessment project in progress, either for the engagement in general or for one of its required controls, and creates an issue in Draft status. The user who creates the issue might fill out most or all of the information for it, including specifying assignee, or might leave most of the issue's fields blank at this time. The Comments area is not yet available during issue creation.

2. Issue definition: the issue assignee (if there is one at this point) and owners of various issue definition tasks edit the issue to provide more detailed information, add comments, and complete their assigned tasks. The issue then moves from Draft to In Progress status.

3. Issue analysis: the assignee (if there is one at this point) and owners of various issue analysis tasks review the issue details, edit the issue to update or add information if necessary, add comments, and complete their assigned tasks. They might or might not propose resolutions at this stage. If the issue has not yet been assigned, they also specify a user who can resolve the issue as the assignee at this point.

4. Issue resolution: the assignee and owners of various issue resolution tasks review the issue information, edit it to propose or finalize its resolution, and complete their assigned tasks. If all of the information in the issue form has not yet been filled out by now, it is added and finalized at this point, including the final issue severity and probability.

5. Issue resolution acceptance: task owners complete any other assigned asks related to issue resolution acceptance and the approvers assigned to the issue review the resolution and finally approve it. The issue then moves from In Progress to Resolved or Request Denied status.

If the issue assignee team management feature is enabled and set up in your site and your issue management projects include an assignee project group, at any point between when the issue is created and when it is resolved, users with the appropriate permissions can add assignees to the issue from the issue page.

NoteMembers of the Project Owner project group in the issue management project and members of the Supplier Risk Engagement Governance Analyst global user group have permission to edit an issue. If issue management projects in your site include an assignee project group, members of that group can also edit an issue. If your site uses role-based access control in the issue form, members of these groups can only edit those sections of the issue form to which they have access. Neither task ownership nor access privileges by themselves grant permission to edit an issue.

Someone can become an issue assignee in any of the following ways:

● By creating the issue.● Through the project template.● By membership in the Project Owner group of the associated control-based engagement risk assessment

project. When someone creates an issue for an engagement risk assessment project, the current membership of its Project Owner project group is automatically copied to the issue assignee project group. This copy is a one-time operation at issue creation. There is no ongoing synchronization in membership between the engagement risk assessment Project Owner project group and assignee groups in its associated issue management projects.

● When someone with permission to edit the issue selects them as the assignee on the issue form.● When someone with the appropriate permissions adds them as an assignee teams member on the issue page.



Your site's issue management project template defines:

● The questions in the issue form.● Whether or not specific sections of the issue form have access control settings so that only users with specific

roles can fill out those sections of the form.● How some assignees are added to the issue, either through the template or using a question in the issue form.● The tasks in the issue management workflow and their owners.● Who is responsible for approving the issue resolution.

Master data in your site defines:

● The probabilities and severities you can specify for an issue.● Whether or not those probabilities and severities translate into a residual risk rating for the issue and the

associated engagement risk assessment project.

Related Information


The legacy engagement risk issue management process

Issue management is the process by which internal users, governance experts, and other stakeholders at your company raise, analyze, and resolve issues related to supplier or third-party engagement risk assessments.

NoteThe information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future enhancements are planned for them. Control-based engagement risk assessment projects include important improvements and will continue to add features. Customers with subscription order forms dated after the SAP Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use control-based engagement risk assessment projects.

The nature and severity of an issue, and whether or not it has a satisfactory resolution, is one of the factors that approvers of engagement risk assessment projects take into account when approving or denying an engagement. The issue management process provides an automatic and auditable process for gathering all of the relevant information about an issue and involving relevant experts and other stakeholders in its analysis and resolution. It includes five stages:

1. Issue creation: a user becomes aware that there is a potential issue with a proposed supplier or third-party engagement with an assessment project in progress, either with the entire engagement or with a specific engagement-level risk assessment, and creates an issue in Draft status. The user who creates the issue might fill out most or all of the information in the Issue details area, including specifying assignee, or might leave most of the issue's fields blank. The Comments area is not yet available during issue creation.

2. Issue definition: the issue assignee (if there is one at this point) and owners of various issue definition tasks edit the issue to provide more detailed information, add comments, and complete their assigned tasks. The issue then moves from Draft to In Progress status.


3. Issue analysis: the assignee (if there is one at this point) and owners of various issue analysis tasks review the issue details, edit the issue to update or add information if necessary, add comments, and complete their assigned tasks. They might or might not propose resolutions at this stage. If the issue has not yet been assigned, they also specify a user who can resolve the issue as the assignee at this point.

4. Issue resolution: the assignee and owners of various issue resolution tasks review the issue information, edit it to propose or finalize its resolution, and complete their assigned tasks. If the fields of the Inherent Issue Document area have not yet been filled out, they are finalized at this point.

5. Issue resolution acceptance: task owners complete any other assigned asks related to issue resolution acceptance and the approvers assigned to the issue review the resolution and finally approve it. The issue then moves from In Progress to Resolved or Request Denied status.

NoteThe issue creator has permission to edit the issues they have created. The issue assignee has permission to edit issues to which they are assigned. Members of the Supplier Risk Engagement Governance Analyst group have permission to edit any issue. Task ownership by itself does not grant a user permission to edit an issue.

Your site's issue management project template defines:

● The fields in the Inherent Issue Document area, which collect information about the issue.● The tasks in the issue management workflow and their owners.● Who is responsible for approving the issue resolution.

About the issue management project templateThe issue management project template defines the process by which internal users at your company raise, analyze, and resolve issues related to engagement risk assessment projects and their assessment questionnaires.

The project template must always contain one survey document with an associated approval task, and a specific configuration of phases and tasks [page 166].

Internal users with the appropriate permissions create issue management projects by choosing Action Create Issue either at the top of the engagement request page or next to a sent or previously sent engagement-level risk assessment in the Assessment Summary table.

By default, the user who creates the issue is a member of its Project Owner project group unless you specify different membership of that group in team member rules. If the issue assignee team management feature is enabled in your site, the user who creates the issue is added to the assignee project group instead.

The issue management project is designed to process the issues that users raise with a supplier or third-party engagement risk assessment project in general, or with a specific engagement-level risk assessment in one of those projects. The user who creates the issue provides information in a set of fields, some of which are included in every issue and some of which you can customize [page 163]. Internal stakeholders then complete various tasks to completely define the issue, analyze it, and resolve it. Approval of the resolution closes the issue.

The issue management process is a one-time process. Members of the Project Owners project group, assignees, and members of the Supplier Risk Engagement Governance Analyst group can edit those sections of the issue to which they have access up until the time that the first approver in the approval flow has approved or denied it. After that, the issue is no longer editable.

If the issue assignee team management feature is enabled in your site, the issue management project template must include a project group named Assignee, using that exact text. Members of the assignee project group



automatically have permission to edit any sections of the issue not restricted by access control. Users can become members of the assignee project group in one of the following ways:

● By creating the issue. By default, the user who creates an issue is added automatically to both the assignee and Project Owner project groups in an issue management project. If the self-service configuration parameter Application.SR.IssueManagement.AddAssigneeToAssigneeTeamOnly is enabled in your site, the user who creates an issue is only added to the assignee project group and is not added to the Project Owner group.

● Through the project template.● By membership in the Project Owner group of the associated control-based engagement risk assessment

project. When someone creates an issue for an engagement risk assessment project, the current membership of its Project Owner project group is automatically copied to the issue assignee project group. This copy is a one-time operation at issue creation. There is no ongoing synchronization in membership between the engagement risk assessment Project Owner project group and assignee groups in its associated issue management projects.

● When a user who has permission to edit the issue selects an answer to the assignee question, mapped to project.Assignee, on the issue form and submit the edit.

● When a user with the appropriate permissions adds assignee teams members on the issue page.

NoteThe issue management project feature is enabled by default in all sides. However, in sites deployed prior to the July 2018 release, SAP Ariba Customer Support must run the MigrateSRIssueWorkspacesTask scheduled task to add the issue management project template to your site.

Related Information

Restrictions, requirements, and helpful hints for setting up the issue management project template [page 159]Customizing the issue page [page 163]Tasks and phases in the default issue management workflow [page 166]

Restrictions, requirements, and helpful hints for setting up the issue management project template

Issue management projects use a specific workflow, and need some specific configurations to ensure that they fit successfully in that workflow.

Restrictions

● The issue management project template only supports one survey document for the inherent issue document. Do not add any other type of document to it, and do not add more than one survey document to it.

● The issue management project template only supports To Do, review, and approval tasks. Do not add any other type of task to it.


● Issue management projects are defined to include four phases, one for each stage of the workflow. Do not add any other phases to the template, and include the required settings in those phases.

Requirements

● All of the tasks in the issue management project template must be chained together as predecessors in the order in which you want to use them in your workflow. With the exception of the first task in the workflow, none of the tasks become active until their predecessors are completed. This requirement means that:○ The first task in your issue management workflow must be in the Issue Definition phase and cannot have

any predecessors. It becomes active automatically when a user creates an issue. If you add another task in the Issue Definition phase, it must specify that first task as a predecessor, and so on, so that all of the tasks in the phase are chained together as predecessors.

○ For the Issue Analysis, Issue Resolution, and Issue Resolution Acceptance phases, the first task in each phase must specify the last task in the preceding phase as a predecessor, and all of the tasks within a phase must be chained together as predecessors.

○ The last task in your issue management workflow must be in the Issue Resolution Acceptance phase and must not be specified as a predecessor of any other task.

Task order in the issue management workflow is defined solely by task predecessors; do not set any of the project template's phases as predecessors of tasks, or as predecessors of other phases.

● The template's default survey document includes default questions. The following default questions include specialized supplier field mappings that define their function in the issue management workflow:○ Title, mapped to project.Title

Issue Description, mapped to project.IssueDescriptionIssue Severity, mapped to project.IssueSeverityIssue Assignee, mapped to project.AssigneeDue Date, mapped to project.IssueDueDate

These questions with these field mappings are required for the proper functioning of the issue management workflow. You can edit the title or other supported settings of the questions, but they must be present in the issue management project template survey document.

● If you plan to use issue probability and severity to generate residual risk ratings for issues and their associated engagement risk assessment projects, you must also add a question for probability to the template survey document and import site master data for probabilities, severities, and residual risk mappings. See Setting up residual risk based on issue probability and severity in control-based engagement risk assessment projects [page 162] for details.

● To use the issue assignee team management feature, if it is enabled in your site, you must add a project group named Assignee, using that exact text, to the issue management project template. You can add members to this group in the template.

Helpful hints

For more information on working with phases and approval, To Do, and review tasks, see the Project Template Guide and Managing projects, teams, documents, and tasks.

When you set up the issue management project template in your site, keep the following considerations in mind:



● The default owner of all of the default issue management project template To Do tasks is the Project Owner project group. With this setting, the user who created the issue completes the To Do tasks until an assignee is specified. After that, the user specified as the assignee automatically becomes the owner of any To Do tasks that have not yet started. You can assign a different owner for any of all of the project's To Do tasks; however, keep in mind that the owners you assign might need to edit the issue to fulfill their roles in the workflow. For example, in the Issue Definition phase, the owner of the To Do task must be able to edit the issue to make sure that it has a complete description.Members of the Project Owner project group of an issue management project and users assigned to an issue can edit that issue; however, only members of the Supplier Risk Engagement Governance Analyst group can edit all issues.

● The default approver of the default approval task in the Issue Resolution Acceptance phase is also the Project Owner group, meaning that the user who created the issue can approve the resolution. You can specify other approvers for any approval tasks in the project template. Approvers must only be members of the Supplier Risk Engagement Governance Analyst group if you want them to be able to edit the issue. Otherwise, any user who is added as an approver to the issue can view it and complete the approval task.

● Issue management projects support the use of review tasks, which function somewhat like approval tasks: you create them on the issue management project survey documents, you can assign one or more individual users or project groups as reviewers in a flow, and the assigned reviewers can access the issue page even if they otherwise don't have that permission. You can use these tasks to let stakeholders review the issue without giving them approval power.

● The issue management process flow displays the titles of the tasks in the workflow as process nodes; keep that in mind when naming the project's tasks.

● Issue management projects support both independent To Do tasks and To Do tasks on the template's survey document. All of the default project template To Do tasks that define the default workflow are independent.

● When assigning tasks and creating review and approval flows, keep in mind that task ownership or assignment as an approver or reviewer does not grant a user permission to edit an issue by itself. Members of the Project Owner project group and assignees have permission to edit individual issues. Members of the Supplier Risk Engagement Governance Analyst group have permission to edit any issue.

● If the role-based editability for issue feature is enabled in your site, you can set up editing access control [page 164] for specific sections of the issue form. Keep in mind that access does not grant a user permission to edit the issue by itself. Members of the Project Owner project group and assignees have permission to edit individual issues. Members of the Supplier Risk Engagement Governance Analyst group have permission to edit any issue.

● You can modify the default values for the following settings in any issue management project template To Do task: Title, Description, Owner, Due Date, and Predecessors. Always set Allow auto complete to No, and do not apply conditions to these tasks. The other To Do task settings have no effect in issue management projects. Note that the owner you assign only owns the To Do task until an assignee is specified for the issue; after that, the assignee becomes the owner of all of the issue's unstarted To Do tasks.

● You can modify the default values for the following settings in any issue management project template approval or review task: Title, Description, Owner, Approvers, or Reviewers, Allow auto approve, approval flow, Due Date, and Predecessors. Do not apply conditions to these tasks. The other approval or review task settings have no effect in issue management projects. Note that the approval task owner can resubmit a denied approval task to restart the approval flow.

● As with the engagement request and engagement-level risk assessments, you can enable ad hoc approval. You can also enable ad hoc review. With issue management projects, if you specify an empty approval or review flow for the task, the project owner (rather than a member of the Supplier Risk Engagement Governance Analyst group) can add approvers or reviewers. An approval or review flow is empty when there are no nodes between the Submitted and Approved or Reviewed boxes in the flow editor.


● The base language of the issue management project template's default survey document is English, and therefore default content in that survey document is English. You can add translations [page 190] to that default content for users in non-English locales.


Related Information

About the issue management project template [page 158]Customizing the issue page [page 163]Tasks and phases in the default issue management workflow [page 166]

Setting up residual risk based on issue probability and severity in control-based engagement risk assessment projects

Setting up residual risk in control-based engagement risk assessment projects involves configuring severity and probability questions in the issue management project template and importing site master data to define how to classify risk for different combinations of issue severity and probability.

Residual risk refers to the risk that remains after the all of the risks associated with a supplier or third-party engagement have been identified, assessed, and settled. During the control-based engagement risk assessment process, the requester and various stakeholders can raise issues for it; control decision makers can also raise issues related to specific controls. Issues are typically aspects of the engagement that cannot be mitigated by standard risk controls, or for which controls are not sufficient for one reason or another. They therefore have a direct bearing on an engagement's residual risk. Based on mappings that you define in site master data, the combined probability and severity of an issue determine its residual risk, and the highest (most risky) level for all of the issues in an engagement determine the residual risk for the engagement itself. Users with the appropriate permissions can manually edit an engagement's automatically assigned residual risk to raise or lower it as circumstances require.

To set up residual risk in control-based engagement risk assessment projects, perform the following tasks:

● Import risk classification master data to define your site's system of classifying risk from lowest to highest risk. The names you assign to risk classifications in this data show in the Residual Risk field in the Issue details area of the issues page and the Engagement Summary area of the engagement page. For details on this master data, see Supplier risk data import.

● Import risk probability master data to define the levels of probability that users can assign to an issue. For details on this master data, see Supplier risk data import.

● Import risk severity master data to define the levels of severity that users can assign to an issue. For details on this master data, see Supplier risk data import.

● Import residual risk mapping master data to define the risk classification that applies to each combination of severity and probability. For details on this master data, see Supplier risk data import.



● Edit the issue management project template to include a question for severity and a question for probability in the survey document. If you are already using issue management projects, a question for severity might already be present. However, both severity and probability questions are required so that the issue can include the probability and severity upon which the residual risk is based. Both questions require the following settings:

Setting Value

Answer Type Text (single line limited)

Acceptable Values Master Data Values

Response Required? Yes, Participant Required

NoteThis requirement only applies if you want to generate a residual risk level for all of the issues in your site. If you make it optional, respondents can choose whether or not to answer, and that choice determines whether or not the issue generates a residual risk level..

Supplier field mapping project.IssueSeverity for the severity question and project.IssueProbability for the probability question.

Type of master data for answer Risk Severity for the severity question and Risk Probability for the probability question.

Customizing the issue page

The survey document issue management project template defines the custom fields that display in the Inherent Issue Document area of your site's issue page. You can customize this content in the template.

The default issue management project template includes a survey document called Inherent Issue Document that contains the following content:

● A text question named Title, mapped to project.Title. A question with this mapping is required. The answer to this question automatically becomes the name of the issue management project and shows in the issue header.

● A text question named Issue Description, mapped to project.IssueDescription, which shows in the issue header. A question with this mapping is required.

● A text question named Issue Severity, mapped to project.IssueSeverity, which shows in the issue header. A question with this mapping is required.

● A text question named Issue Probability, mapped to project.IssueProbability, which shows in the issue header.

● A User question named Issue Assignee, mapped to project.Assignee. A question with this answer type and mapping is required. The answer to this question automatically becomes the issue assignee and shows in the issue header.

● A text question named Issue Type.● A date question named Due Date, mapped to project.IssueDueDate. A question with this answer type

and mapping is required.


● A text question named Resolution Type with possible answers Unspecified, None, Remediate, No Action, and Defer.

● A date question named Resolution Date.● A text question called Resolution Description.● An attachment question named Mitigation Plan.

You can edit any of these questions, add other content to the survey document, and apply visibility conditions to it as you would any other supplier management form or question, as long as the required questions and mappings are present. You can delete any of the default questions that are not required.

NoteTo rate issue and engagement residual risk based on issue probability and severity, the issue page must include severity and probability questions with specific configurations [page 162]. Residual risk setup requires editing the default Issue Severity and Issue Probability questions.

Related Information

About the issue management project template [page 158]Restrictions, requirements, and helpful hints for setting up the issue management project template [page 159]Tasks and phases in the default issue management workflow [page 166]

Setting up access control for editing sections of the issue form

You can use access control settings in the survey document in the issue management project template to define which groups or roles have permission to edit specific sections of the issue form. Editability access control ensures that the correct stakeholders provide specific types of information about the issue.

By default, members of the Project Owners project group in the issue management project and members of the Supplier Risk Engagement Governance Analyst global user group have permission to edit the issue form. If your site uses an assignee project group in issue management projects, members of that group can also edit the issue form.

To restrict edit permissions for specific sections further using access control, a customer administrator in your site must enable the self-service configuration parameter Application.SR.IssueManagement.UseTeamAccessForReadOnly.

You can only apply editability access control to sections. Access control on individual questions, attachments, and requirements is not supported. If you apply editability access control to a section, only the users who have permission to edit the issue form and also access to that section can edit it. Editability access controls do not hide the section, however. Users who do not have access to a section can still see the section and its contents in the issue form as long as they have permission to view the issue.

The access control settings allow you to restrict editing permission for specific sections of the issue form to the following roles:



Role Description

Legal Information Members of the Legal global user group who also have permission to edit the issue.

Finance Information Members of the Finance global user group who also have permission to edit the issue.

Classified Members of the Classified Access global user group who also have permission to edit the issue. Depending on the solutions and features enabled in your site and its user group configura-tion, any or all of the following global user groups might also be members of the Classified Access group through inheritance:

● Contract Manager● Internal Contract Manager● Sales Contract Manager● Sourcing Manager● Procurement Manager

Owner/Administrator Only Members of the Project Owner project group, who always have permission to edit the issue.

Private To Team Members Members of the project team who also have permission to edit the issue, including members of the issue assignee project group.

Members of the issue management project assignee and Project Owner project groups automatically have permission to view the issue and can edit the sections to which they have been granted access. Members of global user groups such as Legal, Finance, or Classified Access do not automatically have permission to view or edit an issue just because the group has been granted edit access. To edit an issue, members of those groups must separately have edit permission through membership in the assignee or Project Owner project group for the issue management project or by belonging to the Supplier Risk Engagement Governance Analyst global user group.

TipBy default, the person who creates an issue is automatically added to the Project Owners project group. When the issue is assigned, the assignee is added automatically to the Project Owners project group. If you want to prevent, issue assignees from editing the issue definition, or any other section of the issue form that you want to reserve for the issue creator and other project owners, you can use the following setup:

● Enable the self-service parameter Application.SR.IssueManagement.AddAssigneeToAssigneeTeamOnly in your site.

● Create a project group named Assignee, using that exact text, in the issue management project template.● In the issue form, make sure that one or more sections enclose the issue definition, and any other content

that you want to reserve for the issue creator and other project owners, and set the access control for those sections to Owner/Administrator Only.

In this configuration, issue assignees are added only to the issue Assignee project group, and not to the Project Owner project group. The issue creator continues to be a member of the Project Owner group. Issue creators can therefore edit the issue definition and any other content restricted to project owners, but issue assignees cannot. You can also set access control for other content in the issue form, such as content related to analysis and resolution, so it is only editable by legal or financial stakeholders in the assignee project group but not by the creator or other project owners.


Tasks and phases in the default issue management workflow

The issue management workflow is defined by a specific pattern of phases and tasks on the Tasks tab of the project template.

The default issue management project template includes the following four phases with tasks that define a default workflow for issue management projects:

● Issue Definition [page 166]● Issue Analysis [page 166]● Issue Resolution [page 167]● Issue Resolution Acceptance [page 167]

You can use the default configuration, or customize the tasks in these phases.

NoteThe issue management project template only supports the use of these specific phases, and only supports approval, To Do, and review tasks with specific settings within them. It is important to pay attention to the restrictions, requirements, and helpful hints [page 159] for the issue management project template while setting up the phases and tasks that define its workflow.

For more information on working with phases and approval, To Do, and review tasks, see the Project Template Guide and Managing projects, teams, documents, and tasks.

The Issue Definition phase

The Issue Definition setting in this phase defines it as the start of the issue management workflow. When a user submits a new issue, this phase starts and its first task becomes active. In this phase, either the user who created the issue or a relevant stakeholder describes the issue in detail.

The default issue management project template includes one To Do task in the Issue Definition phase, with the Project Owner group as the default task owner.

The Issue Analysis phase

The Issue Analysis setting in this phase defines it as the second phase in the issue management workflow. In this phase, the assignee and other stakeholders analyze the issue based on the information provided in the Issue Definition phase.

The default issue management project template includes one To Do task in the Issue Analysis phase, with the Project Owner group as the default task owner and the To Do task in the Issue Definition phase as its predecessor.



The Issue Resolution phase

The Issue Resolution setting in this phase defines it as the third phase in the issue management workflow. In this phase, the assignee and other stakeholders propose a resolution for the issue.

The default issue management project template includes one To Do task in the Issue Resolution phase, with the Project Owner group as the default task owner and the To Do task in the Issue Analysis phase as its predecessor.

The Issue Resolution Acceptance phase

The Issue Resolution Acceptance setting in this phase defines it as the final phase in the issue management workflow. In this phase, one or more stakeholders approve or deny the resolution proposed in the Issue Resolution phase.

The default issue management project template includes one approval task on the template inherent issue survey document in the Issue Resolution Acceptance phase, with the Project Owner group as the task owner and default approver and the To Do task in the Issue Resolution phase as its predecessor.

Related Information

Restrictions, requirements, and helpful hints for setting up the issue management project template [page 159]About the issue management project template [page 158]

Suppliers field mappings for supplier engagement risk assessment issue management projects

Survey document questions in control-based supplier engagement risk assessment issue management project templates can include some specialized project-related field mappings. These mappings support important pieces of the issue management workflow and are in some cases mandatory.


project.Title Specifies that the question answer is the title of the project.

A question with this mapping is mandatory in the issue management project template survey document. Issues created from the template do not function correctly without this mapped question.



project.Description Specifies that the question answer is the description of an issue. This mapping is only supported in the survey document of the issue management project template, where a question with this mapping is mandatory for ensuring that issues created from the template function correctly.

project.IssueSeverity Specifies that the question answer is the issue severity. This mapping is only supported in the survey document of the issue management project template, where a question with this mapping is mandatory for ensuring that issues created from the template function correctly. The question with this mapping can also contribute to the residual risk rating [page 162] of issues and their associated control-based engagement risk assessment projects.

project.IssueProbability Specifies that the question answer is the issue probability. This mapping is only supported in the survey document of the issue management project template. It is only required if you want to generate residual risk ratings [page 162] for issues and their associated control-based engagement risk assessment projects.

project.Assignee Specifies that the mapped question's answer is the assignee for the issue. This mapping is only supported in a question with the User answer type in survey document of the issue management project template, where a question with this configura-tion is mandatory for ensuring that issues created from the template function correctly.

project.IssueDueDate Specifies that the mapped question's answer is the due date for the issue. This mapping is only supported in a question with the Date answer type in survey document of the issue management project template, where a question with this configura-tion is mandatory for ensuring that issues created from the template function correctly.

Related Information

Supplier field mappings for control-based supplier engagement risk assessment projects [page 136]



Topics about setting up other project elements for engagement risk assessment and related projects

Topics about adding content to a supplier form or questionnaire

How to create a supplier form or questionnaire [page 169]

Supplier form or questionnaire closing, reopening, and due dates [page 146]

How to add a section to a supplier form or questionnaire [page 172]

How to add a requirement to a supplier form or questionnaire [page 173]

How to add a question to a supplier form or questionnaire [page 174]

How to add an attachment to a supplier form or questionnaire [page 179]

Question answer types for supplier forms and questionnaires [page 180]

Using visibility conditions to show or hide content based on answers [page 183]

Topics with supplier management questionnaire content examples [page 187]

How to add translations for some form and questionnaire content fields [page 190]

How to create a supplier form or questionnaire

Forms are useful if you have a relatively small set of content, such as with a request. The content in forms is not numbered. Questionnaires are useful if you have a large set of content and want it to be numbered.

Prerequisites

You must be working with a new version of the template, so that the template itself is open for editing, to edit an existing survey document or create a new one.

Context

NoteTemplate survey documents contain a number of settings (supplier eligibility criteria, definitions, participants, and so forth) that are not relevant to supplier management processes. These settings are ignored in supplier


management projects. The timing rule and supplier management settings on the survey's Overview page and the content on its Content page are used in supplier management projects.

Timing rules for template survey documents are used in supplier-facing questionnaires; they are ignored in internal questionnaires. The Due date setting in the template survey document's timing rules determines how much time a supplier has to fill out and submit the form or questionnaire before it closes. The Keep questionnaire reopened indefinitely setting keeps external questionnaires reopened indefinitely for supplier registration and modular supplier management questionnaire projects.

Procedure

1. On the dashboard, click Manage Templates .2. On the Documents tab of the Templates page, expand the folder for the template you want to work with to see

its contents.`3. Click the template and choose Open.4. Click the Documents tab of the template project.5. Click the template's survey document and choose Edit.6. On the Rules page, in the Timing Rules area, perform the following actions:

a. For Response start date, choose When I Click the Publish button on the Summary page.

In supplier management projects, this setting specifies that the amount of time the respondent has to fill out the form or questionnaire is counted starting when the project is created. Do not schedule the survey for the future. Supplier management forms and questionnaires are not designed to work with that setting.

b. For Due Date, choose Duration and specify a duration in days, such as 30 days.

The countdown to the due date starts when the invitation to fill out the questionnaire is sent to the supplier. For details about the due date setting, see Supplier form or questionnaire closing, reopening, and due dates [page 146].

c. Specify Delegated where that option is offered.d. Set the Keep questionnaire reopened indefinitely setting where that option is offered.

The Keep questionnaire reopened indefinitely setting affects external registration and modular questionnaires.

7. In the Supplier Management area, perform the following actions:

○ For Specify questionnaire format, choose Form to create a form or Questionnaire to create a simple questionnaire.

○ For Is questionnaire required?, choose Yes.○ For Specify questionnaire type, choose Internal if only your organization's employees will be filling the

form or questionnaire, or External if external people such as supplier contacts will be filling it out.8. Click Content.9. Add content to the form or questionnaire. [page 169]10. Click Summary.11. Click Exit, then click Save and then exit



Results

Once you publish the new version of the template, the form or questionnaire is available to users.

Related Information

Topics about editing and publishing project templates [page 86]How to set up a modular supplier management questionnaire [page 149]Topics about adding content to a supplier form or questionnaire [page 169]Supplier form or questionnaire closing, reopening, and due dates [page 146]


External (supplier-facing) questionnaires close when a supplier submits them and reopen under certain circumstances. The questionnaire due date always determines how much time a supplier has to fill out a new questionnaire before it closes, and might affect how long a supplier has to update a questionnaire after it reopens.

The timing rules of the template survey document for a supplier form or questionnaire include a Due date setting. It defines how much time a supplier has to fill out and submit a new questionnaire before it closes. The countdown to the due date starts when the supplier is invited to fill out the questionnaire.

The questionnaire closes either when the supplier has submitted the questionnaire or when the due date is reached, whichever comes first. When the questionnaire is closed, the supplier can no longer edit it.

The questionnaire reopens automatically when:

● An approver requests additional information during the approval process.● For external registration and qualification questionnaires, when a category or supplier manager reinvites a

supplier to fill out the questionnaire because the supplier did not respond to the previous invitation by the due date.

● For external modular supplier management questionnaires, when a category or supplier manager reminds a supplier to fill out the questionnaire because the supplier did not respond to the previous invitation by the due date.

● For registration questionnaires with new questionnaire and questionnaire update phases, when either the new questionnaire or a questionnaire update is approved.

● For modular supplier management questionnaires with Always open set to Yes, when either the new questionnaire or a questionnaire update is approved.

Once a questionnaire has reopened, the supplier can edit and resubmit it until it closes again. If you want a questionnaire to remain reopened indefinitely, use the Keep questionnaire reopened indefinitely setting. It keeps external questionnaires reopened indefinitely for only supplier registration and modular supplier management questionnaire projects.



If the Keep questionnaire reopened indefinitely setting is set to No, the amount of time a reopened questionnaire remains open is determined by the setting of the Application.AQS.RFX.ReopenIfClosedInterval parameter in your site. The default amount of time is 365 days, but your site might use a different number of days. If the setting for the parameter is 0, the amount of time a reopened questionnaire remains open is determined by the template survey document Due date setting instead. In this case, make sure that the due date you set for the questionnaire takes into account not just the expected response time for a new questionnaire but its expected update cycle. If the Keep questionnaire reopened indefinitely setting is set to Yes, the template ignores the Application.AQS.RFX.ReopenIfClosedInterval site parameter and remains reopened indefinitely.

After a questionnaire has closed, the only way to reopen it is for a user with permission to work in the advanced view of the project to manually monitor and reopen the questionnaire.

Modular supplier management questionnaires can expire, but questionnaire expiration is a status change that indicates the current validity of the questionnaire content. It is not related to whether or not the questionnaire is open or the questionnaire due date. An expiring or expired questionnaire that is set to always be open only closes if the supplier does not update it before it due date. Otherwise, it remains open until the supplier submits an update.

Related Information

How to create a supplier form or questionnaire [page 169]How to set up a modular supplier management questionnaire [page 149]

How to add a section to a supplier form or questionnaire

A section is a container in which you organize other content, such as questions, requirements, or attachment. You can nest sections within other sections.

Context

Sections are automatically numbered in their order of appearance, and the content inside them is numbered based on the parent section number. For example, a section in a questionnaire segment might be numbered 1, and the three questions inside it numbered 1.1, 1.2. and 1.3.

If your solution includes SAP Ariba Supplier Lifecycle and Performance, top-level sections in questionnaire segments are useful for organizing content in the final qualification questionnaire, which is assembled from multiple segments. If you nest all of the content of a questionnaire segment inside a section, it is displayed and numbered together in the final assembled questionnaire. If you do not, but the content of a previous questionnaire segment is nested in a top-level section, the content of the current segment is added to and numbered with the previous segment's content in the final questionnaire.

If you apply a condition to a section, that condition applies to all of the content in the section. Sections are therefore useful if you have a series of questions that you want to show or hide based on the answers to other questions.



Procedure

1. (Optional) To nest a section inside another section, select it.

2. Select Add Section .3. (Optional) If you are creating a nested section, select Add Inside.4. Enter a name and description for the section.5. Select whether or not suppliers can see the question from the Visible to Participants pull-down menu.

Selecting No creates a requirement that is only visible to internal users.6. (Optional) Click none and select an existing visibility condition, or select Create Condition to create a new

condition. See Using visibility conditions to show or hide content based on answers [page 183] for details.7. Click OK.

Related Information

How to add a question to a supplier form or questionnaire [page 174]How to add a requirement to a supplier form or questionnaire [page 173]How to add translations for some form and questionnaire content fields [page 190]

How to add a requirement to a supplier form or questionnaire

A requirement is a statement that communicates your expectations or other information to suppliers and internal stakeholders.

Procedure

1. Perform one of the following actions:

○ Select Add Requirement at the bottom of the content to add a new requirement to the end of the questionnaire.

○ Select the section before or inside of which you want to add the requirement and select AddRequirement at the bottom of the content table.

○ Click a section to add the requirement inside or after it and select Add Requirement from the pull-down menu.

2. If you selected a section for the new requirement, select Add Inside to add the new requirement nested inside the section, or Add After to add it after the section on the same level.

3. Add a descriptive name for the requirement in the Requirement field.4. Click Attach a file to attach a reference file to the requirement; you can either upload the file from your local

computer or select it from your site’s library content. You can only attach library content to which you have access.


5. Select whether or not suppliers can see the question from the Visible to Participants pull-down menu.If you use a requirement for internal text in a supplier-facing questionnaire, make sure to specify that it is not visible to participants so that external suppliers can’t see it. Selecting No creates a requirement that is only visible to internal users.6. (Optional) Click none and select an existing visibility condition, or select Create Condition to create a new

condition. See Using visibility conditions to show or hide content based on answers [page 183] for details.7. Click OK.

Related Information

How to add an attachment to a supplier form or questionnaire [page 179]How to add a question to a supplier form or questionnaire [page 174]How to add a section to a supplier form or questionnaire [page 172]

How to add a question to a supplier form or questionnaire

A question is a content item that asks the respondent to provide some type of information. The answer type you specify for a question determines the type of information and the format of the response.

Context

The Add Question page includes a number of settings (include in cost, access control, participant-specific initial values, and so on) that are not relevant to supplier management. These settings are ignored in supplier management projects. Only the settings discussed in the following steps are used in supplier management projects. If you are creating a Text (single line limited) or Text (single line) answer type question, you can optionally use the Apply field restrictions button to have the system suggest a field validation pattern and maximum length based on the default SAP ERP business partner configurations of the mapped field. The Apply field restrictions button is not available in SAP Ariba Supplier Risk engagement risk assessment and issue management projects.

Tip● Answers for questions with the Whole Number answer type have a maximum value of 2147483647, making

it suitable for amounts but not for questions that have numerical answers that might exceed the maximum, such as phone numbers. For questions with large numerical answers that are not amounts, use Text (single line limited) instead.

● Individual questions have KI ID numbers, which are unique identifiers, and the supplier responses that duplicate checks match against are linked to KI IDs. Duplicate checks match question responses against recorded supplier responses that are associated with that question's KI ID. As a result of this, if you delete and recreate a question, duplicate check does not match responses to the recreated question against stored response data from the deleted question.



NoteMake sure that the questions you create in supplier-facing questionnaires do not ask for sensitive personal information as defined in the SAP Ariba Privacy Statement .

Procedure


○ Select Add Question at the bottom of the content table to add the question to the end of the form or questionnaire.

○ Select the section to which you want to add the question and select Add Question at the bottom of the content table.

○ Click a section to add the question inside or after it and select Add Question from the pull-down menu.

2. If you selected a location for the new question, select Add Inside to add the new question nested inside section, or Add After to add it after the selected section on the same level.

3. Choose an answer type from the Answer Type dropdown menu. The answer type you choose determines the other settings you can specify for the question.

4. Enter the text for your question in the Name field.5. (Optional) For answer types that allow acceptable values, on the Acceptable Values dropdown menu, perform

one of the following actions:

○ To allow respondents to enter any value in the answer field, choose Any Value.○ For questions with answer type Text (single line limited) only, to force respondents to choose a value from

the master data loaded in your site, choose Master Data Value. At the bottom of the Add Question page, choose a master data type from the Master data types to use for value dropdown menu.

○ To force respondents to choose from a set of answers you predefine, select List of Choices. The default list of choices is a dropdown menu where respondents select one value from the list. At the bottom of the Add Question page, specify the following properties for your list of choices:

Property Description and Options

Allow participants to specify other value? Options are:○ Yes: respondents can select Other on your list of choices and

enter a value that is not on your list in an Other field.○ No: respondents must choose from the values on your list.

Allow participants to select multiple values? If you select Yes, the list of choices is a set of check boxes instead of a pull-down menu, and respondents can select multiple values to answer the question. If you allow multiple answers to a question, you cannot add it to reports.

List of Choices Specifies the value on the list of choices.

Enter values and click Add to add choices to the list. Select a value from the list and click Set Default to make it the default choice.

○ For answer types that allow number ranges, to limit answers to a specific range of numbers, select Limited Range. At the bottom of the Add Question page, add from and to values to define the range. For date


http://help.sap.com/disclaimer?site=http%3A%2F%2Fwww.ariba.com%2Flegal%2Fariba_privacy_statement.cfm

questions, select a relative range such as Last Week or This Year from the Range menu, or select Custom and specify a fixed from and to date to define the range.

6. For decimal number, money, or percentage answer types, enter the number of decimal places; the default number is 2.

7. Specify the following settings for the question; available settings depend on the answer type you selected:

Setting Description and Options

Response Required? Specifies whether or not you want to require various respondents to answer the question. Options are:○ Not Required○ Yes, Participant Required: in external-facing questionnaires, the supplier

must answer the question. In internal-facing questionnaires, the internal user must answer the question.

○ Yes, Owner Required: Do not use this setting. In supplier management projects, all internal and external users who complete forms, questionnaires, and internal surveys act as participants. There is no way to satisfy an owner requirement, and using this setting will cause users to be unable to submit the form or questionnaire.

Tooltip Specifies a message to show in a popup that users open by clicking an information icon next to the question. If you specify a tooltip, you can use the Translations link to provide translations for it in languages other than your site's primary language.

NoteThe Tooltip field is only available in engagement request questionnaires in the supplier engagement risk assessment project.

Reference documents Click Attach a file to attach a reference file to the question; you can either upload the file from your local computer or select it from your site’s library content. You can only attach library content to which you have access.

Mask Attachments Specifies whether or not you want to mask attachments so that only the users with the appropriate permissions can view or download them.

NoteThe attachment masking setting is not supported in supplier engagement risk assessment and issue management projects.

Sensitive Data Mask Pattern If you want to mask the answer so that only users with the appropriate permissions can view it, you can specify a masking pattern to mask all or part of the answer.

NoteThe data mask pattern setting is not supported in supplier engagement risk assessment and issue management projects.




Code Delimiters Specifies the characters that enclose the codes you associate with descriptive answers in a list of choices. If you specify code delimiters, and then create a list of choices that includes codes enclosed by those delimiters, that enclosed information is the only part of the answer stored in a mapped database field.

NoteThe code delimiters setting is not supported in supplier engagement risk assessment and issue management projects.

Visible to Participants Specifies whether or not suppliers can see the question. Do not add internal-only questions to external questionnaires. For external (supplier-facing) questionnaires, only choose No if you are setting up a hidden question that triggers a conditional approval.

Participants can add additional comments and attachments

Specifies whether or not respondents can add additional attachments and comments to the question using an icon that opens an extra comment field and attachment link.

Max length Specifies the maximum character length for text questions. The length you specify must be shorter than the absolute maximum length of the question (255 for Text (single line limited), 4000 for Text (single line), and unlimited for Text (multiple lines) answers. Answers cannot exceed the absolute maximum length for an answer type regardless of the setting you apply in this field.

If you are mapping a question to a supplier database field and the question has a Text (single line limited) or Text (single line) answer type, you can use the optional Apply field restrictions button to automatically generate a suggested max length. The Max Length setting helps to make sure that the answer does not exceed the maximum length of that field. For mapped questions, the length of the database field is the ultimate determiner of the stored answer length.

NoteThe maximum length setting is not supported in supplier engagement risk assessment and issue management projects.

Supplier field mapping If you want to map the question to a supplier database field, enter the field name. You can also use project and matrix mappings in this field.

The optional Apply field restrictions button can help validate your supplier field mapping entry. If it does not recognize a supplier field mapping, it suggests alternative field mappings. The feature can also suggest a Max length and Validation pattern based on the supplier field mapping.

NoteSupplier engagement risk assessment and issue management projects do not support mapping to supplier database fields. They support a specific set of project and matrix mappings only. See the topics about setting up those templates for details.



Search term If you want to turn the question into a filter for supplier searches, enter the filter name.

Note○ You can only turn some answer types into search filters, and you should

keep in mind best practices for constructing effective search filters. Turning questions into search filters is not supported in supplier risk engagements

○ Search terms are not supported in supplier engagement risk assessment and issue management projects.

.

Validation Pattern and Validation Pattern Error Message

If you want to specify that the answer must be provided in a specific format, enter a regular expression to define that format and an optional custom error message that users see when they try to submit an answer that does not fit the pattern.

If you are mapping a question to a supplier database field and the question has a Text (single line limited) or Text (single line) answer type, you can use the optional Apply field restrictions button to automatically generate a suggested validation pattern.

NoteValidation patterns are not supported in supplier engagement risk assessment and issue management projects.

Enable duplicate check Specifies whether or not the answer is used to identify duplicate suppliers during the supplier request process. In both internal and external supplier requests, questions mapped to name, street address, city, state, country, postal code, and D-U-N-S Number fields are automatically used in duplicate check. This setting allows you to specify additional questions to use in duplicate check. This field is only available for Text (single line limited) questions in internal and external supplier requests in sites with the custom duplicate check feature enabled.

TipOnly enable this setting for questions that are likely to yield unique answers for each supplier. SAP Ariba recommends that you enable this setting for no more than 5 questions total in an internal or external supplier request. Overly broad duplicate checks result in a higher number of false positives..

Visibility Conditions Specifies the conditions under which suppliers and internal users at your company see the question. Click none and select an existing condition, or select Create Condition to create a new condition. For details, see Using visibility conditions to show or hide content based on answers [page 183].

8. (Optional) To communicate your expectations of how respondents should answer, provide an initial value by performing one of the following actions:



○ For yes/no questions, select Yes or No as a default value, or select Unspecified if you do not want to provide a default value.

○ For attachment questions, click Attach a file and either upload the file from your local computer or select it from your site’s library to provide an attachment that respondents can use as a template or form for providing their responses

○ For certificate questions, select Yes or No as a default value, or select Unspecified if you do not want to provide a default value. If you select Yes, you can click Details and provide default certificate information such as issuer to communicate your expectations for how respondents will answer the question.

○ For quantity questions, the default unit of measure for the initial value is each. To change it, click each and select from the list of units of measure used in your site.

○ For all other answer types, enter an initial value in the Initial Value field.9. Click Done.

Related Information

Question answer types for supplier forms and questionnaires [page 180]How to add a section to a supplier form or questionnaire [page 172]How to add an attachment to a supplier form or questionnaire [page 179]How to add a requirement to a supplier form or questionnaire [page 173]

How to add an attachment to a supplier form or questionnaire

An attachment in a form or questionnaire is a document file that provides additional information to respondents. It is an independent content item to which you can apply visibility conditions.

Context

When you add an attachment to the profile questionnaire, use its description to communicate the format of the attached file and your expectations for its use by respondents.

You can add document files either from your local computer or from the Sourcing Library to supplier profile questionnaire attachments.

You cannot set visibility conditions on attachments initially when you add them as standalone attachments. However, when you edit any attachment you added this way, you can set visibility conditions on them and add reference documents at that time.

NoteIn addition to standalone attachments, you can also attach files to questions, requirements, and other pieces of content.


Procedure


○ Select Add Attachments from Desktop at the bottom of the content table. Click Browse, navigate to the file you want to attach on your local computer, and click Open. Click Add More to add up to 10 files as attachments at the same time.

○ Select Add Attachments from Library at the bottom of the content table. Search for the project or library content you want to attach, select the files, and click OK. You can only attach library content to which you have access.

2. Enter a description for each file.3. (Optional) Click Show Details and perform one of the following actions for each file:

○ Select whether or not suppliers can see each attachment from the Visible to Participants pull-down menu. Selecting No creates an attachment that is only visible to internal users.

○ Limit access control to the file to specific sets of users.4. Click Done.

Next Steps

You can apply settings such as visibility conditions by editing the newly created attachment. Settings are only available when the attachment is in edit mode. You can also mask attachments so that only the internal users with the appropriate permissions can view or download them.

NoteThe attachment masking setting is not supported in supplier risk engagements.

Related Information

Using visibility conditions to show or hide content based on answers [page 183]How to add a requirement to a supplier form or questionnaire [page 173]How to add a requirement to a supplier form or questionnaire [page 173]How to add a question to a supplier form or questionnaire [page 174]

Question answer types for supplier forms and questionnaires

For each question you add to a supplier form or questionnaire, you specify an answer type that defines the type of data you want in that field.



Answer Type Description

Text (single line limited) The answer field accepts a single line of text (numerical and alphabetic characters) with no character returns and a maximum of 255 characters.

This answer type is the only one for which you can set master data values as an acceptable answer.

Text (single line) The answer field accepts a single line of text (numerical and alphabetic characters) with no character returns and a maximum of 4000 characters.

Text (multiple lines) The answer field displays six lines of text initially and can be expanded indefinitely with a vertical scroll bar and no character limit.

Whole Number A whole number; for example, 20. Answers have a maximum value of 2147483647. For questions with large numerical answers that are not amounts, such as phone numbers or IDs, use Text (single line limited) instead.

Decimal Number A decimal number; for example, 19.5. The default number of decimal places is 2

Date A formatted date; for example, Fri., 12 Aug., 2009.

Money A decimal number plus currency symbol. The default number of decimal places is 2.

Yes/No The input field is a dropdown menu with Yes and No menu items.

Attachment Requires the respondent to answer the question by uploading a file attachment. You can provide a default file attachment as an initial value, which the respondent can then download, edit, and upload to answer the question.

NoteUse the separate Certificate answer type to ask for small business, diversity, green, and other certifications.



Certificate The answer field is a pull-down menu with Yes and No menu items. Selecting Yes displays a Details link that allows respondents to enter certificate information such as issuer, number, location, type, and effective and expiration dates, and to upload a certificate file as an attachment.

NoteIn sites with the certificate management feature enabled, questions of this type include settings for expiration notifi-cations in modular supplier management questionnaires only.

Address The answer is a complete set of address fields: Street, City, State/Province/Region, and Country, which uses a dropdown menu to allow users to select from a list available countries.

Extended Address The answer is an extended set of address fields; the country and region fields use dropdown menus to allow users to select from a list of available values. A limited number of fields, including any fields with values, is shown in a Show Less view; users can click Show More to see the full set of fields.

Percentage A percentage value; for example, 25%. The default number of decimal places is 2.

Quantity A number value plus a unit of measurement selected from a list. The default unit of measurement is each.

Commodity The answer field is a dropdown menu that allows respondents to select from the commodities used in your site.

Region The answer field is a dropdown menu that allows respondents to select from the regions used in your site.

Department The answer field is a dropdown menu that allows respondents to select from the departments or cost centers used in your site.

Supplier The answer field is a dropdown menu that allows respondents to select from the suppliers in your site.

This answer type is only available in SAP Ariba Supplier Risk.

Bank Account The answer field is a complete set of bank account fields. This answer type is only available in sites with the bank component feature enabled.

This answer type is not available in SAP Ariba Supplier Risk.




Tax The answer field is a dropdown menu for country and a set of country-specific tax fields defined by master data in your site. This answer type is only available in sites with the tax component feature enabled.

This answer type is not available in SAP Ariba Supplier Risk.

Related Information

How to add a question to a supplier form or questionnaire [page 174]

Using visibility conditions to show or hide content based on answers

The content to which you have applied a visibility condition is hidden from respondents unless they supply an answer that fulfills the condition. At that point, the page refreshes and the conditional content appears. If a participant changes an answer so that the condition is no longer fulfilled, the content disappears and any existing answers are not retained.

If you add a question to your document from the Sourcing Library (as library content), you have the option of copying its conditions as well so that they operate in your document.

You can create two types of visibility conditions: basic and advanced.

● Basic visibility conditions [page 184] are based on the answer to one question.● Advanced visibility conditions [page 185] allow you to combine the answers to multiple questions to create

conditional expressions based on logical operators (AND, OR, and NOT).You can stack and nest expressions, but take care that the logic in an advanced condition doesn’t contain contradictions.

When you create either type of condition, keep in mind the following considerations:

● For forms and most types of questionnaires, all respondents see the single form, and visibility conditions based on region can be useful for displaying content dynamically based on answers. But qualification questionnaires are assembled from content document segments that are targeted to specific commodities, regions, and (if the business unit supplier management matrix enhancement is enabled in your site) departments. It is therefore important be aware of all of your existing segments and the commodity, region, and department settings you have applied to each segment, and only apply visibility conditions based on commodity, region, or department in segments where it makes sense.For example, if you have a questionnaire segment that applies to all regions, and other region-specific questionnaire segments that only target regions down to the country level, you can use visibility conditions for specific states, regions, or cities to show content based on more granular region values. Add conditional questions that only applies to Parisian suppliers to the questionnaire segment targeted at France.

● You cannot create conditions based on questions of answer type Text (multiple lines), Bank Account, Extended Address, or Tax. You can create conditions based on questions of any other answer type.

● If you set a visibility condition for content in external (supplier-facing) questionnaires, make sure that the question that triggers the condition is visible to participants.

How to create a basic visibility condition in a form or questionnaire [page 184]


How to create an advanced visibility condition in a form or questionnaire [page 185]

Expressions for advanced visibility conditions [page 186]

How to create a basic visibility condition in a form or questionnaire

Basic visibility conditions are based on answers to a single question.

Prerequisites

You must create the question on which the condition is based before you can create the condition.

Context


NoteYou cannot create conditions based on questions of answer type Text (multiple lines), Bank Account, Extended Address, or Tax. You can create conditions based on questions of any other answer type.

Procedure

1. Use an existing question or create a new question on which to base the condition.2. On the content table, perform one of the following actions:

○ Choose Edit Conditions .

○ Click the question and choose Edit, then choose Add Conditions .3. On the Edit Conditions page, click Add.4. In the Create Condition window, enter a short name and description for the condition. The name appears on a

menu of available conditions that you can apply to content, so it should be descriptive.5. For the expression, click Undefined and select the question or formula on which you want to base the

condition.

6. Perform one of the following actions to set the condition content match:

○ For questions with numerical answer types (including date and money), enter a From and To value to create a range of values.



○ For questions with text answer types, enter a string of text which must match participant answers exactly to satisfy the condition.

○ For questions with Yes/No answer types, select either Yes, No, or Either.○ For questions with a defined list of answer values that are specific to the question, select the answer from

the dropdown menu.○ For questions with answers that must be selected from a list of site-wide values (such as commodity), click

select and select the values that participants’ answers must match in order to satisfy the condition.7. Click OK.

Next Steps

Now you can apply the condition to form or questionnaire content. When you are creating or editing the content, for Visibility Condition, click none and choose from the list of available conditions.

How to create an advanced visibility condition in a form or questionnaire

Advanced visibility conditions are based on the answers to multiple questions.

Prerequisites

You must create the questions on which the condition is based before you can create the condition.

Context


NoteYou cannot create conditions based on questions of answer type Text (multiple lines), Bank Account, Extended Address, or Tax. You can create conditions based on questions of any other answer type.

Procedure

1. Use an existing question or create a new question on which to base the condition.



○ Choose Edit Conditions .

○ Click the question and choose Edit, then choose Add Conditions .3. On the Edit Conditions page, click Add.4. In the Create Condition window, enter a short name and description name for the condition. The name

appears on a menu of available conditions that you can apply to content, so it should be descriptive.5. For the expression, click Undefined and select an expression (All of, Any of, or None of). For descriptions of

available expressions, see Expressions for Advanced Visibility Conditions in Events, Surveys, and the Supplier Profile Questionnaire [page 186]

6. Perform any of the following steps. The order in which you add expressions and questions determines the nested structure of your condition.

○ Click Undefined and select the question on which you want to base the condition from the list of options, then specify the content match that fulfills the condition.

○ To enclose an expression within an expression, click the expression and select it. The new expression is added to its left.

○ To add a condition in parallel to another condition, click the expression to its left, then select the question or formula from the list of options and specify the content match that fulfills the condition.

○ To nest a set of conditions with an expression inside another expression, add a condition to the first expression, then select Content Match for the condition and select the expression. The new expression is added to the left of the condition, but within the first expression.

7. Continue adding nested conditions and expressions as needed.8. Click OK.

Next Steps

Now you can apply the condition to form or questionnaire segment content. When you are creating or editing the content, for Visibility Condition, click none and choose from the list of available conditions.

Expressions for advanced visibility conditions

You can use expressions to create advanced visibility conditions.

Expression Definition

All of An advanced expression that can include multiple expressions used for conditions that require all expressions to match (AND). You can use the All of expression to make a condition true under specific, layered circumstances.

For example, you can create an All of expression with two content matches: Are you Woman Owned Enterprise Certified? = Yes and Are you Small Business Certified? = No. This condition is true for any supplier that is Woman Owned Enterprise Certified but is not Small Business Certified. You can use this condition to display specific content for suppliers with that combination of certifications.



Expression Definition

Any of An expression that is true if one or more of the expressions defined in it are true (OR).

For example, if you define an Any of condition with four questions in it, that condition is true if the participant’s answer matches the answers you define as content matches for at least one, or as many as all four, of those four questions.

None of An expression that is true only if none of the expressions defined in it are true (NOT).

For example, you can create a None of expression with content matches to four different regions where you have manufacturing plants for questions that ask participants if they have shipping centers close to those regions. You can use this condition to display content to suppliers who answered No to all of those questions, and therefore might not be able to fulfill your shipping requirements.

Topics with supplier management questionnaire content examples

Example: how to create a dropdown menu with predefined values on a supplier form or questionnaire [page 187]

Example: how to automatically reject answers that don't fall within a limited range on supplier forms and questionnaires [page 188]

Example: how to ask for a supplier certificate [page 189]

Example: how to create a question that is only to visible suppliers with green certifications [page 190]

Example: how to create a dropdown menu with predefined values on a supplier form or questionnaire

When you add a question and provide a list of choices for the answer, the form or questionnaire displays those choices in a dropdown menu. The person who fills out the form must choose one of the values on the list.

Prerequisites

Lists of choices are only available for questions with one of the following answer types:

● Text (single line)● Text (single line limited)● Whole Number● Decimal Number● Date● Money● Percentage


Procedure

1. In the content area of the form or questionnaire, click Add Question .2. Choose one of the answer types that support lists of choices.3. On the Acceptable Values dropdown menu, choose List of Choices.

The List of Choices editor appears at the bottom of the page.4. Perform the following actions to add choices to the list:

a. Enter the first choice in the text box.b. Click Add and enter additional choices.c. To make one of the choices the default choice, which appears at the top of the dropdown menu, select it

and click Set Default. To specify no default choice, make sure that none of the choices are selected and click Set Default.

5. Specify other settings for the question and click Done.

Example: how to automatically reject answers that don't fall within a limited range on supplier forms and questionnaires

When you add a question with a limited range answer to a form or questionnaire, any values entered in the field that do not fall within that range are rejected, and the person filling out the form or questionnaire must provide an answer within the defined range in order to submit it successfully.

Prerequisites

Limited ranges are only available for questions with one of the following answer types:

● Whole Number● Decimal Number● Date● Money● Percentage● Quantity

Context

For questions with answer type Date, you can limit answers relative to the current date or specify a fixed (custom) date range. For example, you can require that the respondent’s answer be in the current year, current month, previous fiscal quarter, and so forth.



Procedure

1. In the content area of the form or questionnaire, click Add Question .2. Choose one of the answer types that support limited ranges.3. On the Acceptable Values dropdown menu, choose Limited Range.

The limited range fields appear at the bottom of the page.4. Perform the following actions to define your range:

○ For number ranges, enter numerical values in the From and To fields.○ For date ranges, choose a value from the Range dropdown menu, or choose Custom and specify a fixed

date range.5. Specify other settings for the question and click Done.

Example: how to ask for a supplier certificate

The Certificate question answer type includes fields that allow respondents to provide effective and expiration dates, issuer, and other details. You can map the question to the supplier database.

Procedure

1. In the content area of the form or questionnaire, click Add Question .2. On the Answer Type dropdown menu, select Certificate.3. Enter a name for the question, such as Please provide your green certificate.

4. For Visible to Participant, choose Yes.5. In the Supplier field mapping field, enter vendor.certificate.

6. Specify other settings for the question and click Done.

Results

When the supplier chooses Yes to provide a certificate and clicks the Details link, a window opens up. The supplier can enter issuer, effective and expiration dates, certificate numbers, and other details, as well as uploading the certificate as an attachment.

Any certificates a supplier uploads in response to a question of type Certificate are shows on the Certificates tab of the Overview tile in the supplier's 360° profile.


Example: how to create a question that is only to visible suppliers with green certifications

Visibility conditions allow you to create a question that is only visible to suppliers who are certified green.

Procedure

1. Create a certificate question that asks for green certification:

a. Below the content table for the form or questionnaire segment, choose Add Question .b. Enter a name for the question, such as Are you certified green?.c. On the Answer Type dropdown menu, choose Certificate.d. For Visible to Participant, choose Yes.e. In the Supplier field mapping field, enter vendor.certificate.f. Specify other settings for the question and click Done.

2. Create a condition based on a yes answer to the green certificate question:

a. Below the content table for the form or questionnaire segment, choose Edit Conditions .b. On the Edit Conditions page, click Add.c. In the Create Condition window, enter a name for the condition, such as Show for green certified.d. For the expression, click Undefined and select your green certification question.e. Select Yes for the content match.f. Click OK, then click Done.

3. Create a question that will only show when a supplier Yes to your certification question:

a. Below the content table for the form or questionnaire segment, choose Add Question .b. Enter a name for the question, such as Please provide your company's sustainability

policy. You can add it as an attachment..c. On the Answer Type dropdown menu, select Text (multiple line).d. For Visible to Participant, choose Yes.e. For Participant can add additional comments and attachments, choose Yes.a. For Visibility Conditions, click none and select your green certified condition.b. Click Done.

How to add translations for some form and questionnaire content fields

When you provide translations of form or questionnaire content fields in a language, users with that locale set in their profiles automatically see those translations. If you do not provide translations, users in all locales see the content fields in the original language in which you created them (the base language).



Prerequisites

To edit project templates you must be a member of the Template Creator group. To add translations to form or questionnaire content fields, you must also belong to the Translator group.

Context

You can provide translations for the names of all supported content types in supplier forms and questionnaires. For questions with answer types that support these features, you can also provide translations for the Search Term and Validation Pattern Error Message fields.

You can provide translations for each of the languages that are enabled in your site. The translation fields include the same formatting controls as the original fields, so you can also duplicate the formatting.

NoteWhen you provide a translation for the Name field of a question, that translation applies only to the name itself. There is no way to translate pre-defined answers that involve lists of choices, and attached files are always in the language of the file. If you need to add content with attachments or lists of choices that are also translated into multiple languages, you must:

● Create a piece of content in each language, rather than creating a single piece of content in the base language and providing translations. For each piece of language-specific content, the choices in the list of choices and the attached documents must be in that language.

● Use either visibility conditions based on region or region-specific questionnaire segments to make sure that the content for each language only displays for the region corresponding to that language.

Note that this way of providing translated content is less precise, because it is not based on individual user locale settings; for example, if you add French content that is visible to suppliers in Switzerland, it is shown to Swiss users who specify either French or German as their language.

TipIf you are providing translations for content names, you can add translations for all of the content names in a template survey document in one place by choosing Actions Translate on the content table of the survey document. You must add translations for other supported fields while adding or editing individual questions, and you can also add translations for the name this way.

Procedure

1. Add or edit a piece of content in a supplier management template survey document.2. Click the Translations link immediately below the Name field, or to the right of any other field that supports

translations.3. Enter a translation for the field in the corresponding translation field. If you have already entered translations,

they are displayed and you can edit them.


4. Click OK.

Topics about adding project groups and team members to project templates

Adding project groups and team members to project templates [page 192]

Defining buyer category assignments (the user matrix) for control-based supplier engagement risk assessment projects [page 193]

Topics about team member rules to add project groups and team members [page 196]

Adding project groups and team members to project templates

You add project groups to project template teams in one of two ways:

● By manually adding project groups on the template’s Team tab.The groups you add in a template are added to every project created from the template. You add project groups on a template’s Team tab as you would add groups to a project. You can also specify if project owners can edit a project group in projects created from the template (Can owner edit this Project Group). You can also add individual users or entire user groups to project groups. For supplier request, registration, qualification, disqualification, preferred supplier management, modular supplier management questionnaire, and control-based engagement risk assessment project groups, if your site includes user assignments to project groups based on project commodities and regions (the user matrix), you can specify that members of a project group are added dynamically based on assignment (Use commodity and region assignments).

● By creating team member rules.Team member rules dynamically add groups or individual users to a project based on the values supplied during project creation. They are not supported in supplier request, registration, qualification, disqualification, preferred supplier management, modular supplier management questionnaire, and control-based engagement risk assessment projects.

Note that while you can specify that project owners can edit project groups in both control-based and legacy engagement risk assessment, issue management, supplier request, supplier registration, supplier qualification, supplier disqualification, preferred supplier management, and modular supplier management questionnaire project templates, many of the users who work with those projects do not have access to the advanced view, where they can use the Team tab. Users who do not have access to the advanced view of those projects cannot edit their project groups even if they are project owners and the groups in the project allow project owners to edit them.

Adding Project Owners to Project Teams

To specify members of the Project Owner group that are inherited by projects created from a template, you must use either buyer category assignments or team member rules.



Members manually added to a Project Owner group from a template’s Team tab are not inherited by any projects created from that template. Manually adding members to the Project Owner group for a template grants those users Project Owner rights for that template only.

NoteIn both control-based and legacy engagement risk assessment, issue management, supplier request, supplier registration, supplier qualification, supplier disqualification, preferred supplier management, and modular supplier management questionnaire projects the user who creates the project (by requesting a supplier or engagement, inviting a supplier to register, and so on) is always the project owner.

Defining buyer category assignments (the user matrix) for control-based supplier engagement risk assessment projects

Control-based supplier engagement risk assessment projects use buyer category assignments (the user matrix) to dynamically add users to project or global user groups for specific combinations of commodities, regions, and departments.

In control-based supplier engagement risk assessment projects, the engagement request filters questionnaire includes mapped commodity, region, and department questions. The answers to those questions define the commodity, region, and department combination for the resulting control-based engagement risk assessment project. The users or global user groups assigned to that commodity, region, and department combination are then added to their assigned project groups. These assignments ensure that the appropriate stakeholders are added to approval flows and other tasks in specific projects. If your risk control definitions specify project groups as control decision makers, these assignments ensure that the appropriate stakeholders are added to specific projects as decision makers for their required controls.

The modular supplier management questionnaire project templates that define the assessment questionnaires in the control-based engagement risk assessment project can also use buyer category assignments (the user matrix). Assignments in modular supplier management questionnaire projects are based on the commodity, region, and department attributes in the project template, which are inherited by all projects created from it.

You import buyer category assignment (user matrix) [page 41] data using the User Matrix data import task in the Data import or export workspace in SM Administration.

NoteIf you want to dynamically add users to project groups in control-based engagement risk assessment or modular supplier management questionnaire projects, you must user buyer category assignments (the user matrix). However, issue management projects do not currently support buyer category assignments. To dynamically add users to issue management projects, you must use team member rules [page 196] instead.

Understanding buyer category assignments (the user matrix) [page 194]

How to use buyer category assignments to add team members to project groups [page 195]


Understanding buyer category assignments (the user matrix)

User matrix data loaded in your site assigns specific users to project groups for specific commodities, regions, and departments. These assignments allow you to route supplier management projects to the category or supplier managers who are responsible for those commodities and regions.

Buyer category assignments automatically add project team members when a supplier management project is created. In fact, they are the only way to add team members to the Project Owner group from a template, since individual users added to a template's Project Onwer group are not inherited by any projects that are created from the template.

Buyer category assignments are created by a combination of two components:

● User matrix data, which an administrator imports into your site as a CSV data file [page 41]. The file assigns either individual users or global user groups to project groups for specific commodities, regions, and departments.

● Template project groups with the Use commodity and region assignments setting enabled. Importing user matrix data does not automatically create the project groups it references. Default template project groups such as Project Owner do not automatically use user matrix data to assign team membership. You must create or edit the project groups referenced in your site's user matrix data and enable the assignment setting [page 41] so that the user matrix data is used to add team members to them.

Buyer category assignments are always based on a combination of commodity and region. The combination can be general (all commodities or all regions), narrow (solid-fiber cardboard crates or London), or anywhere between in the commodity and region hierarchies. When a supplier management project is created, it checks to see if there are users assigned to the supplier's commodity code and region; if there is no exact match, it looks for the users who are assigned to the commodity code and region above them in the hierarchy and adds those users to the team instead. Since sites often have thousands of low-level commodity codes, and hundreds of low-level regions, buyer category assignments ensure that the most appropriate users are always added to supplier management project teams. For example, if there is no user assigned to Vermont, a supplier registration project will add the user assigned to the United States to the project team instead.

If your site has the business unit supplier management matrix enhancement feature enabled, buyer category assignments are based on a combination of commodity, region, and department. The assignments work the same way with your company's department hierarchy as they do with commodity and region hierarchies.

Buyer category assignments function in substantially the same way as team member rules do in other SAP Ariba projects. However, they are designed specifically for supplier management workflows, so they have the following advantages over team member rules:

● They are applied only based on commodity, region, and department which are the most common metrics by which companies organize their supplier management processes.

● They apply to all supplier management projects in a site, meaning:○ A single source of assignment data. A template creator must upload team member rules files to each

individual project, but a customer administrator can upload and maintain buyer category assignments for all supplier management projects in a single CSV file.

○ Continuity of team membership across the entire supplier lifecycle. Since assignments apply to all supplier management projects in a site, the same category or supplier managers and other team members manage the same suppliers across all related supplier management projects.

● More flexibility: team member rules with assign users to projects based on exact matches to a field value, while buyer category assignments will also look for matches above the specified value in a hierarchy if there are no exact matches.



RestrictionSince supplier qualification, disqualification, and preferred supplier management projects are always based on a commodity/region/department combination, buyer category assignments are automatically applied to the project groups where they are enabled in these projects. They are also applied to supplier request projects if the supplier request form includes questions based on commodity, region, and department master data that are mapped to matrix.Categories, matrix.Regions, and matrix.Departments respectively, since those questions set the commodity, region, and department for the request project. They are not applied to supplier registration projects, where there is currently no way of setting the project's commodity, region, and department from mapped questions or other content.

Related Information

Adding project groups and team members to project templates [page 192]How to use buyer category assignments to add team members to project groups [page 195]User matrix (buyer category assignment) data import file format [page 41]

How to use buyer category assignments to add team members to project groups

You must configure project groups to use buyer category assignments, which specify the users that are added to project groups in supplier request, qualification, disqualification, and preferred supplier management projects based on the project's commodities, regions, and departments.

Prerequisites

Commodity and region assignments work automatically in supplier qualification, disqualification, an preferred supplier management in the project groups that are configured to use them. They will only work in request projects if the request form includes questions based on commodity and region master data that are mapped to matrix.Categories and matrix.Regions respectively. They are not currently supported in supplier registration projects. They also include department in sites with the business unit supplier management matrix feature enabled.

Commodity, region, and department assignment data (the user matrix) must be imported into your site in order for users to be added to project groups based on those assignments.

To make supplier or category managers the owners of those supplier projects based on commodity, region, and department assignments, you must edit the Project Owner group to apply the assignments (user matrix) to it and make sure that the system user aribasystem is a member of the group.


Procedure

1. Open a supplier template for editing. If the template status is not Draft, create a new version so that you can edit it.

2. On the Team tab, choose Actions Team Members Edit .3. Perform one of the following actions:

○ To edit an existing project group, click its name.○ To add a new group, click Add Group and enter a name for the group.

4. For Use commodity and region assignments, choose Yes.5. Click OK.6. (Optional) Use the dropdown menu in the Members column to manually add individual users or user groups to

the group.7. Click OK.

Related Information

Understanding buyer category assignments (the user matrix) [page 194]Adding project groups and team members to project templates [page 192]How to edit a project template [page 86]

Topics about team member rules to add project groups and team members

About team member rules files [page 196]

Team member rules file templates [page 197]

Rule matching in projects [page 198]

How to create team member rules files [page 199]

Hierarchical region example [page 201]

How to add team member rules to a template [page 202]

How to validate team member rules [page 203]

About team member rules files

You can use team member rules files to automatically add project team members when a project is created. To pre-populate the Project Owner group from a template, you must use a team member rules file. (If you add users to the Project Owner group in a template from the Team tab, those users will be members of the Project Owner group for that template project only; they are not inherited by any projects created using that template.)



NoteIn supplier request, registration, qualification, disqualification, and preferred supplier management project templates, you can use buyer category assignments to populate the Project Owner groups from the template instead. However, buyer category assignments are not available in other project template types.

Team member rules files are a specific type of template document. They are always Microsoft XLS workbooks. Unlike other project documents, you can upload team member rules files on the template’s Team or Documents tab. However, once you have uploaded a team member rules file, you manage it as you would any other template document on the Documents tab.

Team member rules files help you standardize your template creation process. Your company can create different rules files for different kinds of projects, such as projects in different regions, or projects that are associated with different commodity categories. For example, you can create team member rules files to route ownership of projects to the people at your company who are responsible for a particular region or commodity category. When a user creates a project with the appropriate region or commodity categories, the project uses the team member rules to populate the team with the correct members for that region or commodity category. Whenever someone edits a project, the team rules are re-processed to update team membership based on the changes.

You create team member rules using the following general steps:

1. Download a team member rules file template that contains the project template’s current project groups and field names; see Creating Team Member Rules Files [page 199].

2. Create team member rules in the file; see Creating Team Member Rules Files [page 199].3. Upload the team member rules file to the project template; see Adding Team Member Rules to a Template

[page 202].

Related Information

Understanding buyer category assignments (the user matrix) [page 194]

Team member rules file templates

The team member rules file template contains the following tabs:

● Instructions: A set of instructions for using the team member rules file.● Team Member Rules: A worksheet where you create team member rules by entering values in columns.● Field Names: A list of the full names of all of the template’s current fields in dot notation.● Project Groups: A list of all of the template’s current project groups.

You use the information on the Field Names and Project Groups tabs to create team member rules on the Team Member Rules tab.

The Field Names and Project Groups tabs are populated with all of the current fields and project groups in the template at the time you download the team member rules file template. If you add project groups or fields to the template, you can download the file again to see those additional values on the Field Names and Project Groups tabs.


You can also create team member rules based on published supplier profile questionnaire content that is available for reporting. The content must have a single response; you cannot create rules based on questionnaire content that has multiple responses, such as multiple choice questions. If you add reportable content to the profile questionnaire, you must re-publish it and then download the file again in order to see those additional values on the Field Names tab. For more information on supplier profile content, see Managing the Supplier Profile Questionnaire.

If your site uses the supplier profile questionnaire to gather information about suppliers, you can also create team member rules based on published supplier profile questionnaire content that is available for reporting. The content must have a single response; you cannot create rules based on questionnaire content that has multiple responses, such as multiple choice questions. If you add reportable content to the profile questionnaire, you must re-publish it and then download the file again in order to see those additional values on the Field Names tab. For more information on supplier profile questionnaire content, see Managing the Supplier Profile Questionnaire. If your site uses supplier request and registration projects and registration questionnaires to gather information about suppliers, the content of those questionnaires is not available in team member rules templates.

Rule matching in projects

Each row on the Team Member Rules tab creates a rule. The SAP Ariba solution reads the rules file and, if all of the Field_Name values in a row match in the project created from the template, it does the following in the new project:

● Assigns the users in the User or Group columns to the project specified in the ProjectGroup column.● Makes any user specified in the OwnerId column the default project owner.

When the SAP Ariba solution matches values to add team members, it uses the following criteria for each row in the rules file:

● All values in field name columns must match the template project’s values for those fields or the row is not considered a match and is ignored. For example, if the rules file uses Supplier.AnnualRevenueMinimum and Supplier.OrganizationType field name columns, the values in both of those columns must match the project template’s values. If only the Supplier.AnnualRevenueMinimum value matches, the row is ignored and the users or groups are not added to the project group or made the default project owner.If a rule (row) does not match and is ignored, processing continues to the next rule (rule evaluation does not stop).

● Wildcards (*) and empty column values always match. For example, if the rules file uses Supplier.AnnualRevenueMinimum and Supplier.OrganizationType field name columns, and the Supplier.AnnualRevenueMinimum value matches while Supplier.OrganizationType is a wildcard, the row matches and the users or groups are added to the project group or made the default project owner.

● Hierarchical field matches can be matched by child field values. For example, if you use a Commodity as a field name column and specify a top-level commodity value in the rules file, any project value that is a child of the top-level commodity will match. If the field in the template project uses any of the child commodities under that parent, the row matches and the users or groups are added to the project group or as the default project owner.Child field matches can be used for the Commodity, Regions, Departments, and Product hierarchical fields.



How to create team member rules files

You use a team member rules file to automatically add project team members when a project is created. You must use a team member rules file to prepopulate the Project Owner group in projects created from a template.

Prerequisites


Procedure

1. Create or open a project template. If the status is not Draft, create a new version as described in Creating a New Version of a Template and Enabling Editing [page 86].

2. Download a team member rules template that contains the project template’s current project groups and field names. On the template’s Team tab, choose Actions Team Member Rules Download Template .

3. Save the team member rules file template XLS file to the location of your choice.4. Edit the team member rules file template to create team member rules. Enter values in columns on the Team

Member rules sheet according to the following table.

If you want the rule to apply to all of the possible values for a column, enter a wildcard (*) in the column or leave it blank.

If you want the rule to apply to a range of values for a column, use the tilde character (~). Range expressions are inclusive on the lower boundary but not on the upper boundary. For example, to create a rule that applies to every value of 1000 and over, enter 1000~; to create a rule that applies to every value from 0 to 3, enter 0~4; to create a rule that applies to every value below 1000 (but not 1000 itself), enter ~1000. You can only use range expressions in rules for numeric fields.


Column Description

Field_Name The Field_Name columns represent the names of different SAP Ariba fields. If the Field_Name value you specify in this column matches values in a project created from the template, the template adds the users or groups in the row to the project group, or makes the specified user the default project owner. For the Supplier field in supplier workspace profiles, you must include the full field name using dot notation; for example, the full name of the Country field is Supplier.CorporateAddress.Country. The Field Names tab in a team member rules file template lists the full names for all current fields in the project template from which it was downloaded.

You must always supply either a specific value or a wildcard for Field_Name columns. You cannot enter multiple values in a Field_Name column. However, you can include multiple Field_Name columns in a rule file; the values in all Field_Name columns in a row must match in order for the template to add the users or group to the project group, or to make the specified user the default project owner.

Some data field values must match specific values in the system, such as values for regions or commodity codes. For these field types, you can use an export task to find out what the specific values should be. If you cannot access the necessary export events, contact the Customer Administrator in your organization.

If you are using date fields or data fields with numeric values that are mapped to an element in a vector, such as commodity codes, you must force Microsoft Excel to store the value as text. To do this, either change the format of the column to type Text in Microsoft Excel or prefix the value with an apostrophe (‘); for example, for a value of 500, enter ‘500.

NoteValues for countries must be 2-letter ISO country codes.

For more information about how the system matches values in Field_Name columns with values in projects, see Understanding Rule Matching in Template Projects [page 198].

ProjectGroup The name of the project group to which you want to add users or groups; for example, Project Owner. You must supply a value for this column. The Project Groups tab in a team member rules file template lists all of the current project groups in the project template from which it was downloaded.

User The user names of the users you want to assign to a project group; for example, bobsmith. You do not have to supply a value for this column; you should only use it if you want to assign individual users to the project group.

You can enter one user name, or multiple user names separated by colons (:); for example, bobsmith:tomjones:anndavis.

PasswordAdapter The password adapter associated with the user name or user names. SAP Ariba solutions use password adapters to distinguish between users that have the same user names. The default password adapter values are PasswordAdapter1 (for internal users at your company, the buyer organization) and SourcingSupplierUser (for external supplier and customer organization users). Use this column only if you have also entered one or more values in the User column.

You can only enter one value per row in this column, so if you want to create rules for both buyer and supplier users, you must create two separate rules, one for each PasswordAdapter value.



Column Description

Group The name of the global user group that you want to assign to the project group; for example, Supplier/Customer Manager or Supplier Registration Manager

.

You do not have to supply a value for this column. If you do supply a value, and you also supply a value in the User column on the same row, both values are added to the project group. You can enter one group, or multiple groups separated by colons (:).

OwnerID The user name of the default project owner for all projects created from the template; for example, bobsmith.

You do not have to supply a value for this column; you should only use it if you want to make a specific user or users the default project owner for all projects created from the template. If there is no value specified in this column, the new project is owned by the user who created the project and the members of the Project Owner group.

In the supplier workspace, request, registration, qualification, and preferred supplier management templates, the project owner is the account owner or category manager for the supplier. You can assign specific users as owners for specific projects created from the template, or specify aribasystem as the default, unassigned owner. Specifying aribasystem in the template means that the person who creates the project is not the project owner by default, so that ownership of the supplier project can be assigned to the correct owner at a later time.

NoteYou should exercise caution when making a single user a default project owner in the template. When a user creates a project that matches the template’s rules for default project ownership, the user who created the project is not the project owner and cannot manage the project; only the default project owner can. There are specific cases where default project ownership is useful. For example, whenever different users in solutions that include SAP Ariba Supplier Information and Performance Management (classic architecture) create unapproved supplier organizations, they automatically create associated supplier workspaces that they are not intended to manage; your supplier workspace template should route default ownership of those supplier workspace projects to the specific Supplier/Customer Manager users who manage specific sets of suppliers. However, it is usually important for the user who created a contract workspace, SAP Ariba Sourcing event, or SPM project to own and manage the project, instead of using the template to assign a default owner.

OwnerPasswordAdapter The password adapter associated with the owner’s username. The default password adapter values are the same as those for the PasswordAdapter column. Use this column only if you have also entered one or more values in the OwnerId column.

Hierarchical region example

The following example shows a team member rules file with a rule that specifies a parent region (APAC):

Region,ProjectGroup,Group,User,PasswordAdapter,OwnerId,OwnerPasswordAdapter

APAC,My Project Group,My Group,xleo:hlei,PasswordAdapter1,hlei,PasswordAdapter1


The region APAC is a parent region that contains China as a child. If a project created from the template has China as its Region field value, the following additions are made to the project:

● every user in the global My Group group is assigned to the My Project Group project group● the users xleo and hlei are assigned to the My Project Group project group● the user hlei becomes the default project owner

How to add team member rules to a template


Prerequisites


Context

You add team rules to a template by uploading team member rules files on the Documents or Team tab. You cannot create tasks for team member rules file documents or set conditions on them.

There is no limit to the number of team member rules files you can add to a template. Each team member rules file that you upload to a template adds to the total set of team member rules the template uses. To modify a template’s existing team rules, you must make edits to the appropriate team member rules file on your local computer and upload the file as a replacement document.

Procedure


2. On the Team tab, choose Actions Team Member Rules Upload Rules File .3. Select the team rules file to upload (browse for the file, enter the file path, or drop a file icon in the drag-and-

drop box).4. Add an optional description. SAP Ariba recommends that you describe the type of rules the file creates, so that

users who edit the template can see them at a glance.5. Set other properties for the rules file, such as base language and keywords.6. Click Create.



Results

The uploaded team member rules file now appears on the template’s Documents tab.

How to validate team member rules


Prerequisites


Context

You validate team member rules by publishing the rules file document. You should only publish a team member rules file after you have finalized the rules and are just checking for technical errors in the file. For most types of projects, once you have successfully published a template document, any edits you make will only apply to projects created from the republished template; they will not apply retroactively to existing projects. You can upgrade supplier workspace and SPM projects to new template versions that include new versions of team member rules; you cannot upgrade supplier request, registration, qualification, disqualification, and preferred supplier management proejcts to a new template version..

Procedure


2. On the Documents tab, click the team rules file you want to validate and choose Publish.

If the team member rules file does not contain any syntax or data errors, the document publishes. If it does contain errors, a validation error message displays at the top of the page, and the team member rules file document is not published. You cannot publish a template that contains team member rules files with validation errors.

3. If you see a validation error, correct the problems in the team member rules file and publish it again. Validation error messages are displayed at the top of the SAP Ariba page.


Topics about setting up supplier form and questionnaire approvals

You define the approval process for a supplier form or questionnaire in an associated approval task.

About approval rules in project templates [page 204]

Informacje o grupach w obiegach zatwierdzeń [page 206]

How to create or edit approval rules [page 206]

About the approval rules editor [page 208]

How to create a simple approval rule [page 210]

How to edit approval flows with the approval process diagram [page 211]

Using approval rule conditions [page 213]

How to add approvers in the approval rule editor [page 216]

Example: how to create a conditional approval flow based on the risk assessment project's region [page 217]

About approval rules in project templates

Template authors can use the approval rule editor to create or edit sets of custom approval rules that can include both parallel and serial approvers, conditions for approvers, or approval rule lookup tables.

Template authors can also specify a simple set of parallel or serial approvers directly in the Approvers or Reviewers field. This method provides a simple way to specify approvers but does not include all the functionality provided by the approval rule editor.

NoteDo not add approvers to an approval task that you have set to auto approve. You cannot publish supplier request, supplier registration, supplier qualification, supplier qualification request, supplier disqualification, preferred supplier management, or modular supplier management questionnaire project templates that include an approval task with approvers and Allow auto approval set to Yes.

Informacje dotyczące szeregowych i równoległych osób zatwierdzających

Osoby zatwierdzające (lub weryfikatorzy) mogą być szeregowymi lub równoległymi osobami zatwierdzającymi.

Szeregowe osoby zatwierdzające są przypisywane kolejno w kolejności, w jakiej pojawiają się na schemacie obiegu zatwierdzeń (od lewej do prawej). SAP Ariba nie aktywuje węzła w obiegu (przypisuje zadanie osobie zatwierdzającej w węźle), dopóki poprzednie osoby zatwierdzające (osoby zatwierdzające po lewej stronie w obiegu zatwierdzeń) nie prześlą zatwierdzeń lub weryfikacji. W kolejnym obiegu zatwierdzeń, SAP Ariba najpierw przypisuje zadanie użytkownikowi AAA. Po przesłaniu zatwierdzenia przez AAA, SAP Ariba przypisuje zadanie użytkownikowi BBB.



Równoległe osoby zatwierdzające są przypisywane jednocześnie. SAP Ariba przypisuje zadanie osobom zatwierdzającym w tym samym czasie. W kolejnym obiegu zatwierdzeń, SAP Ariba przypisuje zadanie użytkownikom AAA i BBB w tym samym czasie.

Obieg zatwierdzeń może zawierać kombinację równoległych i szeregowych osób zatwierdzających.

Setting up ad hoc approval for risk engagement requests and assessments

Supplier or third-party risk engagements allow users to add ad-hoc approvers for any approval task that has an empty approval flow in the project template.

Other types of SAP Ariba projects allow approvers to add ad hoc approvers to defined approval flows by editing the approval task. Users cannot edit tasks in risk engagements to add approvers. However, if the approval task has an empty approval flow, users in the Supplier Risk Engagement Governance Analyst group see a button on the engagement page that allows them to add one or more approvers for the task.

To enable ad hoc approval on a task with a defined approval flow, edit the task to delete all approval nodes. An approval task is empty when there are no approval nodes between the Submitted and Approved boxes in the approval flow editor. To enable ad hoc approval on a new approval task, do not add any approvers to its approval flow.

Related Information

How to create or edit approval rules [page 206]


Informacje o grupach w obiegach zatwierdzeń

Po dodaniu grupy do obiegu zatwierdzeń (lub weryfikacji), SAP Ariba może wykonać następujące działania:

● Rozwinięcie grupy (i ewentualnych podgrup) oraz wstawienie każdego użytkownika jako równoległej osoby zatwierdzającej (lub weryfikatora) do obiegu zatwierdzeń. Każdy użytkownik otrzymuje powiadomienie o zadaniu. Wszyscy użytkownicy w grupie są potrzebni do zatwierdzenia (lub weryfikacji) dokumentu. Po zatwierdzeniu (lub weryfikacji) dokumentu przez wszystkich użytkowników w grupie obieg zatwierdzeń przechodzi do kolejnych osób zatwierdzających.

● Wstawienie grupy jako pojedynczej jednostki do obiegu zatwierdzeń. Wszyscy użytkownicy w grupie otrzymują powiadomienie o zadaniu. Każdy użytkownik w grupie ma wystarczające uprawnienia do zatwierdzenia zadania (lub przejścia do następnej osoby zatwierdzającej w obiegu szeregowym).

Sposób działania podczas dodawania grupy do obiegu zatwierdzeń jest określany przez metodę, której używasz do dodawania osoby zatwierdzającej.

● Jeśli dodajesz grupę za pomocą graficznego edytora obiegu zatwierdzeń, okienko dodawania osoby zatwierdzającej zawiera opcję Wymagane zatwierdzenie przez wszystkie osoby zatwierdzające? Jeśli wybierzesz Nie, SAP Ariba wstawi grupę jako pojedynczą jednostkę w obiegu zatwierdzeń. Jeśli wybierzesz Tak, SAP Ariba rozwinie grupę i wstawi każdego użytkownika jako równoległą osobę zatwierdzającą. Wartość domyślna to Nie.

● Jeśli dodasz grupę jako osobę zatwierdzającą bezpośrednio w edytowalnym polu Osoby zatwierdzające lub Weryfikatorzy w oknie zadania dla szeregowego lub równoległego obiegu zatwierdzeń, SAP Ariba nie rozwinie grupy.

● Jeśli grupa została odziedziczona z pliku tablicy przeglądowej osób zatwierdzających w szablonie, SAP Ariba nie rozwinie grupy.

How to create or edit approval rules

Approval rules specify who has to review or approve a document.

Prerequisites


Procedure


2. If the task does not already exist, select the appropriate document and click Create New Task Review , Approval, or Negotiation. The system opens a window to create the task.



If the task already exists, click the task name and click Action View Task Details . In the task area, click Actions Task Edit .

3. Use one of the following methods to add approvers:

○ Specify a simple set of parallel or serial approvers directly in the Approvers or Reviewers field. Select Parallel or Serial for the approval flow type, then use the pull-down menu in the Reviewers or Approvers field to add approvers without using the approval rule editor. See Limitations when specifying approvers in the approvers or reviewers field [page 207] for limitations.

○ Open the approval rules editor. In the window for a new task or task without an approval flow, navigate to the Approvers or Reviewers field, then click one of the following:

○ an approval flow icon (such as ).○ a link for an approval flow type (Parallel, Serial, or Custom)○ If you are working on an existing task with an approval flow, click View Task Details, then click the

Review Flow, Negotiation Flow, or Approval Flow tab.

NoteIf you select Parallel or Serial for the approval flow type and use the approval rule editor to add approvers, the system changes the approval flow type to Custom.

If you have a Custom approval flow and change the approval flow type to Parallel or Serial, the system removes all customization data from the approval flow, including:○ Any condition for each rule.○ Any rule that uses an approver lookup table file.○ The Required Approver or Watcher option. All approvers become required approvers.○ The title, description, and reason for each approver.

Limitations when specifying approvers in the approvers or reviewers field

If the approval rule flow type is parallel or serial, template authors can specify a simple set of parallel or serial approvers directly in the Approvers or Reviewers field, with the following limitations:

● The approval flow can contain either parallel or serial approvers, but not both parallel and serial approvers.● You cannot add any watchers to the flow.● You cannot specify any conditions for the approvers.● You cannot use approval rule lookup tables.● You cannot move approvers in the flow.● If you specify multiple serial approvers, you must add the approvers in order from last to first; the last reviewer

you specify will be the first approver in the approval flow.● If you select a group as an approver, there is no option to expand the group and require all users in the group to

approve (or review) the document. Only one user in the group is needed to approve (or review) the document. After one user in the group approves the document, the approval flow moves to successive approvers. If you want to require all users in a group to approve a document, you must add the group using the approval rule editor.

● You cannot use the Add Launch Approver or Add Contract Approver action to conditionally add the Sourcing Approver or Contract Approver group to an approval flowSpecifying Actions to Add Approvers and Groups [page 216].


● You cannot use the Add Supervisor action create a supervisor rule, which adds the supervisor of a user project field to an approval flow by notification profiles.

● The system adds the following text as the reason for the approver: Action is required. By default, this text is included in email notifications sent to approvers.

About the approval rules editor

As an alternative to specifying approvers directly in the Approvers or Reviewers field, you can use the approval rule editor in a project template. The approval flow editor enables you to create a mix of parallel and serial approvers and to specify conditional approvers. From top to bottom, the approval rule editor contains the following sections:

● Approval Process Diagram. Add rules here or select a rule to see the condition and action.● Approval Rule Editor. Specify or view the condition that triggers the action (add users or groups) for the rule

selected in the diagram. It contains the following sections:○ Condition: Specify a condition for the action. If you always want the action to occur, use the default

condition (an empty All Are True condition).○ Action. Specify or view the action taken when the condition is met. The action specifies if approvers are

added by selecting individual users or groups using a drop-down menu or by using an Approver Lookup Table.

● Parameters. Specify parameters for the rule selected in the diagram. If you are not using an Approver Lookup table, use the drop-down menu to select the users or groups to add to the approval flow.



For example:

The approval rules for a given task are shown in the Approval Process Diagram. Each approval rule consists of:

● A condition.The condition in an approval rule contains one or more references to conditions defined for the template.

● An action.The action adds specified approvers to the approval flow. If the condition is met, then the system performs the action and adds the specified approvers to the approval flow.

Creating a condition is optional; if you do not create a condition, the default condition (an empty All Are True condition) always evaluates to true and the action always occurs.

In this example, the approval process diagram has the rule Over $100M. The rule Over $100M is highlighted and the editor shows the condition and action for this rule: if the template condition Contract Amount Over $100M is true, the system takes the action to add the user Max Olson to the approval flow.

To configure approval rules, you:

1. Add one or more approval rules, which are shown in the approval process diagram. For information about working with the approval process diagram, see How to edit approval flows with the approval process diagram [page 211].


2. (Optional) Specify a condition for each approval rule. The condition contains references to template conditions. The approval rule editor includes a feature that enables you to define a template condition if one does not already exist. For information about working with conditions, see Working with Approval Rule Conditions [page 213].

3. Specify an action for each approval rule to add approvers. For information about adding approvers, see How to add approvers in the approval rule editor [page 216].

Related Information

How to create a simple approval rule [page 210]

How to create a simple approval rule


Prerequisites


Context

You can create a simple approval rule without using an approval rules table. Each approval rule adds one approver or group of approvers to the approval flow.

Procedure

1. Create a new task in a template or edit an existing template task from the View Task Details page.

2. Select the approval flow type and click the corresponding approval flow icon (such as ).The approval rule editor opens.

3. In the approval process diagram, click Add Initial Rule.4. Specify a a name in the Rule Title field and add text for the Rule Description.5. Optional: If you always want the approvers in this rule to be added, leave the Condition area as it is (containing

only the All Are True statement). If you want to add the approvers based on a condition, see Using approval rule conditions [page 213].



6. In the Action area, select Add Approvers and Groups if it is not already selected. From the Action pull-down menu, choose the type of approver you want to add:

○ Add Approvers: adds one or more individual users, groups, or project groups.○ Add Group: adds one global group.○ Add Project Group: adds one project group.○ Add Contract Approver: adds the Contract Approvers global group if the required conditions are met. For

more information, see Specifying Actions to Add Approvers and Groups [page 216].○ Add Launch Approver: adds the Sourcing Approver global group if the required conditions are met. For

more information, see Specifying Actions to Add Approvers and Groups [page 216].○ Add Supervisor. Adds the supervisor of a project user field (such as the Owner field) to the approval flow

using notification profiles. The rule can also be “chained” to repeatedly add supervisors.7. Specify the appropriate parameter values for the approvers as follows:

○ All users in group have to approve: This field is present only if you are adding a global group or project group to the approval flow. If selected, the system expands the group and adds each user in the group as an individual parallel node in the approval flow. Each user in the group must approve (or review) the document.

○ If the All users in group have to approve option is not selected, the system adds the group as a single entity in the flow and only one user in the group is needed to approve (or review) the document. After any one user in the group approves the document, the approval flow moves to successive approvers.

○ Approval required: If selected, the approver must approve or review the document associated with the task (this is the default value). If this option is not selected, the approver is added as a watcher. A watcher cannot approve the task but can view the task and the approval flow.

○ Approving Group, Approver(s) to be added to the flow, or ProjectGroup to be added to the flow: Select the group or users to be added.

○ Reason: Reason for adding the approvers. This field is optional. By default, the text you specify in this field is included in email notifications sent to approvers.

8. To add additional approval rules to the flow, go back to the Approval Process Diagram and click the action triangle button ( ) where you want to add the node in the flow.

The new node is highlighted in green to indicate that the contents of the Approval Rule Editor apply to this node.

9. Click Done.

Related Information

About the approval rules editor [page 208]

How to edit approval flows with the approval process diagram

Approval rules in approval flows specify who has to review or approve a document. You can define an approval flow with multiple rules using an approval process diagram.


Prerequisites


Context

Each box, or node, in an approval flow represents an approval rule. Approval rules are processed in order from left to right. When the system creates an approval flow from the approval rules, it evaluates the condition for each rule and adds the approvers specified in the action for the rule.

Nodes in an approval flow have action triangle buttons () you can click to add or move nodes . To delete an approval rule, click the “X” button ().

Procedure

1. Open the approval flow editor as described in Creating or Editing Approval Rules [page 206].2. To add an approval rule:

a. Click the area in the approval flow where you want to add the approver (or reviewer).○ If there are no approvers in the approval flow, click Add Initial Approver to add an approver. This

button is available only when there are no approvers.○ If you are adding a serial approval rule to a flow with existing rules, click the action triangle button ()

where you want to add the approval rule.○ If you are adding a parallel approval rule to a flow with existing rules, click the left-most action triangle

button () in the flow.b. Choose Add Serial Rule or Add Parallel Rule.c. To specify where the parallel rule or flow should connect back into the main approval process, click a blue

target (). (If there is only one position possible, the position is selected for you.)d. In the approval rule editor below the diagram, enter a title and description for the new rule.

3. To move an approval rule:

a. Click the left or right triangle action button () beside the approval rule you want to move.b. Choose Move Rule.

Blue targets ( ) indicate the possible positions for the rule.c. Click one of the blue targets to move the rule to the corresponding position.

The updated diagram shows the new position of the moved rule.4. To delete an approval rule:

a. Click the “X” button () on the approval rule you want to delete.b. Click OK when prompted for confirmation.



Next Steps

● (Optional) Specify a condition for this rule (Using approval rule conditions [page 213]).● Add approvers.

Related Information

How to add approvers in the approval rule editor [page 216]

Using approval rule conditions

NoteSpecifying a condition for an approval rule is optional. If an approval rule has no condition defined, the system always performs the action specified for that rule.

A condition for an approval rule consists of components. The components can be:

● References to a condition, which are references to a condition defined for the template. The approval rule editor also enables you to create a template condition and add a reference to the new condition.

● Subconditions, which contain a set of condition components that are evaluated together with a series of logical operators. Subconditions enable you to build conditions with multiple components.

● Document field matches, which evaluate to true or false depending on field values in document forms.

NoteYou can also define conditions and actions based on an approver lookup table.

A condition in an approval rule always contains at least one subcondition. In its simplest form, an approval rule condition consists of a subcondition that contains a reference to a template condition. For example, you could have the following condition expression:

All Are True Regions is equal to USA

This condition expression consists of the All Are True subcondition and the field match Regions is equal to USA.

NoteAll condition expressions start with a subcondition, even if the only additional component is a field match or a reference to a condition.


References to a condition

When you choose to add a reference to a condition, the system opens a window with a chooser for conditions already defined in the project template and a Create Condition link you can click to open the condition editor and create a new condition for the template. For more information about the condition editor, see Defining Approval Rule Conditions [page 214].

Subconditions

Subconditions enable you to group and evaluate a set of condition components as a whole.

In the following figure, All Are True is the subcondition.

There are three subcondition types:

● All Are True. For this subcondition to be true, all the condition components that it contains must be true. Conceptually, the All Are True subcondition places AND operators between the condition components in the set.

● Any Are True. For this subcondition to be true, at least one of the condition components that it contains must be true. Conceptually, the Any Are True subcondition places OR operators between the condition components in the set.

● None Is True. For this subcondition to be true, all condition components that it contains must be false. Conceptually, the None Is True subcondition uses NOT...AND NOT operators:NOT condition component 1 AND NOT condition component 2 AND NOT condition component 3.

An approval condition can contain multiple subconditions (and components). You add condition components from left to right in the condition builder. The components are evaluated in the opposite direction—from right to left.

How to define approval rule conditions

Context

Use the condition builder in the approval rule editor to define the condition for an approval rule.



Procedure

1. Open the approval flow editor as described in Creating or Editing Approval Rules [page 206].2. In the approval process diagram, select the rule for which you want to build a condition.

3. Click the action triangle button () next to All Are True. All conditions must start with a subcondition even if you plan to add only one other condition component. The default initial subcondition is All Are True. If you want to change the subcondition type, scroll down to the Change To area and choose the new type. For more information on subcondition types, see Subconditions [page 214].

To create a new template condition or to add a reference to a project template condition, click the action triangle button next to All Are True, then click Reference to Condition.

The system opens a pane with a Reference to Condition field and a Create Condition link.

To use an existing project template condition, click the arrow button next to the Reference to Condition field. A chooser opens with the existing project template conditions.

To create a new project condition, click Create Condition. You can also use this link to define a document field condition..

4. Enter a name for the condition, such as RegionIsEMEA.

5. Enter a description for the condition.6. All conditions start with the subcondition All Are True. If you want to change the subcondition type, click the

action triangle button () next to All Are True, then select a type under Change To, such as None Is True.

7. To add a field match, click the triangle button next to All Are True, then click Add Condition Field Match .

A field match builder opens. Click Select. A pull-down menu opens with project fields commonly used for field matches.

8. Select a project field, such as Regions. If you want to use a field that is not listed or to use a subfield (such as the country in the customer or supplier address), click more fields to open a complete list of project fields. Click Select for the field you want to use and click Done.

9. Select an operator from the pull-down menu, such as is equal to.10. Click Select to the right of the (No Value Selected) text to specify the value for the field match.

Depending on the data type for the field, the system displays a pull-down menu with acceptable values, a selection pane, or data entry pane. Enter or choose the value, set of values, or range of values (as applicable) that you want to match.

If a field can have multiple values, the system displays a selection pane. Clicking Select opens a chooser that enables you to specify a set of multiple values for the field match. The condition will be true if any of the field values in the set are matched. To create a condition that is true if all of the specified field values are matched, you must create a condition expression with the All of operator and multiple field matches, where each field match specifies a single value.

11. Continue adding condition components as necessary.12. Click OK.


How to add approvers in the approval rule editor


Prerequisites


Procedure

1. Open the approval rule editor as described in How to create or edit approval rules [page 206].2. In the Approval Process Diagram area, select the rule (node) for which you want to add approvers.3. (Optional) Specify or create a condition for the action as described in Defining Approval Rule Conditions [page

214].4. In the Action area, select one of the following options to add approvers.

○ Add Approvers and Groups: Specify a user, global group, or project group from the Action pull-down menu.You can also use this option to add the supervisor of a project user field (such as the Owner field) to the approval flow. This action can also be “chained” to repeatedly add supervisors.

○ Use Approver Lookup Table: Use an Microsoft Excel XLS lookup table to determine which approver to add based on project field values. For example, you could have an approver lookup table that lists commodity codes and specifies which approver to add for each code.

5. If you selected Add Approvers and Groups, navigate to the Action pull-down menu and select the type of approver you want to add:

○ Add Approvers: adds one or more individual users.○ Add Group: adds one global group.○ Add Project Group: adds one or more project groups.○ Add Launch Approver: adds the Sourcing Approver global group in SAP Ariba Sourcing if the following

conditions are true:-the task is an Approval for Publish task for a Sourcing event-the user attempting to publish the event does not have PublishEvent permission-the system parameter Application.AQS.RFX.SuppressRuntimeEditApprovals is set to no

○ Add Contract Approver: adds the Contract Approver global group in SAP Ariba Contracts if the task is an approval task for an entire contract workspace or contract request.

○ Add Supervisor: adds the supervisor of a user in a selected user field using notification profiles.

NoteFor supplier management project approval flows, only add project groups. In the case of a missing approver in a supplier management project approval flow, the add missing approver tool does not appear if you are attempting to add an unsupported approver category.



6. Select the appropriate parameters and approvers. Complete the fields as follows:

○ All users in group have to approveThis field is present only if you are adding a global group or project group to the approval flow. If selected, the system expands the group and adds each user in the group as an individual node in the approval flow. Each user in the group must approve (or review) the document. If this option is not selected, only one user in the group is required to approve (or review) the document. After one user in the group approves the document, the approval flow moves to successive approvers.

○ Approval RequiredIf selected, the approver must approve or review the document associated with the task (this is the default value). If this option is not selected, the approver is added as a watcher. A watcher cannot approve the task but can view the task and the approval flow.

○ Approver(s) to be added to the flow○○ Group

Specifies the users, project group, or global group to be added to the approval flow. Click the pull-down menu and then click Search for more to open a chooser.

○ ReasonReason for adding the approvers.

7. Click Done.

Example: how to create a conditional approval flow based on the risk assessment project's region

Prerequisites

This example assumes that there is a required question of answer type Region, with matrix.Regions in the Supplier Field Mapping field, in your supplier or third-party engagement request, asking where the engagement will occur.

Context

This example uses a question in the engagement request asking for the region in which the potential engagement will occur. You want to be able to route the approval of the request to the team responsible for governance in the appropriate region. To do that, you will create project groups for region-based governance teams, then create a project-level condition based on region. You will use those two components to set up the engagement request approval flow to add approvers from the correct-region-based governance team to the request approval flow.

Procedure

1. Open the risk assessment project template. If the status is not Draft, create a new version.


2. Create a project condition based on a value of Europe for the region question:a. Click the Conditions tab.b. Click Add Condition.c. Enter a name for the project condition, such as Europe.d. (Optional) Enter a description for the condition.e. For the expression, click All are true and choose Field Match.

f. Choose Select Regions .g. For the operator, choose is equal to.

h. To set the value, choose Select Select Value .i. Click the Select link.j. In the list of regions, check Europe and click Done.k. Click OK.

3. Create a new project group for governance experts for Europe by performing the following steps:a. Click the Team tab.

b. Choose Actions Team Members Edit .c. Click Add Group.d. In the Title field, enter a name for the group, as European Governancee. If your site uses team member rules to assign users to project groups, set up a team member rule for the

new project group. Otherwise, use the dropdown menu in the Members column to add users to the new project group.

f. Click OK.4. Create a new approval rule that adds the new group as an approver to every engagement request where the

requester answers Europe for the engagement location question:a. Click the Tasks tab.b. Expand the first phase, click the approval task for the engagement request, and choose Edit Task.c. For Approval Rule Flow Type, choose Custom.d. Click Custom to open the approval flow editor.e. In the Approval Process Diagram area, click Add Initial Rule (if no approvals have been set up yet), or

click the action triangle button () to the left of the an existing approval node and choose Add Serial Rule (if an approval has already been set up).

A new, untitled node appears.f. In the Approval Rule Editor area, enter a name for the node, such as European Governance, and a

description, such as Adds European governance experts to the approval flow of European engagements.

g. In the Condition area, click the action triangle button () next to All Are True and choose Add Condition Reference to Condition .

h. On the Reference to Condition dropdown menu, choose Search more, then click the Select button to the right of the Europe condition.

i. Click OK.j. In the Action area, for Type, choose Add Approvers and Groups.k. From the Action dropdown menu, choose Add Project Group.l. Select Approval Required.m. For ProjectGroup to be added to the flow?, on the dropdown menu, choose Search more. Click the

Select button next to European Governance, then click Done.



n. For Reason for the specified approver(s) to be added to the flow , enter a reason such as A European governance expert must approve all requests for engagements that occur in Europe.

o. Click Done.5. Repeat these steps to add conditions, project groups, and approval nodes for other regions. Note that you can

add approval nodes for each region serially or in parallel, since only one of the regional nodes will be active in the approval flow for any given engagement.

Results

When you publish the template, and a requester answers Europe for the region question in the engagement request, the following actions occur in the risk assessment project:

● The answer triggers project condition for region = Europe.● The European Governance node is added to the engagement request approval flow.● Members of the European Governance project group receive notifications of the approval task, and one of

them is responsible for reviewing and approving the engagement request.

Related Information

How to edit a project template [page 86]Topics about team member rules to add project groups and team members [page 196]

Topics about customizing notifications for risk assessment and related projects

Customizing email notification templates for risk assessment and related projects [page 219]

Topics about customizing project-level notifications [page 220]

How to customize the questionnaire invitations sent to suppliers [page 226]

How to add email template tokens [page 227]

How to add translated text to email notification templates [page 229]

Customizing email notification templates for risk assessment and related projects

Risk assessment, issue management, and modular supplier management questionnaire projects use email notification templates to create notifications for various risk assessment-related activities. You can customize these notifications.


Risk assessment and related projects use two different types of notification templates:

● Project-level notifications, which you manage in the Project Manager Project Email Templates task in Ariba Administrator. These notifications are sent to stakeholders who need to complete To Do, review, or approval tasks and when other project-related activities occur. Risk assessment, issue management, and modular supplier management questionnaires all use project-level notifications.

● Assessment questionnaire invitations to suppliers, which you manage from the Summary page of the questionnaire survey document. These notifications are sent to suppliers and invite them to fill out assessment questionnaires. Modular supplier management questionnaires for control-based engagement risk assessments and legacy risk assessment questionnaires both use these supplier invitations.

You can customize email notifications by:

● Modifying the subject and body of the email notification messages.● Formatting text in the body of the message. The email template editor includes a rich-text editor that enables

you to add formatting effects, including:○ Font changes○ Bold, italic, and underlined text○ Bulleted and numbered lists○ Background and font color changes

● Adding email template tokens to the email subject or text. Email template tokens are references or placeholders for information that is provided by the system when the email generated from the template is sent. The information can come from project field values, information about a task or phase, or be generated by the system for the email message itself, such as the recipient's email address.

● Providing translated text for the email subject or text.

NoteNotifications sent to suppliers or other third parties must always clearly identify your company as the sender. You can use the [SYSTEM_CORPORATE_NAME] email template token (in project-level email templates) or the [SPONSOR_CORPORATE_NAME] email template token (in assessment invitations) to automatically insert your company's name into the notification.

Related Information

How to customize project-level email templates [page 221]How to customize the questionnaire invitations sent to suppliers [page 226]

Topics about customizing project-level notifications

How to customize project-level email templates [page 221]

Notifications related to projects [page 222]

Notifications related to tasks [page 223]

Notifications related to modular supplier management questionnaires [page 224]



Notifications related to control-based engagement risk assessment projects [page 225]

How to customize project-level email templates

You customize project-level email templates using the Project Manager Project Email Templates task in Ariba Administrator.

Prerequisites

You must be a member of one of the following groups:

● Project Email Templates Administrator● Contract Administrator● Project Administrator● Customer Administrator● A group with the Project Email Templates Administrator role

You must be a member of the Template Creator or Customer Administrator group to edit email templates in survey documents in project templates.

You must be the project owner to edit email templates in survey documents in individual projects, and the event owner to edit email templates in individual sourcing events.

Context


Procedure

1. Click Manage Administration .

2. Choose Project Manager Project Email Templates Project Manager.3. Select the template you want to edit and click Edit.4. If you are editing a notification in the All Applicable Types section in order to create a notification for a specific

project type (such as a sourcing project), select the type from the Project Type dropdown menu.


Tip○ If you are editing a notification that is already associated with a specific project type, this option is not

available.○ Selecting a specific project type makes it easier to add email template tokens that are specific to that

project type. If you create or modify a template for All Applicable Types, the email token chooser displays only the subset of email template tokens that apply to all project types.

○ If you select a project type and a template already exists for that type, the system asks if you want to open and load the existing template for that project type.

○ If you click Cancel, the text from the current template remains loaded in the editor but the system changes the project type to the type you selected. This operation enables you to copy a template for one project type (the project type of the template you originally opened) for use with another project type (the project type you selected after opening the template).

○ If you click OK, the system loads the existing template for the selected project type and discards any changes you made in the current template.

5. Make changes or additions to the text and add formatting to meet your needs.6. (Optional) Add or remove email template tokens. To remove email template tokens, delete the text and the

square brackets.7. (Optional) Add any translations.8. Click Save to save the edited template.9. Click Done to exit the email template editor.

Notifications related to projects

In general, SAP Ariba solutions do not send notifications specifically for completed or cancelled projects. The only event that triggers a notification for a completed or cancelled project is a change in project state.

Users must be in a project group with the Active Team Member or Project Owner role to receive project-related notifications.

SAP Ariba solutions do not send notifications about projects to owners or members of related subprojects.

SAP Ariba solutions send notifications for the following events related to projects:

● A team member is added to a project team group○ Project - Sent to a user who is added to a project group.

This notification is sent only to the user being added and is not sent to project owners. These notifications are not sent when team members are added to a project team group at project creation time.

● A team member is removed from a project team group○ Project - Sent to a user who is removed from a project group.

This notification is sent only to the user being deleted and is not sent to project owners.● A project status changes

○ Project - Sent to project team members when the project state changes or a project is created.



Notifications related to tasks

Task owners and template authors can specify the recipients and schedules for some notifications in the notification profile for a task. For more information, see the Using Task Notification Profiles and Parameters topic in the Product Documentation For Users section of the Learning Center and the Project Template Guide.

SAP Ariba solutions send notifications for the following events related to tasks and phases:

● A task can be started○ Task - Sent to the task owner when a task can be started because its predecessors have been

completed.● A self-starting task is started

○ Task - Sent to the task owner when a task has been started because its predecessors have been completed.

● A self-starting task cannot be started○ Task - Sent to the task owner when a task cannot be started even though its predecessors have been

completed.● A self-starting phase is started

○ Phases - Sent to the project owner when a phase has been started because its predecessors have been completed.

● A self-starting phase cannot be started○ Phases - Sent to the project owner when a phase cannot be started even though its predecessors have

been completed.● A To Do task is assigned

○ Task - Sent to a task owner when a reviewer/approver is assigned or when a user is assigned as the owner of a To Do task.

○ Task - Sent to a user acting on behalf of another user when a task is delegated to the user.● The scheduled send date for a notification task occurs

If the notification task is associated with a document, and the recipient is an internal user, the notification includes the document as an attachment. If the user is an external user, the document is not included.○ Task - Notification sent to notification task recipients and the task owner.

● An approver or reviewer is assigned to a review, approval, or negotiation taskNotifications sent to internal and external reviewers and approvers include a copy of the document.○ Task - Sent to a task owner when a reviewer/approver is assigned or when a user is assigned as the

owner of a To Do task.○ Task - Sent to a user acting on behalf of another user when a task is delegated to the user.○ Task - Sent to internal users when they are assigned a review task.○ Task -Sent to internal users when they are assigned an approval task.○ Task - Sent to internal users when they are assigned a review task and Offline Email Approvals are

enabled.○ Task - Sent to internal users when they are assigned an approval task and Offline Email Approvals are

enabled.○ Task - Sent to external email reviewers when they are assigned a review task.

● A watcher is assigned to a review, approval, or negotiation taskThe notification includes a copy of the document.○ Task - Sent to a watcher assigned to an approval task○ Task - Sent to a watcher assigned to a review task


● An approver or reviewer completes an action on a review, approval, or negotiation task○ Task - Sent to the task owner when an approver approves a document.○ Task - Sent to the approval task owner if the task is denied.○ Task - Sent to the approval task owner when the task is fully approved.○ Task - Sent to the task owner when a reviewer reviews a document.○ Task - Sent to the review task owner when the task is fully reviewed.

● A task is complete○ Task - Task complete notification sent when a task is complete. The Notification Profile determines

the recipients. This is a scheduled batch notification.● A task is nearly due

○ Task - Pending notification sent when a task is almost due. The Notification Profile determines the recipients.For required updates to supplier profile questionnaire information, the supplier also receives a notification. (These notifications are applicable only to sites using SAP Ariba Supplier Information and Performance Management (classic functionality), which use supplier workspaces to manage suppliers.)

● A task is overdue○ Task - Overdue notification sent when tasks are overdue. The Notification Profile determines the

recipients. This is a scheduled batch notification.● A task is withdrawn

Approval tasks are the only type of tasks that task owners can withdraw.○ Task - Sent to the approvers if a task is withdrawn.

● A user is added to or removed from an approval flow○ Task - Sent to the task owner when an approver is added to an existing approval flow.○ Task - Sent to the offline email approvers when they are added to an approval flow.○ Task - Sent to the task owner when an approver is removed from an approval flow.

● Comments are added to a taskSAP Ariba solutions send the following notifications only if the option Notifications on comment is set to Yes in the Advanced Task Details for a task. For more information, see the Configuring Advanced Task Details topic in the Product Documentation For Users section of the Learning Center.○ Task - Sent to the task owner when a task participant adds a comment to the task.○ Task - Sent to the email reviewer when the task owner adds a comment on the reviewer's behalf.

Notifications related to modular supplier management questionnaires

SAP Ariba sends notifications for various activities related to modular supplier management questionnaires.

● Action needed: Provide additional information to <buyer name>Sent to the supplier contact when an approver has denied the questionnaire but allowed the supplier to resubmit answers, and includes any comments the approver made to explain the denial.

● Approved: <questionnaire title> submitted to <buyer name>Sent to the supplier contact when the questionnaire is finally approved.

● Declined: <questionnaire title> submitted to <buyer name>Sent to the supplier contact when the questionnaire is finally denied.

● Your <questionnaire title> with <buyer name> expires on <project expiration date>Sent to the supplier contact before the questionnaire's expiration date. This notification is not automatic. It is only sent if a template creator in your site has specified that the questionnaire expires in the template survey



document's Supplier Management rules. The template creator also specifies the expiration schedule and the amount of time before the expiration date this notification is sent there.

● Your <questionnaire title> with <buyer name> has expiredSent to the supplier contact when the questionnaire's expiration date has elapsed and the supplier has not edited and resubmitted the questionnaire. This notification is not automatic. It is only sent if a template creator in your site has specified that the questionnaire expires in the questionnaire template survey document's Supplier Management rules. The template creator also specifies the expiration schedule there.

● <questionnaire project name> of <supplier name> expires on <expiration date>Sent to the internal user who sent the questionnaire before the questionnaire's expiration date. This notification is only sent if a template creator in your site has specified that the questionnaire expires in the template survey document's Supplier Management rules. The template creator also specifies the expiration schedule and the amount of time before the expiration date this notification is sent, and can specify that this notification also be sent to the primary supplier manager and/or members of the Project Owner group as well as the user who sent the questionnaire.

● <questionnaire project name> of <supplier name> has expiredSent to internal users when the questionnaire's expiration date has elapsed and the supplier has not edited and resubmitted the questionnaire. This notification is only sent if a template creator in your site has specified that the questionnaire expires and set an expiration schedule in the template survey document's Supplier Management rules. The template creator can specify that this notification also be sent to the primary supplier manager and/or members of the Project Owner group as well as the user who sent the questionnaire.

● Action needed: <task title>Sent to internal users when the approval node to which they are assigned becomes active in the approval flow.

NoteThe questionnaire invitation notification and any reminders related to its due date that are sent to the supplier contact, if enabled, are defined in the customized messages in the questionnaire survey document.

Notifications related to control-based engagement risk assessment projects

In addition to general project and task notifications, SAP Ariba sends notifications for some activities that are specific to control-based engagement risk assessment projects..

● Action needed: provide additional information to <buyer name>Sent to the owners of To Do tasks on supplemental engagement questionnaires in control-based engagement risk assessment projects when a questionnaire approver has requested more information during approval. The notification includes approver comments.

● Archived: <engagement project name>Sent to members of the Project Owner group when an engagement risk assessment project is archived. This notification is used in both simple and advanced archiving workflows.

● Action needed: archive <engagement project name>Sent to members of the Project Owner group when approvers have approved a request to archive an engagement risk assessment project in the advanced archiving workflow and it is ready to archive.

● Denied: request to archive <engagement project name>Sent to members of the Project Owner group when approvers have denied a request to archive an engagement risk assessment project in the advanced archiving workflow.

● Canceled: request to archive <engagement project name>


Sent to members of the Project Owner group when a project owner or Supplier Risk Engagement Governance Analyst has canceled the archiving of an engagement risk assessment project.

How to customize the questionnaire invitations sent to suppliers

You customize the questionnaire invitations sent to suppliers by editing the email notifications associated with the questionnaire survey document.

Prerequisites

You must be a member of the Customer Administrator or Event Administrator group to customize the questionnaire invitations sent to suppliers.

To include your company's logo in registration questionnaire invitations, the parameter Application.EnableCustomEmailLogoAndFooter must be enabled in your site, and one of your company's customer administrators must upload the logo on the Custom Email tab of the Customization ManagerBranding Settings task in Ariba Administrator. See the Common data import and administration guide for Rozwiązania SAP Ariba Strategic Sourcing and Supplier Management for details.

Context

Supplier management questionnaires share some underlying infrastructure with sourcing events, and you customize their supplier invitations in the Event Manager Messaging Templates task in Ariba Administrator. Although you can also customize invitations in individual questionnaire template survey documents, SAP Ariba recommends using the Messaging Templates task. Depending on your company's solution and the types of supplier management projects available in your site, you can use this task to customize supplier invitations for registration, qualification, and modular supplier management questionnaires.

Suppliers answer questionnaires by logging into Ariba Network for Suppliers, filling out the questionnaire, and submitting their answers. If the supplier does not already have an Ariba Network for Suppliers account, they must create one at this time.

The external (supplier-facing) questionnaires in supplier management projects use the following two email notification templates for supplier invitations:

● Publish Event; Invitation for participants, which is sent to suppliers who have already registered with Ariba Network for Suppliers.t

● Invitation for participants who have not used Ariba before, which is sent to suppliers who have not registered with Ariba Network for Suppliers, and includes information about the registration requirement.

In sites created after the SAP Ariba April 2018 release, registration invitation templates automatically include a SUPPLIER_REG_DEADLINE token that displays the deadline by which the supplier must respond to the invitation before the temporary password generated by the invitation expires; a RECIPIENT_NAME token that specifies the name of the invited supplier contact; and a PASSWORD_URL token that automatically renders as a link that the



invited contact can click to create a new Ariba Network for Suppliers account. The deadline displayed by SUPPLIER_REG_DEADLINE is defined by the Application.Password.NewPasswordTokenLifeSpan site configuration parameter. The SUPPLIER_REG_DEADLINE and RECIPIENT_NAME tokens are not available in sites created before the SAP Ariba April 2018 release.

TipMake sure that when you complete your customized invitations, the invitation for existing suppliers still includes the [SITE_URL] email token, which is automatically rendered as a link that the invited supplier contact can click to log into their existing Ariba Network for Suppliers account, and that the invitation for new suppliers still includes the [PASSWORD_URL] email token, which is automatically rendered as a link that the invited supplier contact can click to create a new Ariba Network for Suppliers account. The supplier contact must use one of these links to access your questionnaire.

Procedure

1. On the dashboard, choose Manage Administration .

2. Choose Event Manager Messaging Templates .3. Choose one of the two supplier invitation templates and click Edit.4. Make changes or additions to the text and add formatting to meet your needs.5. (Optional) Add or remove email template tokens. To remove email template tokens, delete the text and the

square brackets.6. (Optional) Add any translations.7. Click Save.

Related Information

How to add email template tokens [page 227]How to add translated text to email notification templates [page 229]

How to add email template tokens

Email template tokens are placeholders for information provided by the system when the email generated from the template is sent. Information can come from project field values, information about a task or phase, or be generated by the system for the email message itself, such as the recipient’s email address.


Prerequisites

You must be a member of one of the following groups:

● Project Email Templates Administrator● Contract Administrator● Project Administrator● Customer Administrator● A group with the Project Email Templates Administrator role

You must be a member of the Template Creator or Customer Administrator group to edit email templates in survey documents in project templates.

You must be the project owner to edit email templates in survey documents in individual projects, and the event owner to edit email templates in individual sourcing events.

Context

Email template tokens are delimited by square brackets ([ ]). For example, the text [Workspace.Title] is an email template token that the system replaces with the workspace or project title (name) when it sends an email message generated from the email template.


Procedure

1. Open the appropriate email template for editing.2. (Optional) To add the email token to a specific location in the email contents or subject line, add an empty set

of square brackets ([ ]) to the appropriate location.

When you add an email template token in the next step, the system inserts the email template token in the first set of empty square brackets. If there are no empty square brackets, the system places the email template token at the end of the Content or Subject field; you can cut and paste the token to another area after it is inserted.


○ To add an email template token to the subject line, to the right of the Subject field, click Add Email Template Token.

○ To add an email template token to the body of the email, below the Content field, click Add Email Template Token.



The system opens a Choose Content Field or Choose a Subject Field window with folders that contain the email template tokens available for the specific message and area (subject or content).

4. Perform the following actions:

○ Click the expand arrows next to a folder name to display the email template tokens.○ Click the cue tip next to the email template token to display more information.○ Click Select to add the selected email template token.

5. Click OK.

How to add translated text to email notification templates

The translated text added to email notification templates is linked to locales and the system substitutes the translated text when sending email notifications to users in the given locale.

Prerequisites

You must be a member of the Translator or Customer Administrator groups to add translated text to email templates

Procedure

1. Open the appropriate email template for editing.2. Perform one of the following actions:

○ To provide translations of the email subject, below the Subject field, click Translations.○ To provide translations for the email body content, below the Content field, click Translations.

The system opens a page that contains translation fields for each locale available in SAP Ariba solutions.3. Enter your translated text in the field that corresponds to its language..4. Click OK.

Setting up legacy risk assessment projects

NoteThe information in this topic applies to legacy engagement risk assessment projects. While SAP Ariba Supplier Risk continues to support legacy engagement risk assessment projects until further notice, no future enhancements are planned for them. Control-based engagement risk assessment projects include important improvements and will continue to add features. Customers with subscription order forms dated after the SAP


Ariba Supplier Risk October 2018 release who want to use supplier engagement risk assessments must use control-based engagement risk assessment projects.

The legacy risk assessment process [page 230]

Workflow for setting up legacy risk assessment projects [page 231]

Prerequisites for setting up legacy risk assessment projects [page 232]

Working with the legacy risk assessment project template [page 233]

Creating legacy engagement requests and engagement-level risk assessments [page 244]

The legacy risk assessment processRisk assessment projects provide a process for evaluating the risk or desirability of engaging with a supplier or other third-party and establishing the potential risk of that engagement. Your company can then determine whether to undertake the engagement, and if so, whether or not the engagement requires monitoring and what degree of monitoring might be necessary.


Some engagements might not need a risk assessment; others, such as consulting engagements that involve access to confidential information or company networks or facilities, might require stringent risk assessments.

A risk assessment project typically includes four stages:

1. Requesting the engagement and inherent risk assessment: A user in your company who wants to engage with a supplier or other third party requests a new engagement risk assessment by creating an engagement request and filling out the engagement request form. This form typically asks detailed initial questions about the engagement's inherent risk factors both in general and in different risk domains. Depending on its setup, it might or might not ask the requester to specify the supplier or third-party at this stage. Approvers review the engagement request, particularly information related to inherent risk, and approve or deny it.

2. Sending detailed engagement-level risk assessments: Once the engagement request is approved, the governance expert assigned to review the inherent engagement risk sends risk assessments to internal stakeholders and (if applicable) suppliers or other third parties. Before doing so, the governance expert can either specify the engagement's supplier for the first time, or change the supplier specified in the request to a different supplier, depending on the answers in the request. Typically, some of the risk assessments are specific to the inherent risk domains identified in the request, such as IT, finance, or governance. The recipients fill out and submit responses to these risk assessments.

3. Responding to risk assessments: Recipients are notified of the assessments they need to fill out. Internal stakeholders fill out their risk assessments on the engagement page in SAP Ariba Supplier Risk. Supplier contacts fill out risk assessments on Ariba Network for Suppliers.

4. Evaluating and approving risk assessments: Depending on your company's assessments are set up, a residual risk score might be calculated for each assessment based on submitted answers. Approvers evaluate



the answers and the score and approve or deny the risk assessments. If an approver denies at least one of its risk assessments, the engagement is denied. If approvers approve all of the risk assessments, the requester can engage with the supplier or third party to fulfill the engagement's purpose.

A governance expert can send out all of the risk assessments for an engagement at the same time; therefore, no matter how many risk domains are affected by the engagement, or how many experts are specified as assessment recipients, all applicable risk assessments start at the same time. If it becomes apparent that additional assessments are needed, a governance expert can then send them out as required at a later time.

In some cases, an engagement might not require engagement-level risk assessments. If your site is configured to automatically skip assessments for engagements with no recommended assessments, those engagement automatically moves from the approved request to Completed: Assessments skipped automatically status. The governance expert assigned to send out risk assessments can also choose to skip the engagement-level risk assessment process entirely and move the engagement directly from the approved request to Completed: Assessments skipped manually status based on their judgment of the engagement's requirements.

At any time between when the request is submitted and the engagement is completed or canceled, the requester and governance experts can create issues to highlight potential problems or concerns with the engagement as a whole, and then track and resolve them. Requesters and governance experts can also create issues related to specific engagement-level risk assessments at any time between when the first assessments are sent and the engagement is completed. Each issue is a separate project with its own workflow and approvals [page 157] embedded within the supplier risk assessment project.

In solutions that include SAP Ariba Sourcing or SAP Ariba Contracts, the risk assessment project can be made a predecessor to a sourcing or contract project. With this setup, once the engagement is approved, sourcing or contract activities will start.

Your site's risk assessment project template defines:

● The form used for the engagement request and the risk assessments that are available, including their content, scoring, and whether the risk assessments are recommended based on either answers to specific questions about inherent risk in the request or the request's overall inherent risk score or rating. The content of the engagement request also determines whether the requester can (or is required to) specify the supplier at that stage.

● Who is responsible for approving the engagement request and each risk assessment.

Workflow for setting up legacy risk assessment projects


The following steps describe how to set up risk assessment projects in your site:

1. Make sure that SAP Ariba has set the parameters Application.ACM.PhaseAutoStart and Application.ACM.PhaseAutoComplete to Yes in your site and has run the MigrateSRIssueWorkspaceTask scheduled task to add the issue management project template to it.


2. Assign users to the appropriate user groups to grant them permission to work with risk assessment projects.3. Import the master data that will be used in your risk assessment process (for example, internal users,

commodities, regions, and departments) into your site using the data import tasks in Ariba Administrator.4. Import supplier contacts for your suppliers or third parties using the data import task in SM Administration.5. Set up the risk assessment project template:

○ Plan the process you want to implement.○ Create a new version of your site's default template [page 86].○ Edit or create survey documents [page 244] to set up the engagement request and engagement-level risk

assessments.○ Set up project groups and team members [page 192].○ Edit or add phases, To Do tasks, and approval tasks [page 240] to set up your risk assessment project

workflow.○ Edit the approval flows in the approval tasks [page 204] to include the correct stakeholders as approvers

for each survey document, or to use ad hoc approvers.6. Repeat these steps to set up the issue management project template [page 155].7. (Optional)Customize project and task notifications for internal stakeholders [page 219] and assessment

invitations for external suppliers [page 226].

Prerequisites for setting up legacy risk assessment projects

Setting up the prerequisites for risk assessment projects in your site ensures that they function properly.


When you set up risk assessment projects in your site, keep in mind the following prerequisites:

● None of the supplier or third-party engagement risk assessment features, including the ability to create engagement requests, work until you have set up and published [page 86] the risk assessment project template in your site.

● Users must have the appropriate group memberships [page 9] to configure, create, and manage risk assessment projects.

● Your risk assessment project setup might require the following types of data imports:○ Internal users, which a customer administrator can import as master data or create manually in Ariba

Administrator.○ Master data such as commodities, regions, or departments, if your risk assessment project template uses

any of those types of data as answers for any of its survey questions.○ Supplier contact data [page 31], if your risk assessment project templates includes any supplier-facing risk

assessments. External assessments can only be sent to suppliers that have at least one supplier contact associated with them. Users can also manually add supplier contacts in a supplier's 360° profile.



For more information about importing supplier-related data, see . For more information about importing site-wide master data and creating internal users in Ariba Administrator, see the Common data import and administration guide for Rozwiązania SAP Ariba Strategic Sourcing and Supplier Management.

● Make sure that the parameters Application.ACM.PhaseAutoStart and Application.ACM.PhaseAutoComplete are set to Yes, the default setting, in your site. SAP Ariba Customer Support sets those parameters for you, and they should have the default setting unless you previously requested a change. For details on these configuration parameters, see Site configuration parameters for engagement risk assessment projects [page 266].

● The issue management project template must be present in your site's Templates set up and published [page 86] in your site. The issue management project template is not present after initial site deployment; SAP Ariba Customer Support must run the MigrateSRIssueWorkspaceTask scheduled task to add it to your site.

NotePrevious functionality for managing risk assessment issues without issue management projects is no longer supported. To use issues in engagement risk assessment projects, the issue management project template must be published in your site.

Related Information

Legacy risk assessment project limitations [page 239]

Working with the legacy risk assessment project template


Understanding the legacy risk assessment project template [page 234]

Do's and don'ts for legacy risk assessment project templates [page 235]

Best practices and helpful hints for the legacy risk assessment project template [page 237]

Legacy risk assessment project limitations [page 239]

Setting up the legacy risk assessment project workflow [page 240]


Understanding the legacy risk assessment project template

SAP Ariba Supplier Risk uses an SAP Ariba project template with some special characteristics to define the risk assessment process.


There is only one risk assessment template in a site, the Engagement Risk Assessment Project Template. This template defines all risk assessment projects in the site. Template upgrade for these projects is not supported, so when you edit a template, only projects created after that new template version is published reflect those changes. It is important to define your entire risk assessment process carefully during the initial template implementation so that you only need to make minor adjustments after users in your site start creating projects from it.

Risk assessment projects are centered around the following elements:

● Forms and questionnaires: the risk assessment process is initiated by an engagement request, which solicits information about the inherent risks of engaging with a supplier or third-party and starts the evaluation process. Therefore, the risk assessment template project includes a default survey document, which forms the basis of the engagement request form. You can add other survey documents to the template to create additional engagement-level risk assessment questionnaires for suppliers and internal stakeholders.

● Grading and risk score calculation: you can specify target grades, pre-grades, and weights for questions in template survey documents. Risk assessment projects use these grades and weights to calculate residual risk scores for engagement-level risk assessment questionnaires.

● To Do and approval tasks: the risk assessment project template includes a default approval task on the default engagement request survey document. You can add approval tasks to additional survey documents, as well as To Do tasks, and organize them into phases to define the order in which project questionnaires are sent, evaluated, and approved. You define approval flows in approval tasks, and you can add stakeholders to approval flows based on project conditions.

● Project teams: you can use team member rules to add specific users to project groups based on certain conditions, and add project groups to approval flows for project survey documents.

The risk assessment project template functions in much the same way as project templates in other SAP Ariba solutions: it has documents, tasks, project teams, and so forth. However, the way users experience projects created from this template is very different.

Most users who participate in risk assessment projects do not see the classic project interface with its tabs for documents, tasks, team, and so forth. Instead, they work in individual supplier 360° views and on the Supplier Risk dashboard, where task owners send engagement-level risk assessments to various stakeholders, review answers, and complete tasks. Project owners do not manage the project's team, upload additional documents, or perform other activities associated with the classic project interface in other types of SAP Ariba projects.

Members of the Supplier Risk Engagement Governance Analyst do see an Advanced View link on the engagement page, which allows them to access the classic project interface.



CautionBecause risk assessment projects follow a specialized workflow, and users interact with them through a specialized user interface, there are specific project elements that risk assessment project templates do and don't support. It is important to follow the guidelines [page 235] and best practices [page 237] for these templates when setting them up.

For a complete description of SAP Ariba project features and functionality, see the Project template guide (for information specific to project templates) and Managing projects, teams, documents, and tasks (for information that is general to both projects and their templates). Keep in mind that this information is geared towards general SAP Ariba projects and that risk assessment projects support a very specific and limited set of that functionality [page 235].

Do's and don'ts for legacy risk assessment project templates

Risk assessment projects follow a specialized workflow, and users interact with them through a specialized user interface. There are specific SAP Ariba project elements that risk assessment project templates do and don't support.


Documents

For template documents, do:

● Use the default survey document deployed with the project template to create the engagement request.● Add an additional survey document for each engagement-level risk assessment questionnaire you plan to use.

Don't:

● Add any other type of document to the template besides surveys. You can display supporting documents to users within engagement requests and risk assessments by adding attachment content to project survey documents.

● Add empty survey documents to the template. Each template survey document must contain at least one piece of content.

● Place those survey documents in folders. All of the template's survey documents must be added directly to the top level of the Documents tab. Risk assessment projects do not detect or use survey documents in folders.

● Apply conditions to template survey documents to attempt to show or hide them based on circumstances. Conditions on risk assessment project template survey documents are not supported. Within the survey


documents themselves, however, you can use visibility conditions to show or hide pieces of content based on answers to questions.

● Publish the survey documents in the template. Instead, simply publish the new template version to activate your changes to the template's documents.

Phases and tasks

The risk assessment project template requires a very specific configuration of phases and tasks [page 240] to support its workflow. For template phases and tasks, do:

● Create four phases, one for each stage of the risk assessment process.● Add an associated To Do task for each engagement-level risk assessment survey document (but not the

engagement request survey document). These To Do tasks ensure that external assessments are sent to suppliers and that internal recipients can edit internal assessments to submit answers.

● Make sure that all template survey documents have associated approval tasks. (If you want to allow governance experts to specify ad hoc approvers for individual survey documentss in individual projects, rather than using a template-defined approval flow, you can create an empty approval flow [page 205] to do so. However, the task itself must be present.)

● Make sure that the approval task on the engagement request survey document is the first task to trigger in the entire project. This positioning is what defines that survey as the form that users fill out after choosing

Create Engagement Request on the dashboard, and defines the other template survey documents as additional internal or external risk assessments. The template survey document with the first approval task is always treated as the engagement request. If you want to move straight from the request to the engagement-level risk assessment stage without a manual approval, set the task to auto-approve, but maintain its position.

Don't:

● Create any additional phases besides the four phases that define the engagement risk assessment process.● Make any of those four phases recurring. Engagement risk assessment projects do not support recurring

phases.● Add any other types of tasks to the template besides To Do and approval tasks. Engagement risk assessment

projects do not support any other task types.● Add a To Do task to the engagement request survey document. To Do tasks for engagement requests are not

supported.● Add more than one To Do task to the risk assessment questionnaire survey documents.● Make any of the four phases that define the engagement risk assessment project predecessors of another

phase, or of any of the project's To Do or approval tasks. Tasks in these projects can have other tasks as predecessors, but not phases.

Related Information

Best practices and helpful hints for the legacy risk assessment project template [page 237]Legacy risk assessment project limitations [page 239]Understanding the legacy risk assessment project template [page 234]



Using visibility conditions to show or hide content based on answers [page 183]

Best practices and helpful hints for the legacy risk assessment project template


The following are best practices and helpful hints for the risk assessment project template.

Documents

● Create separate engagement-level risk assessment questionnaires to ask detailed questions about specific risk levels and domains. If you set up the engagement request with questions that solicit initial information about inherent risk in those domains and at those levels, you can make the detailed risk assessments recommended [page 258] based on answers to those questions.

● Internal users cannot edit supplier-facing risk assessment questionnaires. Only add internal-facing (visible to participants) content to supplier-facing assessments if you want to passively display it to internal users when they review supplier answers.

● By default, risk assessment projects created from the template are all named "<Name of engagement request survey document> by <name of requester>." To assign a specific name to each individual engagement request. create a question in the request that asks for the engagement name, with answer type Text (single line) or Text (single line limited), and enter project.Title in the Supplier Field Mapping field. With this configuration, the name that the requester specifies as an answer to this name question becomes the name of the engagement request and the risk assessment project. SAP Ariba strongly recommends this step because it makes it easier for users to differentiate between engagement requests created by the same requester on sight.

● You do not have to add a question for the supplier to the engagement request. The governance expert who sends out the engagement-level risk assessments after the request is approved can either specify the supplier at that time, or change the supplier specified in the request to a different supplier. Risk assessment projects do not need to be associated with a supplier at all. However, if you do ask for the supplier in the request, use the Supplier answer type and enter matrix.Suppliers in the Supplier Field Mapping field. Users answer this question by choosing a supplier or third party from your supplier database, and this answer configuration connects the risk assessment project to the supplier and its contacts.

● If you need to create project-level conditions based on an engagement's commodity, region, or department/line of business (for example, so that you can create a conditional approval flow), make sure that you add questions about these specific types of data to the engagement request using the following settings:○ For a commodity question, use the Commodity answer type and enter matrix.Categories in the

Supplier Field Mapping field.


○ For a region question, use the Region answer type and enter matrix.Regions in the Supplier Field Mapping field.

○ For a department question, use the Department answer type and enter matrix.Departments in the Supplier Field Mapping field.

In addition, make these questions required.A risk assessment project is created from the template when a user submits the engagement request. This configuration serves two purposes. First, it ensures that those questions are tied to the commodity, region, and department master data in your site, and that users choose answers from that data. Second, it ensures that the questions are connected to the Commodity, Region, and Department attributes in the risk assessment project that is created when the engagement request is submitted. You can only create project-level conditions based on project attributes, and with this configuration, the answers in the engagement request will trigger those project-level conditions.

● When a user is filling out the engagement request or assessment questionnaire, every time they provide an answer that triggers a visibility condition, the underlying survey document must retrieve the newly visible content from the server. Be aware that your use of visibility conditions can affect request or assessment performance, and make sure that you use them in situations where they are genuinely helpful or necessary.For example, if you simply want to add a text question after another question to ask a respondent to explain or expand on a specific answer, you do not necessarily need to hide that follow-up question with a visibility condition. You can give the question a title that includes the specific answer ("If you answered No, please explain why"), and respondents who provided a different answer can skip the question. On the other hand, if you have a question or a set of questions that only applies to a specific region, commodity, supplier certification, or other answer, visibility conditions are a good way of hiding irrelevant content from respondents who don't provide that answer. They are also useful if you have multiple different follow-up questions for different answers to the same question.

● If you want a question in an engagement-level risk assessment to contribute to the assessment's risk score, make sure that it has either a defined or quantifiable answer so that you can pre-grade it [page 247]. Examples of questions with defined answers include multiple choice and Yes/No questions. Examples of questions with quantifiable answers include Whole Number, Money, and Date.

● Users can run reports on engagement risk assessments. Just like project conditions, the filters they can use to filter report results are based on questions with master data answer types that are mapped to matrix fields in the engagement request. The four master data answer types that can be used as report filters are Commodity, Region, Department, and User. Map those questions to matrix.Categories, matrix.Regions, matrix.Departments, and matrix.Users respectively. For example, if you have a question in the engagement request that asks about the department involved with the engagement, and you use the Department answer type and map the question to matrix.Departments, users who run reports on engagements in your site see department information in the report and filter its data by the departments involved in the engagements.

Tasks and phases

● Each survey document in the template requires an approval task. If you do not want to require approval, you can set it to auto-approve. If you want to allow a governance expert to specify the approvers, leave the approval flow empty [page 205].

● You can add multiple approval tasks, chained together as predecessors, to the engagement request, and apply conditions to those tasks, as long as at least one approval task active in every possible conditional scenario. However, setting up conditional approval rules within a single approval task can be more efficient and less error-prone.



Team members

The user who creates the engagement request is always the project owner of the risk assessment project. To ensure that the user who created the request does not have permission to approve any aspects of the risk assessment project, make sure to set up approval flows so that the Project Owner group is not in them.

Related Information

Understanding the legacy risk assessment project template [page 234]Do's and don'ts for legacy risk assessment project templates [page 235]Legacy risk assessment project limitations [page 239]Using approval rule conditions [page 213]How to create or edit approval rules [page 206]

Legacy risk assessment project limitations


Risk assessment projects have the following limitations:

● They do not currently support template upgrade, meaning that once a project is created from a published template version, any updates you make to the template in subsequent versions are not applied to it. Updates are only applied to new projects created after the updated template version is published.

● They only support the use of survey documents, and of To Do and approval tasks. They do not support any other document or task types.

● Unlike other SAP Ariba project types, at this time, approvers in risk assessment projects cannot edit approval tasks with defined approval flows to add additional approvers. Risk assessment projects do support allowing users in the Supplier Risk Engagement Governance Analyst group to add approvers if the task has no approval flow defined in the project template.

Related Information

Do's and don'ts for legacy risk assessment project templates [page 235]Best practices and helpful hints for the legacy risk assessment project template [page 237]


Setting up the legacy risk assessment project workflow

The risk assessment project workflow is defined by a specific pattern of phases and tasks on the Tasks tab of the project template.


To set up the risk assessment project workflow, you create four separate phases and add tasks to them, using special settings that define their position in the workflow. They are:

● Engagement Request [page 240]● Send Assessments [page 241]● Awaiting for Assessments [page 242]● Assessments Approval [page 244]

NoteThe risk assessment project template only supports the use of phases and approval and To Do tasks in this specific configuration. It is important to follow both the do's and don'ts [page 235] and best practices [page 237] for the risk assessment project template while setting up the phases and tasks that define its workflow.

For detailed information working with phases and approval and To Do tasks, see the Project Template Guide and Managing projects, teams, documents, and tasks.

Phase 1: Engagement Request

Create the first phase, checking the Engagement Request option.

Move the default approval task on the engagement request survey document into this phase and set up the approval flow. This approval task must be the first approval task in the entire risk assessment project workflow; that position associates its survey document with the engagement request, which users create using the Create menu on the dashboard.

Do not add any To Do tasks to this phase.

If your site is configured to automatically skip assessments for engagements with no recommended assessments, when this condition is met, none of the tasks in phases 2, 3, or 4 start and the engagement moves automatically to Completed: Assessments skipped automatically status.



Phase 2: Send Assessments

Create the second phase, checking the Send Assessments option. Do not specify phase 1 as the predecessor for this phase; you define predecessors at the task level. This phase will start automatically when the engagement request approval task in phase 1 is completed.

Add a To Do task to this phase, name it Send Assessments, and specify the following settings for it:

For this setting... Specify...

Owner The default setting, Project Owner. This setting has no effect. Regardless of the task owner you specify, the Supplier Risk Engagement Governance Analyst user group is always the owner of this task. Members of this group are the only users who have permission to send engagement-level risk assessments.

Title A brief, descriptive title that will tell the task owner what starting the task will do; for example, Send Assessment Questionnaires. This title is displayed on the engagement page where the task owner starts the task, as well as in notifi-cations.

Observers Task observers, who can perform the same functions as task owners but do not see the tasks in the My Tasks area. This setting has no effect.

Due Date A due date for sending assessments. This due date is the number of days after phase 2 (the parent phase) starts, and phase 2 starts when the engagement request approval task in phase 1 is completed. In the Notifications area of the task page, you can set up the task notification profile to issue reminders as the due date approaches and after it has elapsed. You do not have to set a due date for this task if you do not want to enforce a specific time line for sending out assessments.

Is Milestone No. The supplier risk engagement page does not indicate which tasks are milestones, so this setting is unnecessary.

Required Yes. The supplier risk engagement process cannot move past the request stage until the task owner completes this task.

Rank Use default values for this setting. It has no effect on this task's behavior.

Allow auto complete No. A user must always manually choose which assessments to send and specify recipients, or manually skip sending assessments, so do not set this task to auto-complete.



Predecessors The approval task for the engagement request in phase 1. This setting is required.

Start When Dependencies Complete Leave this setting unchecked. It does not apply to To Do tasks in risk assessment projects.

Conditions Do not apply project-level conditions to this task.

Field Settings Ignore this setting. It does not apply to To Do tasks in risk assessment projects.

CautionYou must name this task Send Assessments for it to work properly. It will not work properly if you vary the name of the task at all.

After the final approval of the engagement request, this task starts. A member of the Supplier Risk Engagement Governance Analyst user group views the engagement and sees this task for sending engagement-level risk assessments with a Start button to its right. Clicking the Start button opens the page where they either choose which assessments to send and specify recipients, or choose to skip sending assessments. Clicking Send assessments or Skip assessments completes this task. If the governance expert manually skips sending assessments in this phase, none of the tasks in phase 3 or phase 4 start or can be completed and the risk assessment project moves directly to Completed: assessments skipped manually status.

Phase 3: Awaiting for Assessments

Create the third phase, checking the Awaiting for Assessments option. Do not specify phase 2 as the predecessor for this phase; you define predecessors at the task level. This phase will start automatically when the To Do task for sending assessments in phase 2 is completed by the governance expert choosing to send the engagement-level risk assessments.

Create a To Do task for each assessment survey document and, on the Tasks tab, drag and drop it into this phase. Specify the following settings for them:


Owner The default setting, Project Owner. This setting has no effect. For To Do tasks in this phase, ownership is automatically assigned to the recipient of the associated internal assessment survey document. For external (supplier-facing) assessment survey documents, the associated To Do task does not have an explicit owner.




Title For To Do tasks on internal assessment survey documents, a brief, descriptive title that will tell the task owner what starting the task will do. For example, if the To Do task is on a survey named IT Security Assessment Assessment, you might name the task Complete IT Security Assessment . This title is displayed on the engagement page where the owner starts the task, as well as in notifica-tions.

To Do tasks on external (supplier-facing) assessment survey documents are not displayed on the engagement page. However, including the name of the associated survey document in the task name is helpful in tracking the tasks in the template.

Observers Task observers, who can perform the same functions as task owners but do not see the tasks in the My Tasks area. This setting has no effect.

Due Date For To Do tasks on internal assessment survey documents, a due date for completing the questionnaire. This due date is the number of days after phase 3 (the parent phase) starts, and phase 3 starts when a user sends the assessment, completing the To Do task in phase 2. In the Notifications area of the task page, you can set up the task notification profile to issue reminders as the due date approaches and after it has elapsed. You do not have to set a due date for this task if you do not want to enforce a specific timeline for completing the questionnaire.

For To Do tasks on external (supplier-facing) assessments, this setting has no effect.

Is Milestone No. The engagement page does not indicate which tasks are milestones, so this setting is unnecessary.

Required Yes. The risk assessment project cannot move past this stage until all assessment recipients submit answers.

Rank Use default values for this setting. It has no effect on this task's behavior.

Allow auto complete No. Recipients can only fill out and submit assessments if the task requires manual completion.

Repeat for Each Document Draft No. Assessment survey documents do not have multiple drafts.

Predecessors The To Do task for sending assessments in phase 2. This setting is required.



Start When Dependencies Complete Leave this setting unchecked. It does not apply to To Do tasks in risk assessment projects.

Conditions Do not apply project-level conditions to this task.

Field Settings Ignore this setting. It does not apply to To Do tasks in risk assessment projects.

After a user sends the selected risk assessments, completing the To Do task in phase 2, the To Do tasks for the selected assessments only in this phase automatically start.

For external (supplier-facing) assessments, the supplier contact logs into Ariba Network for Suppliers and submits answers. Submitting the assessment automatically completes the associated To Do task.

For internal assessments, the recipient automatically becomes the owner of the associated To Do tasks, and receives all notifications for it. The recipient views the engagement and sees this task with a Start button to its right. Clicking the Start button opens the assessment in edit mode. Submitting the assessment automatically completes the associated To Do task.

Phase 4: Assessments Approval

Create the fourth phase, checking the Assessments Approval option. Do not need to specify phase 3 as the predecessor for this phase; you define predecessors at the task level.

Create an approval task for each engagement-level risk assessment survey document. Make the To Do task on the survey document in phase 3 the predecessor of the approval task on the same document and set up the approval flow. On the Tasks tab, drag and drop these approval tasks into this phase.

This phase starts automatically when the first predecessor To Do task on a survey document in phase 3 is completed, starting the approval task on the same survey document in this phase. The phase closes when the final approval task for the assessments sent in phase 2 is completed.

Related Information

Topics about setting up supplier form and questionnaire approvals [page 204]

Creating legacy engagement requests and engagement-level risk assessments

Risk assessment projects use template survey documents of type form or questionnaire for the engagement request and subsequent engagement-level risk assessments.




Using the legacy engagement request and engagement-level risk assessments to identify risk [page 245]

Topics about adding scoring to legacy engagement requests and risk assessments [page 246]

How to recommend a legacy engagement-level risk assessment based on an answer in the legacy engagement request [page 258]

How to recommend a legacy engagement-level risk assessment based on the legacy engagement request's inherent risk rating [page 260]

Using the legacy engagement request and engagement-level risk assessments to identify risk

Risk assessment projects use template survey documents of type form or questionnaire for the engagement request and subsequent engagement-level risk assessments. These documents are designed to work together to identify initial inherent risk factors and then solicit more detailed information.


A user who wants to engage with a supplier or third party fills out and submits an engagement request. In the typical risk assessment project workflow, the engagement request solicits two types of information:

● Basic information about the engagement, such as the commodity or service and region of the engagement, any supplier or third party's name, estimated cost, and the engagement's purpose.

● The inherent risk of the engagement. Inherent risk is any characteristic of the engagement that might expose your company to adverse effects. Examples of inherent risk factors include the engagement's potential impact on critical business functions and whether or not it requires supplier or third-party access to confidential company information, physical facilities, or computer networks.

Inherent risk can have different levels and typically falls into different domains: IT, corporate governance, legal, finance, and so on.

Engagement-level risk assessments follow up on the answers in the engagement request that indicate inherent risk. The risk assessments solicit detailed information about those inherent risks. You can make assessments recommended [page 258] based on answers to questions in the request. In the risk assessment project workflow,


engagement-level risk assessments are designed to be targeted to specific domains and levels of risk. Therefore, while the risk assessment project template can have only one survey document for the engagement request, you can create any number of survey documents for the subsequent risk assessments, each one designed to follow up on an answer in the request that exposes an inherent risk in a different domain or level. You can then route their approvals to the stakeholders who are in the best position to analyze the specific risk factors in each risk assessment's domain.

Related Information

Topics about setting up supplier form and questionnaire approvals [page 204]

Topics about adding scoring to legacy engagement requests and risk assessments


Adding scoring to legacy engagement requests and risk assessments [page 246]

Pre-grades for legacy engagement requests and engagement-level risk assessments [page 247]

Topics about adding percentage-based scoring to legacy engagement requests and engagement-level risk assessments [page 251]

How to add point-based scoring to legacy engagement requests and engagement-level risk assessments [page 257]

Adding scoring to legacy engagement requests and risk assessments

Risk assessment projects can include an inherent risk score for the engagement request and a residual risk score for each engagement-level risk assessment based on the respondent's answers. If a score does not meet the target grade, it is considered high risk.





You set up scoring for the engagement request and engagement-level risk assessments in their template survey documents. Scores are calculated using pre-grade values for each answer to a question and can be calculated as either a total number of points or a percentage [page 119].

Scoring in the engagement request can not only highlight an engagement's inherent risk, but also drive recommendations for assessments. You can set up these recommendations by either using the engagement request score itself or by defining risk ratings that correspond to a range of scores and then using the ratings to drive assessment recommendations. For details, see How to recommend a legacy engagement-level risk assessment based on the legacy engagement request's inherent risk rating [page 260].

Scoring in engagement-level risk assessments highlights the assessments that are considered high risk for approvers. Engagement-level risk assessments with a percentage score below their target percentages are flagged as high risk in the user interface and in reports. Since point-based scores do not have a target, they are not flagged as high risk.

Related Information

Weight and importance in percentage-based scoring in legacy engagement requests and engagement-level risk assessments [page 252]Pre-grades for legacy engagement requests and engagement-level risk assessments [page 247]Example: How weight, importance, and pre-grades work together in percentage-based risk questionnaire scoring in legacy engagement requests and engagement-level risk assessments [page 253]How to add percentage-based scoring to legacy engagement requests and engagement-level risk assessments [page 255]How to recommend a legacy engagement-level risk assessment based on the legacy engagement request's inherent risk rating [page 260]Point-based scoring versus percentage-based scoring [page 119]How to add point-based scoring to legacy engagement requests and engagement-level risk assessments [page 257]

Pre-grades for legacy engagement requests and engagement-level risk assessments

The pre-grade assigned to the respondent's answer specifies how many points the answer contributes to the overall score for the engagement request or engagement-level risk assessment.




Pre-grades allow you to assign grades to each possible answer to a question.

In percentage-based scoring, pre-grades are always percentage values between 0 and 100, with 0 being the lowest and 100 being the highest grade. They specify the percentage of the question's available scoring points each answer earns, and that question-level scoring point calculation rolls up into the overall calculation of the request or assessment's score based on the question's importance and its section's weight.

In point-based scoring, pre-grades are always point values, which add up to the request or assessment's score.

You can only pre-grade questions that have defined or quantifiable answers.

Questions with defined answers include multiple choice and Yes/No questions. For example, you cannot pre-grade a question of type Text (single line limited) with no defined acceptable answers because a respondent can answer with any possible text, and there is no way to quantify and grade such an answer. However, if you set the Acceptable Values option to List of Choices for the question, so that the respondent must choose from a set of pre-defined answers, you can pre-grade each answer. Yes/No questions automatically include two defined answers: yes and no.

Questions with quantifiable answers include Number, Money, and Date. Answers to these questions are numerical quantities that can be calculated or, in the case of dates, counted.

The following sections include information and considerations about pre-grading questions with specific answer types:

● Pre-grading Yes/No and multiple choice questions [page 248]● Pre-grading number and date questions [page 249]

Pre-grading Yes/No and multiple choice questions

Pre-graded Yes/No and multiple choice questions are graded based on the values you specify for each answer.

For example, you can assign a grade of 100% or 10 points to a Yes answer and 0% or 0 points to a No answer for a Yes/No question. A Yes answer then receives a grade of 100% or 10 points, while a No answer receives a grade of 0% or 0 points.

NoteFor multiple choice questions:

● If you set the Allow participants to specify other value? option to Yes, answers supplied be respondents cannot be pre-graded and therefore are not included in the scoring.

● If you set the Allow participants to select multiple values? option to Yes, the grade assigned to each answer the respondent selects is included in the scoring, and in percentage-based scoring might contribute to a total score of over 100%.



Pre-grading number and date questions

Since questions that require numerical answers can receive answers that span a range of values, you pre-grade them using three values: From (a minimum possible value), To (a maximum possible value), and Ideal (your preferred value). A calculation assigns a grade to the answer based on its position relative to those values, starting at 0% or 0 points for the From value, climbing to 100% or the maximum number of points for the Ideal value, and descending again to 0% or 0 points for the To value. Answers that fall outside the range you define are assigned a grade of 0% or 0 points.

When pre-grading number and answer questions, keep these points in mind:

● The Ideal value must be a number or date between the To and From values.● Negative numbers produce no special behavior. For example, assigning From = -5, Ideal = 1, and To = 10

results in a pre-grade of 0% or 0 points for -5, which ramps up to 100% or the maximum number of points for 1, and drops back down to 0% or 0 points at 10.

● It is important to determine the range of likely answers to your question as accurately as possible and set the To and From values accordingly. If the To and From values are set too closely together, then it increases the likelihood that more answers will fall outside of the range and be assigned a grade of 0% or 0 points. If they are set too far apart, a great many answers might qualify as nearer your ideal value than is accurate, rendering your results less useful.

You can assign numeric values to all, one, or a combination of From, To, and Ideal values, depending on the results you are trying to achieve:

Assign these values... If...

From, To, and Ideal You want to favor answers that are neither too great nor too small.

For example, suppose your company prefers to handle short engagements in-house on an ad-hoc basis because they are likely to be relatively straightforward, and also prefers that engagements longer than 20 weeks be handled in-house because they are likely to involve long-term planning and strategy initiatives. In this case, you might assign From = 0, To= 20, and Ideal = 10. These pre-grades favor engagements that are too involved to be handled in-house on an ad-hoc basis, but are not long enough to justify long-term investment.

With these pre-grades, an answer of 0 receives a grade of 0% or 0 points; an answer of 20 receives a grade of 0% or 0 points; and an answer of 10 receives a grade of 100% or the maximum number of points.



From and Ideal, but not To You do not want to place a restriction on the maximum value a respondent can provide to a question.

For example, suppose your company considers IT engagements that last less than 2 weeks marginal in terms of effort, and considers 6 weeks to be the minimum amount of time an engagement should last to justify the overhead. In this case, you might assign From = 2 Ideal=6, and no value to To.

With these pre-grades, answers of 2 weeks or less receive grades of 0% or 0 points, and answers of 6 weeks or more receive grades of 100% or the maximum number of points.

Ideal and To, but not From You do not want to place a restriction on the minimum value a respondent can provide to a question.

For example, suppose your company policy is that any engagement that is projected to last more than 20 weeks should be brought in-house, and that 6 weeks is the ideal length for an engagement. In this case, you might assign no value to From, Ideal=6, and To=20.

With these pre-grades, answers of 20 weeks or more receive a grade of 0% or 0 points, and answer of 6 weeks or less receive grades of 100% or the maximum number of points.

Only Ideal You want to solicit a single specific answer.

For example, suppose there is an IT certification with numbered types between 1 and 7 and your company considers a level-5 certification valuable but does not care about the other levels. In this case, you might assign Ideal=5 and no values to From and To.

With this pre-grade, an answer of 5 receives a grade of 100% and all other answers receive grades of 0% or 0 points.

Only From You have a specific maximum threshold value that you require after which a greater answer does not add value for you.

For example, suppose your company wants engagements to be a minimum of two weeks long, but does not set a limit on their length. In this case, you might assign From=2.

With this pre-grade, an answer of 1 receives a grade of 0% or 0 points, and answers of 2 or higher receive grades of 100% or the maximum number of points.




Only To You have a specific minimum threshold value that you require, after which a lesser answer does not add value.

For example, suppose your company considers engagements that might require more than $150,000 in potential additional costs problematic. In this case, you might assign To=150000.

With this pre-grade, an answer of 150000 or greater receives a grade of 0% or 0 points and any answer up to 150000 receives a grade of 100% or the maximum number of points.

Related Information

Weight and importance in percentage-based scoring in legacy engagement requests and engagement-level risk assessments [page 252]Example: How weight, importance, and pre-grades work together in percentage-based risk questionnaire scoring in legacy engagement requests and engagement-level risk assessments [page 253]How to add percentage-based scoring to legacy engagement requests and engagement-level risk assessments [page 255]How to add point-based scoring to legacy engagement requests and engagement-level risk assessments [page 257]

Topics about adding percentage-based scoring to legacy engagement requests and engagement-level risk assessments


Weight and importance in percentage-based scoring in legacy engagement requests and engagement-level risk assessments [page 252]

Example: How weight, importance, and pre-grades work together in percentage-based risk questionnaire scoring in legacy engagement requests and engagement-level risk assessments [page 253]

How to add percentage-based scoring to legacy engagement requests and engagement-level risk assessments [page 255]


Weight and importance in percentage-based scoring in legacy engagement requests and engagement-level risk assessments

Weight and importance are two different types of scoring points. Together, they are used to calculate the percentage-based scores for engagement requests and engagement-level risk assessments.


In risk assessment project template survey documents, percentage-based scoring uses weight and importance in scoring. Weight is the relative level of importance for a section of content. The total of the weights you assign to the sections in an assessment is the maximum number of scoring points available for all content in the assessment.

Importance is the relative level of importance for individual questions, and is always a number between 1-10, with 10 being the most important. If you assign an importance of 0 to a question, its answer is not used to calculate the assessment's score.

The Overall % field shows how individual question importance and section weight combine to contribute to the overall residual risk score of the assessment. The overall percentage for a question is calculated as follows:

Overall % = (importance points for question / total importance points for section) * overall % of section

TipThe values you assign as section weights can be any numbers, but using numbers that add up to a total of 100 available scoring points makes it easier to determine how your weight and importance settings contribute to the scoring. Since assessment residual risk scores are shown as a percentage of the maximum available points, using weight numbers that add up to 100 also make it easier to see how different section scores translate into the overall score.

Related Information

Pre-grades for legacy engagement requests and engagement-level risk assessments [page 247]Example: How weight, importance, and pre-grades work together in percentage-based risk questionnaire scoring in legacy engagement requests and engagement-level risk assessments [page 253]How to add percentage-based scoring to legacy engagement requests and engagement-level risk assessments [page 255]



Example: How weight, importance, and pre-grades work together in percentage-based risk questionnaire scoring in legacy engagement requests and engagement-level risk assessments

In percentage-based scoring, weight and importance combine to determine the total potential scoring points for each question and section in an engagement request or engagement-level risk assessment. Pre-grades define the percentage of the total scoring points each answer earns in the questionnaire.


The following table shows an example of how question importance points and section weight points combine to determine the maximum potential points for each question and how each question and section's points contribute to the assessment's maximum potential points (overall %).

Name Weight Importance Overall %

Section 1 30 30/100 = 30%

Question 1.1 5 (5 / 15) * 30% = 10%

Question 1.2 10 (10 / 15) * 30% = 20%


15

Section 2 70 70/100 = 70%

Question 2.1 5 (5 / 15) * 70% = 23.3%

Question 2.2 10 (10/15) * 70% = 46.7%


15


The following table shows how pre-grades determine the actual points assigned to questions and sections in an individual questionnaire:

Name Pre-grade for answer given Weight or importance points Exposure

Section 1 30 (13 / 15) * 30 = 26


Name Pre-grade for answer given Weight or importance points Exposure

Question 1 80 5 5 * 80% = 4

Question 2 90 10 10 * 90% = 9

Section 2 70 (10 / 15) * 70 = 41

Question 2.1 100 5 5 * 100% = 5

Question 2.2 50 10 10 * 50% = 5

Assessment total 30 + 70 = 100 26 + 41 = 67

The risk score for each section is calculated using the following formula:

Section score = (total of question scores / total of question importance points) * section weight points

In this example, note that Question 2.2 has high importance; therefore, when a respondent provides an answer with a pre-grade of 50%, that answer deducts a large number of points from the available total for the question. Since its section is also weighted heavily, the answer also deducts a large number of points from the section score. There is a maximum of 100 points for the assessment, and a total score of 67 points corresponds to a residual risk score of 67% for the questionnaire.

Whether or not an engagement-level risk assessment is considered high risk depends on the Target % total value you specify for all content. If the assessment's residual risk score falls below the Target %, the questionnaire is flagged as high risk in the user interface; if the risk score falls above the Target %, the assessment is not considered high risk.

Whether or not an engagement request is considered high risk depends on the risk ratings configured for your site. You can use either the inherent risk score itself, or an associated risk rating, to drive assessment recommendations based on the engagement request's score; see How to recommend a legacy engagement-level risk assessment based on the legacy engagement request's inherent risk rating [page 260] for details.

Related Information

Weight and importance in percentage-based scoring in legacy engagement requests and engagement-level risk assessments [page 252]Pre-grades for legacy engagement requests and engagement-level risk assessments [page 247]How to add percentage-based scoring to legacy engagement requests and engagement-level risk assessments [page 255]



How to add percentage-based scoring to legacy engagement requests and engagement-level risk assessments

Adding a target percentage, weights to sections, importance to questions, and pre-grades to questions with defined or quantifiable answers allows SAP Ariba Supplier Risk to calculate percentage-based inherent risk scores for engagement requests and residual risk scores for engagement-level risk assessments.

Prerequisites


You must be a member of the Supplier Risk Manager, Customer Administrator, or Template Creator group to create or edit survey documents in the risk assessment project template.


Procedure

1. In the Content area of the survey document, from the Display dropdown menu, choose Percentage Based Scoring.

The Content area displays scoring-related fields.2. At the top of the content table, enter the Target % that defines the threshold below which an assessment is

considered high risk.

Any engagement-level risk assessment with a percentage score (defined as the number of points earned by the answers divided by the maximum potential points) below the Target % is considered high risk.

3. Specify a Weight value [page 252] for each section you want to contribute to the assessment's scoring calculation. Sections with a weight of 0 do not contribute to assessment scores.

TipThe values you assign as section weights can be any numbers, but using numbers that add up to a total of 100 available scoring points makes it easier to determine how your weight and importance settings contribute to the overall scoring calculation.

4. Specify an Importance value [page 252] of 1-10 for each question you want to contribute to the scoring, with 10 being the highest importance. Questions with an importance of 0 do not contribute to scoring.


5. For questions with quantifiable or defined answers, such as number, date, multiple choice, or Yes/No questions, to pre-grade potential answers [page 247], perform the following actions:a. In the Pre-Grade column, choose Yes from the dropdown menu.b. For each available answer to multiple choice or Yes/No questions, select a pre-grade percentage value

between 0 and 100. For number and date questions, use the From, Ideal, and To fields to define a range of answers and the pre-grades for each stage in the range.

6. Click Update to recalculate the Overall % that each section and question contributes to the total assessment questionnaire score.

7. Click Exit, then click Save and then exit

Results

Once you publish the new version of the template, SAP Ariba Supplier Risk calculates percentage-based scores for the engagement request or engagement-level risk assessment based on the survey to which you added scoring. You can see the residual risk scores for individual risk assessments in the Engagement Requests area of the Supplier Risk dashboard and individual supplier 360° profiles. Inherent risk scores for engagement requests display in the Risk score field of the Engagement request detail area of individual engagement requests.

Next Steps

If you are adding scoring to the engagement request, you can use its inherent risk score to recommend engagement-level risk assessments [page 260].

Related Information

Example: How weight, importance, and pre-grades work together in percentage-based risk questionnaire scoring in legacy engagement requests and engagement-level risk assessments [page 253]Topics about editing and publishing project templates [page 86]Weight and importance in percentage-based scoring in legacy engagement requests and engagement-level risk assessments [page 252]Pre-grades for legacy engagement requests and engagement-level risk assessments [page 247]How to recommend a legacy engagement-level risk assessment based on the legacy engagement request's inherent risk rating [page 260]



How to add point-based scoring to legacy engagement requests and engagement-level risk assessments

Adding pre-grades to questions with defined or quantifiable answers allows SAP Ariba Supplier Risk to calculate point-based inherent risk scores for engagement requests and residual risk scores for engagement-level risk assessments.

Context


You must be a member of the Supplier Risk Manager or Template Creator group to create or edit survey documents in the risk assessment project template.


By default, survey documents in the risk assessment project template use percentage-based scoring. Point-based scoring is only available in sites with the point-based scoring feature enabled.

Procedure

1. In the Content area of the survey document, from the Display dropdown menu, choose Point Based Scoring.

The Content area displays pre-grade fields.2. For questions with quantifiable or defined answers, such as number, date, multiple choice, or Yes/No

questions, pre-grade potential answers by performing the following actions:a. In the Pre-Grade column, choose Yes from the dropdown menu.b. Enter the number of points you want to award to each possible answer.

3. Click Exit, then click Save and then exit.

Results

Once you publish the new version of the template, SAP Ariba Supplier Risk calculates a score for the engagement request or engagement-level risk assessment based on the survey to which you added scoring. You can see the


residual risk scores for individual risk assessments in the Engagement Requests area of the Supplier Risk dashboard and individual supplier 360° profiles. Inherent risk scores for engagement requests display in the Risk score field of the Engagement request detail area of individual engagement requests.

Next Steps

If you are adding scoring to the engagement request, you can use its inherent risk score to recommend engagement-level risk assessments.

Related Information

Point-based scoring versus percentage-based scoring [page 119]How to recommend a legacy engagement-level risk assessment based on the legacy engagement request's inherent risk rating [page 260]Pre-grades for legacy engagement requests and engagement-level risk assessments [page 247]

How to recommend a legacy engagement-level risk assessment based on an answer in the legacy engagement request

When a user is ready to send out engagement-level risk assessments in a risk assessment project, recommended assessments appear at the top of the send assessments page and are selected by default. You can use visibility conditions to make assessments recommended based on answers in the engagement request.

Context


You recommend one or more engagement-level risk assessments based on answers to questions about inherent risk in the engagement request by using specialized field mappings and visibility conditions in a hidden requirement in the request template survey document.

Field mappings for assessment recommendations have the format assessment.<current survey document name>. You can recommend multiple assessments for a single risk rating by specifying multiple survey document names, separated by semicolons (;), after the initial assessment.



For example, if your engagement request has yes/no question about whether a supplier or third party will need access to company computer networks for the engagement, you can create an assessment called IT Security Assessment. To make this assessment recommended if the engagement requires supplier access to company computer networks, you create a hidden requirement in the engagement request survey document, map the requirement to assessment.IT Security Assessment, and apply a visibility condition to expose the requirement in risk assessment projects with a Yes answer to the computer network access question in the engagement request. This configuration specifies that when there is a Yes answer to the computer network access question in the engagement request, the IT Security Assessment assessment is recommended and is selected by default.

To recommend multiple assessments based on the same condition, construct a mapping that uses one initial assessment. value, then lists each assessment survey document name separated by semicolons (;). For example, to recommend both an IT Security Assessment and a Reputational Risk Assessment - IT Security, map the requirement to assessment.IT Security Assessment;Reputational Risk Assessment - IT Security.

Procedure

1. Create or edit a template survey document [page 169] for the engagement-level risk assessment.2. Add questions and other content to the assessment [page 169].3. In the engagement request survey document, create a visibility condition [page 183] based on the question in

the request that will trigger the recommendation of the assessment.4. Add a requirement to the reqiest [page 173] and give it the following settings:

a. Set Visible to Participant to No so that the recommendation is hidden.b. In the Supplier field mapping field, enter assessment.<current survey document name>.c. For Visibility Conditions, set the requirement to be visible when the condition matches the answer to the

question in the engagement request that triggers the recommendation.

Results

Neither project team members nor assessment recipients see the hidden requirement. However, when an answer to a question about inherent risk in the engagement request matches the visibility condition in the requirement, the requirement's mapped survey document shows as a recommended engagement-level risk assessment.

Related Information

How to create a supplier form or questionnaire [page 169]How to add a requirement to a supplier form or questionnaire [page 173]How to add a question to a supplier form or questionnaire [page 174]Using visibility conditions to show or hide content based on answers [page 183]How to recommend a legacy engagement-level risk assessment based on the legacy engagement request's inherent risk rating [page 260]


How to recommend a legacy engagement-level risk assessment based on the legacy engagement request's inherent risk rating

When a user is ready to send out engagement-level risk assessments in a risk assessment project, recommended assessments appear at the top of the send assessments page and are selected by default. You can use project-level conditions to make assessments recommended based on the engagement request's inherent risk rating.

Prerequisites


To edit the engagement risk assessment project template, you must be a member of the Template Creator group.

The engagement request must be set up to use scoring, and your site must have defined risk ratings for specific ranges of scores (such as a rating of High for a score range of 75-100) using site configuration parameters, which SAP Ariba sets. The Application.SR.Engagement.RiskScoreRanges parameter defines risk ratings for percentage-based scores; the default values are 0-50 for Low, 50-75 for Medium and 75-100 for High. With these settings, an score of 50 has a Medium rating and a score of 75 has a High rating. The Application.SR.Engagement.RiskPointBasedScoreRanges parameter defines risk ratings for point-based scores; the default values are Low:0:60 Medium:60:90 High:90:1000, meaning that scores of 0 to 59 points have a low risk rating, scores of 60 to 89 points have a medium risk rating, and scores of 90 to 1000 points have a high risk rating. With these settings, an score of 60 has a Medium rating and an score of 90 has a High rating.

You use the names of the ratings defined by these parameters to create conditions for triggering assessment recommendations.

Context

You make an engagement-level risk assessment recommended based on a risk rating derived from the engagement request's inherent risk score by using project-level conditions and specialized field mappings and visibility conditions in a hidden requirement in the request template survey document.

You can also make assessments recommended based on the answers to individual questions in the engagement request. Ratings-based recommendations ensure that specific assessments are recommended under specific conditions independent from individual answers in the engagement request. For example, you might have a Yes/No question in the engagement request where a Yes answer triggers a recommendation for a strategic risk assessment; however, if the engagement request generates an overall high inherent risk score, you might want to make the strategic risk assessment recommended even if the answer to the strategic risk question is No. Or you



might have one general assessment that you want to make recommended for low-risk engagements that otherwise wouldn't have any recommended assessments based on answers to questions.

Field mappings for assessment recommendations have the format assessment.<survey document name>. You can recommend multiple assessments for a single risk rating by specifying multiple survey document names, separated by semicolons (;), after the initial assessment..

For example, you might create an assessment called Strategic Risk Assessment to ask questions about an engagement's strategic risk, and an assessment called Reputation Risk Assessment to ask questions about an engagement's reputation risk. If your site defines a High rating for engagement request inherent risk scores between 75 and 100, you can create a project-level condition that triggers when an engagement request's inherent risk score has a High rating. To recommend these assessments for engagement requests with high risk ratings, you create a hidden requirement in the engagement request survey document, map the requirement to assessment.Strategic Risk Assessment;Reputation Risk Assessment, and apply a visibility condition using the project-level condition for risk ratings of High. This configuration specifies that when an engagement request has an inherent risk score of 75 or above, and therefore a risk rating of High, the Strategic Risk Assessment and Reputation Risk Assessment are both recommended and are selected by default.

TipThis procedure uses conditions based on risk ratings, which define standard ranges for risk scores. However, note that you can also create project-level conditions based on the risk score itself to drive assessment recommendations or perform other actions, using the Inherent Risk Score field.

Procedure

1. Open the engagement risk assessment project template. If the status is not Draft, create a new version.2. Click the Conditions tab.3. Create one or more project-level conditions that are triggered by specific engagement request risk ratings by

performing the following steps:a. Click Add Condition.b. Enter a name for the condition; it's a good idea to reference the name of the risk rating that will trigger the

condition in the condition name; for example, High Risk.c. (Optional) Enter a description for the condition.d. For the expression, click All Are True and choose Field Match

e. Choose Select more fields...f. Locate Inherent Risk Rating on the list of available fields and click Select.g. For the operator, choose is equal to.

h. To set the value, choose Select Select value , then enter the exact name of the risk rating and click OK. The value you specify must be an exact match to a risk rating defined by the Application.SR.Engagement.RiskScoreRanges or Application.SR.Engagement.RiskPointBasedScoreRanges site configuration parameter.

i. Click OK.j. Repeat these steps as necessary to add conditions for other risk score ratings.

4. Click the Documents tab.


5. Click the engagement request survey document and choose Edit.6. Click Content.7. Create one or more hidden requirements to make assessments recommended based on the engagement

request's risk rating by performing the following actions:

a. Choose Add Requirement .b. Enter a name for the requirement.c. For Visible to Participant, choose No.d. In the Supplier field mapping field, enter assessment. and the exact names of one or more assessment

survey documents, separated by semicolons (;); for example, assessment.Strategic Risk Assessment;Reputation Risk Assessment.

e. For Visibility Condition, choose none Other , then locate the project-level condition for the risk rating and click Select.

f. Click Done.g. Repeat these steps as necessary to add hidden requirements that recommend assessments for other risk

score ratings.8. Click Exit.9. Publish your updates to the engagement risk assessment project template.

Results

Despite your use of visibility conditions, neither the requester nor approvers see any hidden requirements that are not visible to participants. What the visibility condition does is trigger the requirement. Once the engagement request is submitted, SAP Ariba Supplier Risk calculates its inherent risk score, which translates into a rating. If the rating matches a visibility condition in a requirement, the requirement's mapped survey documents show as a recommended engagement-level risk assessments.

Related Information

How to recommend a legacy engagement-level risk assessment based on an answer in the legacy engagement request [page 258]Adding scoring to legacy engagement requests and risk assessments [page 246]How to add percentage-based scoring to legacy engagement requests and engagement-level risk assessments [page 255]How to create a supplier form or questionnaire [page 169]How to add a requirement to a supplier form or questionnaire [page 173]How to add a question to a supplier form or questionnaire [page 174]Using visibility conditions to show or hide content based on answers [page 183]How to recommend a legacy engagement-level risk assessment based on an answer in the legacy engagement request [page 258]



Topics about running administrative reports

How to run the Supplier Risk Summary report [page 263]

How to run new updates for risk compliance reports [page 264]

How to run the Supplier Risk Summary report

The Supplier Risk Summary report provide information how your organization is using SAP Ariba Supplier Risk features in your site, including metrics for both suppliers and user activity.

Prerequisites

You must be a member of the Supplier Risk Manager group to run the Supplier Risk Summary report.

Context

The Supplier Risk Summary report has three worksheets:

● Customer Summary, which shows:○ Total suppliers, followed suppliers, and suppliers with alerts in your site.○ Total number of alerts per incident type.○ Total number of alerts per supplier.

● User Summary - Suppliers, which shows the suppliers that each user in your company followed in the report time period and the number of alerts each user received for those suppliers.

● User Summary - Alerts, which shows the incident types that each user in your company followed in the report time period, the number of alerts each user received for those incident types, and whether or not they have enabled email notifications for those incident types.

All three worksheets show a summary of your company's risk activity in SAP Ariba Supplier Risk (total number of suppliers, suppliers followed, total number of unique alerts, and so forth).

By default, theSupplier Risk Summary report includes information on all alerts generated in the last three months. The information includes the number of alerts per incident type and per supplier in your site, the suppliers each user follows, the alerts they receive for those suppliers, and their current alert notification settings for each incident type.

Setting up SAP Ariba Supplier RiskTopics about running administrative reports C O N F I D E N T I A L 263

Procedure

1. On the Supplier Risk dashboard, click the settings icon ().

The Supplier Risk Administration page opens.2. In the left-hand navigation bar, click Reports.3. On the Report name dropdown menu, choose Supplier Risk Summary.4. (Optional) For Time Period, click in the date field and perform one of the following actions:

○ Choose one of the preset filters (Last 7 Days. Last 30 Days), Last 3 Months, or Last 6 Months).○ Choose Custom range and use the calenders to choose from and to dates for the custom date range.

5. Click Apply.6. Click Generate Report.7. Save the generated report XLSX file on your computer.

How to run new updates for risk compliance reportsRunning an update for a supplier's risk compliance reports make them available for all users to download.

Prerequisites

You must be a member of the Supplier Risk Manager group to run new updates for risk compliance reports.

Context

Your company is entitled to a maximum of 12 compliance reports per year per supplier. The first report of the year is the baseline report. All of the reports for that year after the baseline report are updates to the baseline (incremental reports). Both the baseline report and the subsequent updates count toward the maximum of 12 reports per year. After you have reached the maximum, you cannot run another update for that supplier until the next year. The Compliance tab of the Risk tile shows the number of updates that are still available for the supplier.

You must run separate updates for each supplier that has compliance reports.

Procedure

1. Click a supplier's name to open its supplier's 360° profile.2. If you are not on already the Risk tile, click it.3. On the Overview tab, click Compliance.


Topics about running administrative reports

4. Click + Request for a new report.5. Click Yes.

Results

After the update has run, users can download it from the Compliance tab.

Setting up SAP Ariba Supplier RiskTopics about running administrative reports C O N F I D E N T I A L 265

Topics about site configuration parameters for setting up SAP Ariba Supplier Risk

Site configuration parameters for engagement risk assessment projects [page 266]

Self-service site configuration parameters for engagement risk assessment projects [page 267]

Site configuration parameters for engagement risk assessment projectsSome of the functionality for risk assessment projects is controlled by configuration parameters, which SAP Ariba sets for you.Application.ACM.PhaseAutoStart

Domyślnie faza rozpoczyna się automatycznie, gdy jedno z jej zadań zostanie oznaczone jako rozpoczęte lub zakończone. Jeśli Application.ACM.PhaseAutoStart ustawiono na Nie, użytkownicy muszą ręcznie oznaczyć fazę jako rozpoczętą.

Application.ACM.PhaseAutoComplete

Domyślnie faza kończy się automatycznie po zakończeniu jej wszystkich wymaganych zadań. Jeśli Application.ACM.PhaseAutoComplete ustawiono na Nie, użytkownicy muszą ręcznie oznaczyć fazę jako zakończoną.

SAP

Application.SR.Engagement.AutoSkipAssessmentsSpecifies whether or not supplier or third-party engagement risk assessment projects with engagement requests that do not generate any engagement-level risk assessment questionnaire recommendations automatically skip the send assessments phase. If this parameter is enabled, approved engagement requests with no recommended assessments automatically move to Completed: Assessments skipped automatically status. If it is disabled, engagement requests with no recommended assessments move to the send assessments phase, and a governance expert must manually either skip or select assessments to send. The default setting is No, meaning that engagement requests that do not generate assessment recommendations still move to the send assessments phase.

NoteThis parameter is only applicable for legacy engagement risk assessment projects.



Self-service site configuration parameters for engagement risk assessment projects

Some of the functionality for control-based engagement risk assessment projects is controlled by self-service configuration parameters, which members of the Customer Administrator group can set.

For details about setting self-service site configuration parameters, see the Common Data Import and Administration Guide.

Allow engagement requests with no supplier [page 267]

Define percentage-based scoring ratings and ranges for engagement questionnaires [page 268]

Define point-based scoring ratings and ranges for engagement questionnaires [page 268]

Enable advanced archiving workflow for engagement projects [page 269]

Enable advanced engagement editing and canceling [page 269]

Enable advanced send assessment workflow for engagement projects [page 270]

Enable change project owner action on the engagement page [page 270]

Enable editability access control for the issue form [page 271]

Add issue assignees to the assignee project group only [page 271]

Enable manage project team action on the engagement page [page 272]

Enable task enhancements in engagement projects [page 272]

Hide names of empty questionnaire sections [page 273]

Process engagement request questionnaires in the background [page 274]

Process supplemental engagement questionnaires in the background [page 274]

Require issues for ineffective risk control decisions [page 275]

Restrict engagement project visibility by role [page 275]

Restrict issue project visibility by role [page 276]

Set batch size for creating assessment questionnaires [page 276]

Show only registered suppliers in engagement projects [page 277]

Allow engagement requests with no supplier

Enables requesters to submit engagement requests for control-based engagement risk assessment projects with no supplier selected.

ID Application.SR.Engagement.AllowOptionalSupplier

Name Allow engagement requests with no supplier

Default value No

Setting up SAP Ariba Supplier RiskTopics about site configuration parameters for setting up SAP Ariba Supplier Risk C O N F I D E N T I A L 267

By default, requesters cannot submit engagement requests unless they have selected a supplier for the engagement. Setting this parameter to Yes allows requesters to successfully submit engagement requests with no supplier selected..

NoteThis parameter is only applicable in control-based engagement risk assessment projects.

Define percentage-based scoring ratings and ranges for engagement questionnaires

Defines numeric ranges and names for percentage-based scoring in engagement risk assessment projects. Range values must be 0 or greater, with no gaps between range, in the format rating name:low value:high value. If there is any overlap between two ratings, the rating with the higher range is used.

ID Application.SR.Engagement.RiskScoreRanges

Name Define percentage-based scoring ratings and ranges for engagement questionnaires

Default value Low:0:50, Medium:50:75, High:75:100

Range values must be between 0 and 100, with no gaps between ranges, in the format Rating name:low value:high value.

If there is any overlap between two ratings, the rating with the higher range is used. The default values mean that scores of 0% to 49% have a low risk rating, scores of 50% to 74% have a medium risk rating, and scores of 75% to 100% have a high risk rating. Note that the default ranges assume that your pre-grading assigns higher scores high-risk answers and lower scores for low-risk answers. You can specify any number of ranges, with a maximum high value of 100%.

Define point-based scoring ratings and ranges for engagement questionnaires

Defines numeric ranges and names for point-based scoring in engagement risk assessment projects. Range values must be 0 or greater, with no gaps between range, in the format rating name:low value:high value. If there is any overlap between two ratings, the rating with the higher range is used.

ID Application.SR.Engagement.RiskPointBasedScoreRanges

Name Define point-based scoring ratings and ranges for engagement questionnaires

Default value Low:0:60,Medium:60:90,High:90:1000

Range values must be 0 or greater, with no gaps between ranges, in the format Rating name:low value:high value.

If there is any overlap between two ratings, the rating with the higher range is used. The default values mean that scores of 0 to 59 points have a low risk rating, scores of 60 to 89 points have a medium risk rating, and scores of 90



to 1000 points have a high risk rating. Note that the default ranges assume that your pre-grading assigns more points for high-risk answers and fewer points for low-risk answers. You can specify any number of ranges, with a maximum high value of 1000 points.

Enable advanced archiving workflow for engagement projects

Enables the advanced workflow for archiving control-based engagement risk assessment projects. The simple workflow archives the project in one step. In the advanced workflow, an archive request starts tasks in an archiving phase, and the project is archived after those tasks are completed.

ID Application.SR.Engagement.EnableAdvancedArchiveWorkflow

Name Enable change project owner action on the engagement page

Default value No

In sites where the engagement risk assessment project archiving feature is enabled, the default behavior is a simple archiving workflow where users with the appropriate permissions archive engagement projects in a single step. Setting this parameter to Yes enables the advanced archiving workflow, where an archive request starts a workflow defined by tasks in an archiving phase in the engagement risk assessment project template. The engagement project can only be archived after those tasks are complete.

To fully enable the advanced archiving workflow in your site, in addition to enabling this parameter, a template creator must also set up the archiving phase in the engagement risk assessment project template. The advanced archiving workflow does not function correctly without the required project template configuration.

There is currently no way to upgrade existing engagement risk assessment projects to the latest published version of the template. The simple archiving workflow allows you to archive any completed engagement risk assessment project, but the advanced workflow only works in projects that were created from a version of the template that includes the archiving phase.

TipIf you want to implement the advanced archiving workflow, and your site includes completed engagement risk assessment projects that require archiving but were created from a previous version of the template that did not include the archiving phase, you can use the simple workflow to archive those projects before enabling the advanced workflow.


Enable advanced engagement editing and canceling

Enables the ability to edit or cancel control-based engagement risk assessment projects at any point before the project is completed, rather than only up until the point where assessments are sent.


ID Application.SR.Engagement.AllowAdvancedEditCancel

Name Enable advanced engagement editing and canceling

Default value No

By default, users with the appropriate permissions can edit or cancel control-based engagement risk assessment projects only up to the point where assessments are sent. Setting this parameter to Yes enables the advanced editing and canceling feature, which allows users to edit or cancel control-based engagement risk assessment projects in any phase up to the point of final approval and provides a resubmission workflow to handle edits that are flagged as requiring reapproval or that introduce significant changes.


Enable advanced send assessment workflow for engagement projects

Enables the advanced workflow for sending assessments in control-based engagement risk assessment projects. The simple workflow sends all assessments in one step. The advanced workflow includes the ability to send different assessments in separate rounds and to choose recipients.

ID Application.SR.Engagement.EnableAdvancedSendAssessment

Name Enable advanced send assessment workflow for engagement projects

Default value No

By default, control-based engagement risk assessments use the simple workflow for sending assessments, where completing the send assessments To Do task sends all required assessments to default recipients in a single action. Setting this parameter to Yes enables the advanced workflow, which allows the owner of the send assessments To Do task to send selected assessments in separate rounds and choose recipients for each assessment.


Enable change project owner action on the engagement page

Enables users with the appropriate permissions to change the project owner of a control-based engagement risk assessment project from the engagement page.

ID Application.SR.Engagement.ChangeOwnerAction




Default value No

By default, the requester who creates a control-based engagement risk assessment project is the explicit project owner and cannot be removed from its Project Owners project group. The only way to change the project owner is through the use of a question of type User mapped to project.Owner in either the business details or inherent risk screening questionnaire in the engagement request, and that option is only available when the engagement request is editable.

Setting this parameter to Yes adds a Change owner action to the Action menu on the engagement page. Users with the appropriate permissions can use it to change the project owner in any phase of the project.


Enable editability access control for the issue form

Enables editability access control for the issue form in issue management projects. Template creators can use editability access control to restrict who has permission to edit specific sections of the issue form based on role.

ID Application.SR.IssueManagement.UseTeamAccessForReadOnly

Name Enable editability access control for the issue form

Default value No

Setting this parameter to Yes enables role-based editability access control for the issue form in issue management projects. This access control allows you to restrict who can edit specific sections of the issue form based on either project role or membership in specific global user groups that define project permissions.

If you have also enabled Add issue assignees to the assignee project group only [page 271], so that issue assignees are not added to the Project Owners project group, you can use access control to ensure that issue creators (members of the Project Owner group) and issue assignees can only edit appropriate sections of the issue form.


Add issue assignees to the assignee project group only

Specifies whether assignees are added to only the assignee project group in issue management projects or are also added to the Project Owner group. When assignees are added only to the assignee group, template creators can define separate task ownership and editability access control for assignees and project owners.

ID Application.SR.IssueManagement.AddAssigneeToAssigneeTeamOnly


Name Add issue assignees to the assignee project group only

Default value No

By default, issue assignees are added to the Project Owner project group as well as the dedicated issue assignee project group if your issue management project template includes it.

Setting this parameter to Yes adds issue assignees only to the dedicated assignee project group so that they do not have Project Owner permissions.

In addition to enabling this parameter, if your issue management project template does not already include a dedicated assignee group, a template creator must also add a project group named Assignee to the issue management template. The presence of that project group in the published issue management project template is required for the behavior enabled by this parameter to function correctly.

If you have also enabled Restrict issue project visibility by role [page 276], you can use access control to ensure that issue creators (members of the Project Owner group) and issue assignees can only edit the appropriate sections of the issue form and that assignees and creators cannot edit the same sections of the form.


Enable manage project team action on the engagement page Enables users with the appropriate permissions to manage membership of the Project Owner group in control-based engagement risk assessment projects on the engagement page.

ID Application.SR.Engagement.ManageProjectTeamAction


Default value No

By default, the only way to add or remove members from the Project Owner project group of a control-based engagement risk assessment project is through the advanced view, where only members of the Supplier Risk Engagement Governance Analyst global user group can edit project teams.

Setting this parameter to Yes adds a Manage project team action to the Action menu on the engagement page. Users with the appropriate permissions can use it to manage the membership of the Project Owner project group.


Enable task enhancements in engagement projects Enables enhancements to certain tasks in control-based engagement risk assessment projects, including the ability to resubmit some approval tasks; the ability to request more information when approving supplemental



engagement questionnaires; and the ability to save supplemental engagement questionnaires without submitting them.

ID Application.SR.Engagement.TaskEnhancementsForERProjects

Name Enable task enhancements in engagement projects

Default value Yes

The default setting, Yes, adds the following functionality to tasks in control-based engagement risk assessment projects:

● Saving supplemental engagement questionnaires that are in progress. When this parameter is set to No, the owners of To Do tasks for editing supplemental engagement questionnaires must either submit the questionnaires and complete the To Do tasks or cancel and lose their answers.Requesting additional information on supplemental engagement questionnaires. When this parameter is set to No, approvers can only approve or deny supplemental engagement questionnaires..Resubmitting some approvals to change approval decisions. When this parameter is set to No and approvers complete applicable approval tasks, those approval decisions are final.


Hide names of empty questionnaire sections

Specifies whether the names of sections that do not contain any content show in the questionnaires defined in the engagement risk assessment project template, including engagement request questionnaires.

ID Application.SR.Engagement.HideEmptySectionHeader

Name Hide names of empty questionnaire sections

Default value No

Setting this parameter to Yes hides the names of any sections in questionnaires defined by survey documents in the control-based engagement risk assessment project template that do not contain content. In some cases, visibility conditions or engagement attribute mappings can result in questionnaires with empty sections because their content is hidden due to visibility conditions or engagement attribute mappings. If your control-based engagement risk assessment project setup results in this situation, you can use this parameter to hide the section names as well.



Process engagement request questionnaires in the background

Specifies whether or not the business details and inherent risk screening questionnaires in control-based engagement risk assessment projects use a background process for submission. While the background process is in progress, the requester can continue with the next step of the request but cannot proceed further.

ID Application.SR.Engagement.Async.SubmitQuestionnaire

Name Process engagement request questionnaires in the background

Default value No

By default, when a requester submits either the business details or inherent risk screening questionnaire in the engagement request by clicking Next, the questionnaire is processed immediately and the requester cannot navigate to the next step of the request until the processing is complete. Setting this parameter to Yes can mitigate performance problems with submission of those questionnaires. When it is enabled, once the requester submits the current questionnaire by clicking Next, the next step of the engagement request opens immediately while the current questionnaire submission processes in the background. The navigation buttons on that next step do not show until the questionnaire submission is complete.


Process supplemental engagement questionnaires in the background

Specifies whether or not supplemental engagement questionnaires in control-based engagement risk assessment projects use a background process for submission. The next task in the workflow does not start until submission is complete.

ID Application.SR.Engagement.Async.SubmitSecondaryDoc

Name Process supplemental engagement questionnaires in the background

Default value No

By default, when the owner of the To Do task that enables editing a supplemental engagement questionnaire submits the questionnaire, the questionnaire is processed immediately and the engagement page does not reopen until processing is complete. Setting this parameter to Yes can mitigate performance problems with submission of these questionnaires. When it is enabled, once the owner of the To Do task has submitted the questionnaire, the engagement page opens immediately while the questionnaire submission processes in the background. The To Do task is not actionable while the submission is processing, but it does not show on the Completed tasks tab, and any approval task for which it is predecessor does not start, until the submission is complete.




Require issues for ineffective risk control decisions

Specifies whether or not control decision makers can mark controls that do not have any issues ineffective in engagement risk assessment projects.

ID Application.SR.Engagement.RequireIssueForIneffectiveControlDecision

Name Require issues for ineffective risk control decisions

Default value No

Control-level issues can capture the process used to reach ineffective decisions for a control, and are available in other engagement risk assessment projects that use the control and where control decision makers might need to reevaluate the control decision. When the optional issue check feature is enabled in a site, it checks for related issues every time a control decision maker marks a control as ineffective. When this feature is enabled, the settings for this parameter specify the following behavior when a control decision maker marks a control as ineffective and is has no related issues::

● The default setting, No, results in a popup that asks the decision maker if they want to create an issue and provides navigation for doing so, but issue creation is optional. The decision maker can cancel out of the popup and finish marking the control as ineffective..

● Setting this parameter to Yes results in a popup that informs the decision maker that an issue is required and provides navigation for creating one. The decision maker cannot mark the control as ineffective until there is at least one issue associated with the control.


Restrict engagement project visibility by role

Restricts who can view control-based engagement risk assessment projects by global user group membership and project group membership.

ID Application.SR.Engagement.EngagementVisibilityFilterByRole

Name Restrict engagement project visibility by role

Default value Yes

The default setting of this parameter, Yes, restricts the permission of members of engagement-related global user groups to view engagement risk assessment projects as follows:

● Users in the Supplier Risk Engagement Requestor global user group can only see those engagement risk assessment projects for which they are a member of the Project Owner project group.

● Users in the Supplier Risk Engagement Expert global user group can only see those engagement risk assessment projects in which they are either members of the Project Owner project group or control decision makers.

● Users in the Supplier Risk Engagement Governance Analyst group can see all engagement risk assessment projects.

If you set this parameter to No, all users can view all engagement risk assessment projects in your site.



Restrict issue project visibility by role

Restricts who can view issue management projects by global user group membership and project group membership.

ID Application.SR.IssueManagement.IssueVisibilityFilterByRole

Name Restrict issue project visibility by role

Default value Yes

The default setting of this parameter, Yes, restricts the permission of members of engagement-related global user groups to view issue management projects as follows:

● Users in the Supplier Risk Engagement Requestor global user group can only see those issues for which they are a member of the Project Owner project group.

● Users in the Supplier Risk Engagement Expert global user group can only see those issues in which they are either members of the Project Owner project group or assignees.

● Users in the Supplier Risk Engagement Governance Analyst group can see all issue management projects.


Set batch size for creating assessment questionnaires

Specifies the number of modular questionnaire projects the system creates in each batch when assessments are sent in engagement risk assessment projects. The system creates new batches of assessment questionnaires at intervals. You can specify a value between 1 and 100.

ID Application.SR.Engagement.CreateQuestionnaireBatchSize

Name Set batch size for creating assessment questionnaires

Default value 20

Sending assessments in a control-based engagement risk assessment project involves the creation of a new modular supplier management questionnaire project for every assessment required by the engagement that was not already completed in another engagement risk assessment project. If your engagement risk assessment process requires a large number of assessments for each engagement project, there can be some delay between when assessments are sent and when the assessment modular questionnaire projects are created as the system generates batches of them at internals. Setting this parameter to a number higher than the default value can help speed this process by using larger batches.




Show only registered suppliers in engagement projects

Filters suppliers to show only those with approved registration projects during the supplier selection step in control-based engagement risk assessment projects.

ID Application.SR.Engagement.ShowRegisteredSuppliersOnly

Name Show only registered suppliers in engagement projects

Default value No

By default, the supplier selection step of the engagement request in control-based engagement risk assessment projects shows all suppliers in your site. Setting this parameter to Yes means that only suppliers with a Registered registration status show in this step. This filter steers requesters toward selecting suppliers for whom you have already collected information and performed basic due diligence.

Only set this parameter to Yes if your site uses supplier registration projects. Suppliers can only achieve a Registered registration status through an approved registration project. Registration projects are only available in solutions that include SAP Ariba Supplier Lifecycle and Performance or SAP Ariba Supplier Information and Performance Management (new architecture), where the registration project template must be set up and published. There is no other way to set registration status for a supplier.



Revision history

The following table provides a brief history of the updates to this guide. SAP Ariba updates the technical documentation for its On Demand solutions if:

● software changes delivered in service packs or hot fixes require a documentation update to correctly reflect the new or changed functionality.

● the existing content is incorrect or user feedback indicated that important content is missing.

SAP Ariba reserves the right to update its technical documentation without prior notification. Most documentation updates will be made available the same week the software service packs are released, but critical documentation updates may be released at any time.

Month/Year of Update Updated Topic Short Description of Change

November 2019 Restrictions, requirements, and helpful hints for setting up the supplier risk engagement project template for control-based engagement risk assessments

Removed references to default template tasks and phases. Template creators must add phases and tasks to the template after deployment.


Added topic.

● Adding supplier data in solutions that include SAP Ariba Supplier Risk

● Topics about importing risk-related site master data in Ariba Administrator

Moved information about importing supplier data in different SAP Ariba landscapes and all information about master data imports for control-based engagement risk assessment projects to a separate new guide, Supplier risk data import.

Throughout Removed cross-references to topics that were moved to Supplier risk data import.

Optional features for control-based engagement risk assessments

Added the following new optional features:

● ARI-4942: Check for issues before marking a control as ineffective● ARI-6507: Registered suppliers filter for supplier selection in enga

gement requests● ARI-6917: Archiving for completed engagement risk assessment

projects (advanced workflow)

Setting up phases and tasks for control-based engagement risk assessment projects

● Updated topic title.● Removed references to default template tasks and phases.● Clarified best practices for predecessors to ensure that project

tasks display correctly in the process flow graph on the engagement phase and start in a timely manner.

● Added Project Archiving phase.


Revision history


Setting up supplemental engagement questionnaires

Clarified best practices for using predecessors to ensure that project tasks display correctly in the process flow graph on the engagement phase and start in a timely manner.

Supplier field mappings for control-based engagement risk assessment projects

● Added information about syntax for multiple mappings for the same question.

● Added initial capitalization for project.Materiality, project.Criticality, and project.Outsourcing mappings.

Notifications related to projects SAP Ariba sends notifications to users added or removed from project groups even if they are not members of a project group with the Active Team Member or Project Owner role.

Notifications related to control-based engagement risk assessment projects

Added notifications for project archiving.

Site configuration parameters for engagement risk assessment projects

Removed self-service site configuration parameters from this topic.

Self-service site configuration parameters for engagement risk assessment projects

Added a new section with improved description of self-service site configuration parameters, including the following new parameters:

● Application.SR.Engagement.RequireIssueForIneffectiveControlDecision

● Application.SR.Engagement.ShowRegisteredSuppliersOnly

● Application.SR.Engagement.EnableAdvancedArchiveWorkflow.

The second permission in the description for Application.SR.Engagement.EngagementVisibilityFilterByRole now refers to Supplier Risk Engagement Expert rather than Supplier Risk Engagement Governance Analyst.

August 2019 How to append external IDs to supplier profiles

Added topic.

Understanding how risk exposure is calculated

Added topic.

How to make an ineligible supplier eligible for monitoring

Added topic.

About risk controls in SAP Ariba Supplier Risk

Updated information about service-level controls and added information about being able to review pending controls in any engagement where they are required.

The control-based engagement risk assessment process

Added information about the post-project approval phase and supplemental engagement questionnaires.

Setting up SAP Ariba Supplier RiskRevision history C O N F I D E N T I A L 279


Restrictions for control-based engagement risk assessment projects

Renamed topic and removed the restriction on where control decision makers reviewed pending controls. Control decision makers can now review pending controls in any active engagement risk assessment project that uses them.

The issue management process for risk controls and control-based engagement risk assessment projects

Added information about:

● How assignees are added to issues.● Possible access control restrictions on individual sections of the

issue form.● How engagement risk assessment projects now include control-le

vel issues and inherent risk ratings from previous engagements that used the same vendor- and service-level controls.

Optional features for control-based risk assessments

Added the following optional features:

● ARI-5959: Issue assignee team management● ARI-6785: Role-based editability for issues in control-based enga

gement risk assessment projects

Understanding the components of the control-based engagement risk assessment process

Added the optional post-project approval phase.

About the supplier risk engagement project template for control-based engagement risk assessment projects

Added information about supplemental engagement questionnaires and updated information on how a user can become a project owner.

Restrictions, requirements, and helpful hints for setting up the supplier risk engagement project template for control-based engagement risk assessment projects

Added information about the post-project approval phase, creating a question in the engagement request business details questionnaire to set the project owner, and using supplemental engagement questionnaires.

Setting up the business details questionnaire in the engagement request

Added information about creating a question to set the project owner.

Setting up control-based engagement risk assessment project tasks

Added information about the post-project approval phase and setting up the project approval phase so that approvers can resubmit a denied approval.

About the issue management project template

Added information about how members are added to the assignee project group and how the issue or issue creator might or might not become a member of the Project Owner project group, depending on site configuration.

Restrictions, requirements, and helpful hints for setting up the issue management project template

Added the following items:

● A requirement for adding an Assignee project group in sites that use the issue assignee team management feature.

● A helpful hint on setting up editability access control restrictions.


Revision history


● Setting up access control for editing sections of the issue form

● Setting up supplemental engagement questionnaires

● Notifications related to control-based engagement risk assessment projects

Added new topics.

Supplier field mappings for control-based engagement risk assessment projects

Added the project.Owner mapping.

Customizing the issue page Added a question about issue probability to the list of default questions in the issue form.

Site configuration parameters for risk assessment projects

Added Application.SR.Engagement.EngagementVisibilityFilterByRole, Application.SR.Engagement.Async.SubmitQuestionnaire, and Application.SR.Engagement.Async.SubmitSecondaryDoc.

● Adding supplier data in solutions that include SAP Ariba Supplier Risk but do not include SAP Ariba Supplier Lifecycle and Performance

● Importing suppliers from sourcing (manual supplier migration)

● How to manually migrate supplier organization data

● Options for migrating ERP vendor IDs to the unified vendor model

● Supplier organization-to-unified-vendor-model field mappings

Added new topics about how to add supplier data to SAP Ariba Supplier Risk in various solution combinations.



May 2019 ● Configuring risk exposure● Topics about configuring

risk exposure● Supplier risk exposure● Understanding the risk ex

posure configuration interface

● How to specify the data sources used in risk exposure calculations

● How to set category weights and thresholds

● How to define values and risk exposures for fields

● Defining fields in the risk model

Risk exposure configuration worksheet eliminated and replaced with a comprehensive user interface within SAP Ariba Supplier Risk, including changing the range of risk exposure measurements from 1-5 to 1.00-100.00. Topics revised or replaced.

How to import supplier data ● Added mention of an alternate path to SM Administration.● Noted that you can only use the Suppliers from Sourcing data

import task to import the SupplierOrganizationExport.zip file, not the individual CSV files it contains.

Defining engagement control mappings

● Added mapping to inherent risk score.● Added logical AND, OR, and grouping syntax for

ConditionAnswers and ConditionQuestions fields.

● Updated requirements for various fields, which can be interdependent, and added a description of how the system matches request answers to mappings.

Which supplier management projects are eligible for template upgrade?

Added bullet to list of upgrade eligibility conditions

How to run the Supplier Risk Summary Report

Consolidated the former How to run risk metrics reports and Viewing your company's SAP Ariba Supplier Risk activity with the risk metrics report topics in this renamed topic and updated navigation.

● Risk assessment status data import file format

● Workflow for setting up control-based engagement risk assessment projects

Added information about importing risk assessment status data and added this optional step to the workflow topic.

Prerequisites for setting up control-based engagement risk assessment projects

Added a prerequisite for the optional enhanced send assessments workflow feature.

Optional features for control-based engagement risk assessment projects

Added new topic.


Revision history


Limitations for control-based engagement risk assessment projects

Removed the limitations around sending assessments, which are still present in the default, simple workflow but which are no longer present in the optional enhanced workflow.

● Restrictions, requirements, and helpful hints for setting up the supplier risk engagement project template for control-based engagement risk assessments

● Restrictions, requirements,and helpful hints for setting up modular supplier management project templates

● Restrictions, requirements, and helpful hints for setting up the issue management project template

Added recommendation for maximum number of content items in questionnaires.

February 2019 Defining commodity risk classifi-cations

Added a tip about only using one method (either commodity risk classifications or scoring of the inherent risk assessment questionnaire in the engagement request) to generate an inherent risk rating for the engagement to avoid conflicting ratings.

How to edit a project template Added information about supplier management projects to table describing how creating and publishing a new template version can affect existing projects.

How to revert a project template Added topic.



● Defining modular supplier management questionnaire types


● Limitations for control-based engagement risk assessment projects

● About risk controls in SAP Ariba Supplier Risk

● The control-based engagement risk assessment process

● About modular supplier management questionnaire project templates

● About modular supplier management questionnaires in control-based engagement risk assessment projects

● How to set up a modular supplier management questionnaire

Added information about internal assessment questionnaires for control-based engagement risk assessment projects.

● Control-based engagement risk assessment projects versus legacy engagement risk assessment projects

● Prerequisites for setting up control-based engagement risk assessment projects

● About risk controls in SAP Ariba Supplier Risk

● The control-based engagement risk assessment process

● Site configuration parameters for risk assessment projects

Added information about the option to allow requesters to submit a request for a control-based engagement risk assessment with no supplier selected.


Revision history



● Limitations for control-based engagement risk assessment projects

● Setting up the inherent risk screening questionnaire in the engagement request

● Setting up inherent risk ratings for control-based engagement risk assessment projects

● Point-based scoring versus percentage-based scoring

● About scoring points● About pre-grading supplier

questionnaires● Structural considerations

for scoring supplier questionnaire content

● How to add scoring to the engagement request inherent risk screening questionnaire

Added information about scoring the engagement request inherent risk screening questionnaire.


Added topic.

November 2018 ● Defining risk classifications● Defining commodity risk

classifications● Defining risk probabilities● Defining risk severities● Defining residual risk map

pings● Risk control status data im

port file format● Workflow for setting up con

trol-based engagement risk assessment projects

Added new data import tasks.



● The issue management process for risk controls and control-based engagement risk assessment projects

● Setting up residual risk based on issue probability and severity in control-based engagement risk assessment projects

● Customizing the issue page

Added information about using issue probability and severity to rate the residual risk of an issue and its associated engagement risk assessment project.

October 2018 Throughout Updated 'risk score' terminology to 'risk exposure' throughout document.

SAP Ariba Supplier Risk users Updated to indicate the permissions various groups have in control-based engagement risk assessment projects and legacy engagement risk assessment projects.

Importing supplier risk-related data

● Added a section about importing site master data in Ariba Administrator with topics for master data related to control-based engagement risk assessment projects.

● Moved topics about importing supplier-related data in SM Administration to a separate section and added topics about defi-ning supplier qualifications for control-based engagement risk assessment projects.

Setting up supplier or third-party engagement risk assessments

● Added topics about setting up new control-based engagement risk assessment projects defined by the Supplier Risk Engagement Template.

● Added new topics about setting up modular supplier management questionnaire project templates for use in control-based risk assessments.

● Reorganized all topics related to project setup.● Updated all topics related to engagement risk assessment pro

jects defined by the Supplier Engagement Risk Assessment Project Template to indicate their legacy status.

September 2018 ● Best practices and helpful hints for the risk assessment project template

● Example: how to create a conditional approval flow based on the risk assessment project's region

Corrected supplier field mappings.


Revision history


July 2018 Supplier data import file format Noted that the smVendorId and s4OrgSystemId fields are included in data export and the sample file, but do not need to be present in data imports.

Supplier contact data import file format

Noted that the supplierName field is included in data export and the sample file, but does not need to be present in data imports.

How to add a question to a supplier form or questionnaire

Added the Tooltip option for engagement requests.

● The risk assessment process

● Workflow for setting up risk assessment projects

● Prerequisites for setting up risk assessment projects

● The engagement risk issue management process

● About the issue management project template

● Restrictions, requirements, and helpful hints for setting up the issue management project template

● Customizing the issue page● Tasks and phases in the de

fault issue management workflow

Added information about issue management projects and how to set them up.



● Adding scoring to engagement requests and risk assessments

● Point-based scoring versus percentage-based scoring

● Pre-grades for engagement requests and engagement-level risk assessments

● Weight and importance in percentage-based scoring

● Example: how weight, importance, and pre-grades work together in percentage-based risk questionnaire scoring

● How to add percentage-based scoring to engagement requests and engagement-level risk assessments

● How to add point-based scoring to engagement requests and engagement-level risk assessments

● How to recommend an engagement-level risk assessment based on the engagement request's inherent risk rating

● Site configuration parameters for risk assessment projects

Added information on the new point-based scoring option and clarified which information applies to percentage-based scoring only.

May 2018 ● Supplier risk scoring● How to inactivate risk inci

dents

Added new topic and note about inactivating risk incidents

March 2018 How to map suppliers and ERP commodity codes for forced labor

Added new topic


Revision history


March 2018 ● The risk assessment process

● Adding scoring to engagement requests and risk assessments

● Weight and importance● Pre-grades● Example: How weight, im

portance, and pre-grades work together in risk questionnaire scoring

● How to add scoring to engagement requests and engagement-level risk assessments

● How to recommend an engagement-level risk assessment based on an answer in the engagement request

● How to recommend an engagement-level risk assessment based on the engagement request's risk rating

Site configuration parameters for risk assessment projects

Added Application.SR.Engagement.RiskScoreRanges.


Important Disclaimers and Legal Information

HyperlinksSome links are classified by an icon and/or a mouseover text. These links provide additional information.About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any

damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Beta and Other Experimental FeaturesExperimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up.The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example CodeAny software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related LanguageWe try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

Videos Hosted on External PlatformsSome videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within the control or responsibility of SAP.


Important Disclaimers and Legal Information

Setting up SAP Ariba Supplier RiskImportant Disclaimers and Legal Information C O N F I D E N T I A L 291

www.ariba.com

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see https://www.sap.com/about/legal/trademark.html for additional trademark information and notices.

THE BEST RUN

http://www.ariba.com

https://www.sap.com/about/legal/trademark.html

Setting up SAP Ariba Supplier Risk

Documents

Transcript of Setting up SAP Ariba Supplier Risk