Supplier risk data import - SAP Help Portal

PUBLIC2021-11

Supplier risk data importSAP Ariba Supplier Risk

© 2

021 S

AP S

E or

an

SAP affi

liate

com

pany

. All r

ight

s re

serv

ed.

THE BEST RUN

Content

Supplier risk data import. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Adding supplier data in solutions that include SAP Ariba Supplier Risk but do not include SAP Ariba Supplier Lifecycle and Performance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Adding SAP Ariba Supplier Risk to SAP Ariba Sourcing, SAP Ariba Contracts, or SAP Ariba Supplier Information and Performance Management (classic architecture) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Adding SAP Ariba Supplier Risk to SAP Ariba Procurement solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Adding SAP Ariba Procurement solutions to standalone SAP Ariba Supplier Risk . . . . . . . . . . . . . . . . . . 10

Topics about importing risk-related site master data in Ariba Administrator. . . . . . . . . . . . . . . . . . 11About importing site master data for supplier risk projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Best practices for creating and updating risk control definitions and engagement control mappings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12About site master data for control-based engagement risk assessments. . . . . . . . . . . . . . . . . . . . . . . . 14Defining engagement attribute mappings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Defining engagement control mappings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Defining risk controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Defining risk types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Defining risk classifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Defining commodity risk classifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Defining risk probabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Defining risk severities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Defining residual risk mappings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Defining modular questionnaire types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39Language values for defining translations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Topics about importing supplier-related data in SM Administration. . . . . . . . . . . . . . . . . . . . . . . . 43About importing supplier-related data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43How to import supplier data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Importing suppliers from sourcing (manual supplier migration). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

How to manually migrate supplier organization data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Options for migrating ERP vendor IDs to the unified vendor model. . . . . . . . . . . . . . . . . . . . . . . . . . 51Supplier organization-to-unified-vendor field mappings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53

How imported supplier data affects risk corporate enrichment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55Supplier data file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Supplier contact data file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Defining supplier qualifications for control-based engagement risk assessment projects. . . . . . . . . . . . . 64

Supplier qualification data file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

2 PUBLICSupplier risk data import

Content

Preferred supplier data file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69User matrix (buyer category assignment) data file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73Supplier risk data import file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77Importing status data for assessments and risk controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Risk control status data import file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Risk assessment status data import file format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Supplier risk data importContent PUBLIC 3

Supplier risk data import

This guide is for SAP Ariba administrators to define and import supplier risk data, including master data required for control-based engagement risk assessment projects.

Buyers monitor the potential risk exposure of their current suppliers and assess the potential risk of new suppliers before engaging with them for goods and services.

This guide applies to:

● SAP Ariba Supplier Risk

Related guides

Setting up SAP Ariba Supplier Risk

Monitoring supplier risk

Common data import and administration guide for SAP Ariba Strategic Sourcing and Supplier Management solutions


Supplier risk data import

https://help.sap.com/viewer/9f1416275035435eb8563fe6d3bf2640/cloud/en-US/e15b83ac8ced4c169bc23791811a9aa6.html

https://help.sap.com/viewer/948547c2cb5f4b0183ab94c7bd62be5f/cloud/en-US/a292c395de924a5db89afc68a6561ebd.html

https://help.sap.com/viewer/b6d46a2e6c3043d7bb0cbabba4262560/cloud/en-US/0edd1d1418214bcb9cd3579388c4ddf4.html

https://help.sap.com/viewer/b6d46a2e6c3043d7bb0cbabba4262560/cloud/en-US/0edd1d1418214bcb9cd3579388c4ddf4.html

Adding supplier data in solutions that include SAP Ariba Supplier Risk but do not include SAP Ariba Supplier Lifecycle and Performance

Your overall SAP Ariba solution package and the order of solution deployment determine the steps you use to add supplier data. These steps are designed to maintain a single, linked record for each supplier across all of the solutions in your SAP Ariba landscape.

If you are adding SAP Ariba Supplier Risk to an existing solution package that includes any SAP Ariba Procurement solutions, SAP Ariba Sourcing, SAP Ariba Contracts, or SAP Ariba Supplier Information and Performance Management (classic architecture), but does not include SAP Ariba Supplier Lifecycle and Performance or SAP Ariba Supplier Information and Performance Management (new architecture), you must migrate your existing supplier data to SAP Ariba Supplier Risk. SAP Ariba Supplier Risk uses the unified vendor model, and it synchronizes supplier data with your other SAP Ariba solutions in specific ways. In this case, adding supplier data to SAP Ariba Supplier Risk involves the following general steps:

1. Manually migrating [page 49] supplier data to the unified vendor model. Do not add new suppliers using the Suppliers data import task in SM Administration. If the suppliers already exist in your SAP Ariba landscape, adding them separately to the unified vendor model through a separate data import in SM Administration causes data problems.

2. Enabling vendor and vendor contact push schedule tasks after migration so that as you add and update suppliers in the SAP Ariba solution that serves as the source of truth for your SAP Ariba supplier data, those changes are automatically pushed to the the unified vendor model and available in SAP Ariba Supplier Risk as well. These scheduled tasks are designed to push incremental changes to supplier data to the supplier database in the unified vendor model. They do not add large numbers of suppliers to the unified vendor model at one time and cannot serve as a substitute for the migration step. They are not designed for bulk pushes and should not be enabled until the initial migration is complete. These scheduled tasks are enabled by the site configuration parameters Application.SM.VendorPushTaskEnabled and Application.SM.VendorContactPushTaskEnabled, which SAP Ariba sets for you.

The specific steps you take depend on your specific scenario:

● Adding SAP Ariba Supplier Risk to SAP Ariba Sourcing, SAP Ariba Contracts, or SAP Ariba Supplier Information and Performance Management (classic architecture) [page 6]

● Adding SAP Ariba Supplier Risk to SAP Ariba Procurement solutions [page 7]

If you are adding one or more SAP Ariba Procurement solutions to an existing, standalone SAP Ariba Supplier Risk solution, see Adding SAP Ariba Procurement solutions to standalone SAP Ariba Supplier Risk [page 10].

NoteSAP Ariba Procurement solutions and SAP Ariba Strategic Sourcing solutions can share supplier data, but they do not share supplier user data. You must always maintain supplier users separately for SAP Ariba Strategic Sourcing solutions, including SAP Ariba Supplier Risk.

Supplier risk data importAdding supplier data in solutions that include SAP Ariba Supplier Risk but do not include SAP Ariba Supplier Lifecycle and Performance PUBLIC 5

Adding SAP Ariba Supplier Risk to SAP Ariba Sourcing, SAP Ariba Contracts, or SAP Ariba Supplier Information and Performance Management (classic architecture) If your site includes only SAP Ariba Sourcing, SAP Ariba Contracts, or SAP Ariba Supplier Information and Performance Management (classic architecture), you maintain supplier organizations in those solutions and migrate or push supplier data to SAP Ariba Supplier Risk.

The following diagram illustrates the flow of supplier data in this scenario:

In this scenario, you add and maintain supplier organization and supplier user data in SAP Ariba Sourcing, SAP Ariba Contracts, or SAP Ariba Supplier Information and Performance Management (classic architecture) using the supplier organization and supplier user data import and export tasks in Ariba Administrator, the SAP Ariba integration toolkit, SOAP web service integration, or the SAP Ariba Cloud Integration Gateway. Sourcing events, contracts, and supplier workspace and supplier performance management projects all use this supplier organization and supplier user data.

To add suppliers to SAP Ariba Supplier Risk:

1. For the initial load of suppliers into SAP Ariba Supplier Risk, use manual migration [page 49]. Make sure that you correctly migrate the desired ERP vendor IDs to the unified vendor model used by SAP Ariba Supplier Risk, especially if you might add or upgrade to SAP Ariba Supplier Lifecycle and Performance at any point.

2. Request that SAP Ariba enable the vendor and vendor contact push tasks. After the initial migration, as you add to and update that data, the vendor push tasks push those changes to the unified vendor model that SAP Ariba Supplier Risk uses.

You can import some additional supplier-related data into the unified vendor model, such as preferred and qualified statuses.

NoteIf you add or upgrade to SAP Ariba Supplier Lifecycle and Performance, it becomes the source of truth for supplier data in your site instead of supplier organizations, which become read-only. In this case, if your site

6 PUBLIC

Supplier risk data importAdding supplier data in solutions that include SAP Ariba Supplier Risk but do not

include SAP Ariba Supplier Lifecycle and Performance

integrates with SAP ERP, SAP S/4HANA (on-premise), or SAP S/4HANA Cloud using SAP Ariba Cloud Integration Gateway, SAP Ariba recommends disabling the vendor and vendor contact push tasks to prevent unnecessary integration messages to the ERP system.

Adding SAP Ariba Supplier Risk to SAP Ariba Procurement solutions If your site includes SAP Ariba Buying, SAP Ariba Buying and Invoicing, or SAP Ariba Catalog, you maintain common suppliers in those solutions. The method you use to add those suppliers to SAP Ariba Supplier Risk depends on whether or not your site is suite integrated.

Suite integration connects the two parts of the SAP Ariba suite, SAP Ariba Procurement solutions (procurement) and SAP Ariba Strategic Sourcing solutions (sourcing, contracts, and supplier management), so that they can share common master data such as users, commodity codes, and suppliers. If your site is not suite integrated, you must maintain common master data separately in each part. SAP Ariba recommends suite integration, and some functionality, such as the guided buying capability, requires it.

The part of the application suite that includes sourcing, contracts, and supplier management also includes analytical reporting and project functionality. Even if your solution does not include SAP Ariba Sourcing, SAP Ariba Contracts, or SAP Ariba Supplier Information and Performance Management (classic architecture), your SAP Ariba Procurement solutions include an invisible sourcing site for analytical reporting and, if you use it, guided buying. That invisible sourcing site also uses common master data, including suppliers. When you add SAP Ariba Supplier Risk to SAP Ariba Procurement solutions, supplier data flows through that invisible site.


Suite integrated (recommended)

The following diagram illustrates the flow of supplier data in a suite-integrated solution that includes SAP Ariba Procurement solutions and SAP Ariba Supplier Risk:

In this scenario, you add and maintain common suppliers, partitioned suppliers, supplier locations, and remittance locations in SAP Ariba Procurement solutions using the data import and export tasks in Ariba Administrator, the SAP Ariba integration toolkit, or the SAP Ariba Cloud Integration Gateway. Requisitions, purchase orders, service sheets, invoices, catalogs, and contracts all use this data.

Common data synchronization automatically synchronizes common supplier data to supplier organizations in the invisible sourcing site, where they are available in analytical reports and guided buying sourcing requests.

To add these suppliers to SAP Ariba Supplier Risk:

1. For the initial load of suppliers into SAP Ariba Supplier Risk, use manual migration [page 49] to migrate supplier organization data from the SAP Ariba Strategic Sourcing solutions site. Make sure that you are correctly migrating the desired ERP vendor IDs to the unified vendor model used by SAP Ariba Supplier Risk, especially if you might add or upgrade to SAP Ariba Supplier Lifecycle and Performance at any point.

2. Request that SAP Ariba enable the vendor and vendor contact push tasks.

In this scenario, you always maintain supplier data in your SAP Ariba Procurement solutions site. After the initial migration, as you add to and update this common and partitioned supplier data, common data synchronization continuously synchronizes it with supplier organizations in the integrated sourcing site. The vendor push tasks then push those changes to the unified vendor model that SAP Ariba Supplier Risk uses.

You can import some additional supplier-related data into the unified vendor model, such as preferred and qualified statuses. If your solution includes the guided buying capability, it uses those statuses.

8 PUBLIC



Not suite integrated (not recommended)

The following diagram illustrates the flow of supplier data in a solution that includes SAP Ariba Procurement solutions and SAP Ariba Supplier Risk and is not suite integrated:

In this scenario, you add and maintain common suppliers, partitioned suppliers, supplier locations, and remittance locations in SAP Ariba Procurement solutions using the data import and export tasks in Ariba Administrator, the SAP Ariba integration toolkit, or the SAP Ariba Cloud Integration Gateway. Requisitions, purchase orders, service sheets, invoices, catalogs, and contracts all use this data.

Since the sites are not suite integrated, there is no common data synchronization between common suppliers and supplier organizations. You must separately add and maintain supplier organization and supplier user data in the invisible sourcing site using the data import and export tasks in Ariba Administrator, the SAP Ariba integration toolkit, SOAP web service integration, or the SAP Ariba Cloud Integration Gateway.

.

To add these suppliers to SAP Ariba Supplier Risk, you use the same steps as in the suite-integrated environment:

1. For the initial load of suppliers into SAP Ariba Supplier Risk, use manual migration [page 49] to migrate supplier organization data from the SAP Ariba Strategic Sourcing solutions site. Make sure that you are correctly migrating the desired ERP vendor IDs to the unified vendor model used by SAP Ariba Supplier Risk, especially if you might add or upgrade to SAP Ariba Supplier Lifecycle and Performance at any point.

2. Request that SAP Ariba enable the vendor and vendor contact push tasks.

In this scenario, you always maintain common supplier data in your SAP Ariba Procurement solutions site for procurement activity and separately maintain corresponding supplier organizations in the invisible sourcing site for reporting and risk activity. After the initial migration, as you add to and update supplier organization data, the vendor push tasks pushes those changes to the unified vendor model that SAP Ariba Supplier Risk uses.

You can import some additional supplier-related data into the unified vendor model database, such as preferred and qualified statuses.


Adding SAP Ariba Procurement solutions to standalone SAP Ariba Supplier Risk If you are adding SAP Ariba Procurement solutions to a standalone SAP Ariba Supplier Risk solution, you must make sure that your partitioned supplier data is linked to existing supplier organization data used by SAP Ariba Supplier Risk.

In this scenario, your SAP Ariba Supplier Risk solution already includes an underlying, invisible sourcing site for master data management, analytical reporting, and, if you use them, engagement risk assessment projects in SAP Ariba Supplier Risk. With the standalone SAP Ariba Supplier Risk solution, you managed suppliers in the unified vendor model database using the Suppliers data import task in SM Administration, and those suppliers were automatically synchronized to supplier organizations in the SAP Ariba Strategic Sourcing solutions site for use in engagement risk assessment projects.

NoteWhen adding SAP Ariba Procurement solutions to an existing, standalone SAP Ariba Supplier Risk solution, SAP Ariba strongly recommends suite integration. If the SAP Ariba Procurement solutions include the guided buying capability, suite integration is required.

Assuming suite integration, to add suppliers to SAP Ariba Procurement solutions:

1. Common data synchronization creates corresponding, linked common suppliers in the new SAP Ariba Procurement solutions site for the existing supplier organizations used by SAP Ariba Supplier Risk.

2. Import partitioned suppliers with IDs that link them to those existing common suppliers.3. Request that SAP Ariba enable the vendor and vendor contact push tasks.

In this scenario, once SAP Ariba Procurement solutions are deployed, you always maintain supplier data there as common suppliers, partitioned suppliers, and supplier locations. After the initial load, as you add to and update common supplier data, common data synchronization continuously synchronizes it with supplier organizations in the integrated, invisible sourcing site. The vendor push tasks then push those changes to the unified vendor model database that SAP Ariba Supplier Risk uses.

You can import some additional supplier-related data into the unified vendor model database, such as preferred and qualified statuses. If your solution includes the guided buying capability, it uses those statuses. SAP Ariba Supplier Risk also uses those statuses for features such as risk exposure calculations and supplier section in engagement requests.

10 PUBLIC



Topics about importing risk-related site master data in Ariba Administrator

About importing site master data for supplier risk projects [page 11]

Best practices for creating and updating risk control definitions and engagement control mappings [page 12]

About site master data for control-based engagement risk assessments [page 14]

Defining engagement attribute mappings [page 16]

Defining engagement control mappings [page 21]

Defining risk controls [page 27]

Defining risk types [page 30]

Defining risk classifications [page 31]

Defining commodity risk classifications [page 33]

Defining risk probabilities [page 34]

Defining risk severities [page 36]

Defining residual risk mappings [page 37]

Defining modular questionnaire types [page 39]

Language values for defining translations [page 42]

About importing site master data for supplier risk projects

Site master data for supplier risk projects can define types, levels, mappings between project values, and project elements such as risk controls. You import site master data for supplier risk projects using the Ariba Administrator

Site Manager Data Import/Export task.

Supplier risk projects can use the following types of site master data:

This master data... Is used for defining...

Engagement attribute mappings [page 16] Mappings between engagement commodities, regions, and departments and questions in the engagement request inherent risk screening questionnaire in control-based engagement risk assessment projects.

Engagement control mappings [page 21] Mappings between answers to questions in the engagement request inherent screening questionnaire and risk controls in control-based engagement risk assessment projects.

Supplier risk data importTopics about importing risk-related site master data in Ariba Administrator PUBLIC 11

This master data... Is used for defining...

Risk controls [page 27] The risk controls used in control-based engagement risk assessment projects, including their required assessment questionnaires and the control decision maker.

Risk types [page 30] Types or categories of risk in control-based engagement risk assessment projects.

Modular supplier management questionnaire types [page 39] Types for the modular supplier management questionnaires in your site.

These are the types of site master data that are specific to supplier risk projects. The Common Data Import and Administration Guide describes all other site master data, as well as site administration, in detail.

NoteThe information on importing supplier data in the Ariba Common Data Import and Administration Guide, and the data import tasks in Ariba Administrator for importing and exporting supplier organizations and profiles, apply only to sites that do not use the unified vendor model. Sites that include SAP Ariba Supplier Risk use the unified vendor model. In sites that use the unified vendor model, there is a separate process for importing supplier-related data [page 43].

Related Information

About site master data for control-based engagement risk assessments [page 14]Topics about importing supplier-related data in SM Administration [page 43]

Best practices for creating and updating risk control definitions and engagement control mappingsWhen defining risk controls and creating engagement control mappings, the import file should have one row per unique definition or mapping. The best method for making changes depends on which attributes you need to change.

Here we discuss some best practices for creating and changing risk control definitions and engagement control mappings, and the impact on engagements that already exist.

When importing, you select a type of import operation, indicating what you want to do with each row of information in the file specified for the import.

Import operation Result

Load If the object doesn’t already exist: creates it.

If the object does exist: modifies it as described by that row of the import file.



Import operation Result

Create Creates new objects only.

If a row represents an object that already exists, it is not modified.

Update Only Modifies existing objects only.

If a row represents an object that does not already exist, it is not created.

Deactivate Deactivates objects. All the objects listed are deactivated.

NoteMaster data can’t be removed, only deactivated.

One possible method of changing imported data is to export the existing data, make your desired changes to the exported file, and then re-import using Load or Update Only. The detailed sections for Risk control definition [page 13] and Engagement control mappings [page 14] list for which attributes this “export/edit/upload” method is acceptable, and for which it is not recommended.

When export/edit/upload is not recommended, we suggest the “deactivate/create” method:

1. Create a file with rows describing the records you wish to stop using. Import it using the import operation = Deactivate.

2. Create a file with rows describing the records with which you wish to replace the deactivated records. Import it using the import operation = Load or Create.

When you import changes (additions, updates, deactivations) to your risk control definitions or engagement control mappings, there is no immediate impact on existing engagements that are past the point of selecting controls. The changed definitions become relevant the next time there is a check for required controls. For example, after the import a user might create and submit a periodic review. If a change to the engagement control mapping causes the engagement to have a newly required control, that is treated as a significant change to the engagement.

Risk control definition

For both creating and updating, each unique ControlID should be defined by exactly one row in the import file. If the control requires multiple assessments, for example:

● Do not create two rows for the same ControlID, each specifying one of the assessments.● Instead, create one row for the ControlID and in the AssessmentIDs column, include a semicolon-separated

list of all assessments required for the control.

The export/edit/upload method of change is acceptable for the following columns: ContractClauseImpact, ControlDescription, ControlName, ControlOwner, ControlOwnerType, DecisionMaker, DecisionMakerType, RegulatorMandated, RiskType.

It is not recommended for: AssessmentIDs, ControlID, ControlType.


Engagement control mappings

A unique engagement control mapping is defined by a unique combination of CommodityCodes, ConditionAnswers, ConditionQuestions, Departments, InherentRiskScore, and Regions. For both creating and updating, each unique mapping should be defined by exactly one row in the import file.

ExampleThe table below shows a set of mapping values that requires more than one control ID.

Set of mapping values Control ID's required

CommodityCodes = IT services

Departments = IT

Regions = All

ConditionQuestions = Will the supplier have access to the corporate computer network?

ConditionAnswers = Yes

ITSecurityPolicy

SecurityIncidentAudit

● Do not create two rows for the same set of mapping values, each specifying one ControlID.● Instead, create one row with a semicolon-separated list of all Control ID’s that are required for this set of

mapping values.

The export/edit/upload method of change is acceptable for all columns except UniqueName.

About site master data for control-based engagement risk assessmentsYou import a set of site master data to define risk controls, the circumstances that trigger them, and their required risk assessments in the control-based engagement risk assessment process. A combination of several different data imports establishes these relationships.

Control-based engagement risk assessments use the following master data:



Master data Description

Engagement attribute mappings [page 16] Maps commodities, regions, and departments to specific questions in the engagement request inherent risk screening questionnaire. When a requester creates an engagement request and specifies a specific combination of commodities, regions, and departments in the first step (the filter questionnaire), the questions mapped to that combination automatically show in the second step (the inherent risk screening questionnaire). The mapped questions are all designed to trigger risk control requirements for the engagement.

Engagement control mappings [page 21] Maps the conditional trigger questions in the engagement request screening questionnaire to risk controls. When the requester specifies the mapped answer to one of those questions, the mapped risk control is automatically required for the engagement.

Risk control definitions [page 27] Defines the risk controls to use in control-based engagement risk assessments. The definition specifies the control name, owner, decision maker, type, and the assessment questionnaires required for the control.Risk type definitions

Defining risk types [page 30] Risk typeControl-based engagement risk assessments do not currently use risk types directly, but SAP Ariba recommends that you define risk types before you import risk control defini-tions.

Risk classifications [page 31] Defines the classifications or ratings used for various types of risk associated with control-based engagement risk assessment projects, including inherent and residual risk.

Commodity risk classifications [page 33] Maps risk classifications or ratings to specific commodity codes for commodity-based inherent risk.

Risk probabilities [page 34] Defines the levels of probability that users creating issue management projects can assign to those issues.

Risk severities [page 36] Defines the levels of severity that users creating issue management projects can assign to those issues.

Residual risk mappings [page 37] Maps each combination of issue severity and probability to a risk classification. This classification shows as the residual risk for the issue and its associated control-based engagement risk assessment project.

The following diagram describes how engagement attribute mapping, control mapping, and risk control definition data all combine to determine required controls and assessment questionnaires in control-based engagement risk assessment projects.


Related Information

Understanding the components of the control-based risk assessment processSetting up the business details questionnaire in the engagement requestSetting up the inherent risk screening questionnaire in the engagement request

Defining engagement attribute mappingsEngagement attribute mappings specify which commodities, regions, and departments in the engagement request filter questionnaire trigger the presence of conditional questions in the engagement request business details questionnaire and inherent risk screening questionnaire.

For example, you have a conditional question What is the estimated spend for this engagement? on the business details questionnaire and a conditional answer >=1000 added for the commodity, region, and department combination in the engagement attribute mappings. The requester selects the commodity, region, and department that triggers the conditional question for the commodity, region, and department combination in the engagement attribute mappings. If the requester's response is:

● Less than $1000, the inherent risk screening questions aren't triggered and there's no control for the engagement project if no other inherent risk screening questions are triggered and answered in a way that adds a control.

● Equal to or more than $1000, there isn't a control automatically but there's an inherent risk screening question. Depending on the answer to the question, there could be a control if they're configured.

If your company uses control-based engagement risk assessment projects, you must provide engagement control mappings.



https://help.sap.com/viewer/9f1416275035435eb8563fe6d3bf2640/cloud/en-US/14c76765eda04e1aa9a0cb6034cff71b.html

https://help.sap.com/viewer/9f1416275035435eb8563fe6d3bf2640/cloud/en-US/295196f92aaa4e3e843d59a5eeb9d2fe.html

https://help.sap.com/viewer/9f1416275035435eb8563fe6d3bf2640/cloud/en-US/bbc940627cd84c429a5399c65a95e515.html

You use the Import Engagement Attribute Mappings data import task to define attribute mappings. The task reads from the EngagementAttributeMapping.csv file, which includes the following fields:

Field Description Required?

CommodityCodes Specifies the commodities in the engagement request that trigger the filter question. Enter one or more commodity codes, separated by semicolons, in this field. The commodity codes you specify must be the codes used in your site's commodity master data.

Yes



ConditionAnswers Specifies the answers to conditional questions in the business details questionnaire that trigger the mapped attributes.

The conditional answers and questions allow you to override certain questions on the inherent risk screening questionnaire.

The conditional answers and questions can be used to override the category, region, and department mapping.

The answers you specify must be in the correct format for the question.

Condtional answers have a 1,024 character limit.

You can use integer, decimal, Boolean, multiple choice, and currency answer types.

Don't enter currency symbols in the conditional answer.

You can use the following syntactical elements in this field:

● Less than (<)● Less than or equal to (<=)● Greater than (>)● Greater than or equal to (>=)● A single ampersand (&)● A single bar (|)

Don't use the following syntactical elements in the actual answers to the questions as user selected or entered information even though they appear in the master data:

● Two ampersands (&&)● Two pipe characters (||)● Curly braces either single or both

({})● Tilde (~)

For example, { Yes && No } || { >50000 || <100000 } specifies

No




answers of Yes and No OR more than 50,000 OR less than 100,000.

ConditionQuestions Specifies the conditional questions in the business details questionnaire and the answers trigger the control.

The conditional answers and questions allow you to override certain questions on the inherent risk screening questionnaire.

The conditional answers and questions can be used to override the category, region, and department mapping.

Conditional questions have a 512 character limit.

You can use integer, decimal, Boolean, multiple choice, and currency question types.

You can use the following syntactical elements in this field:

● Less than (<)● Less than or equal to (<=)● Greater than (>)● Greater than or equal to (>=)● A single ampersand (&)● A single bar (|)

Don't use the following syntactical elements as user selected or entered information even though they appear in the master data:


({})● Tilde (~)

For example, { Question1 && Question2 } || {Question1 || Question2 } specifies question 1 and question 2 OR either question 1 OR question 2.

No



Departments Specifies the departments in the engagement request that trigger the filter question. Enter one or more department codes, separated by semicolons, in this field. The department codes you specify must be the codes used in your site's department master data.

Yes, if you want to trigger the mapped controls for engagement requests where the requester specifies commodities, regions, and departments in the business details questionnaire

If you leave this field blank, only engagement requests where the requester doesn't specify a commodity, region, and department in the business details questionnaire trigger the mapped controls.

Description A description of the attribute mapping. No

QuestionIds Specifies the IDs of the conditional questions in the engagement filter questionnaire that trigger a control requirement. The values you supply for each ID must be the value specified in its field mapping in the engagement request inherent risk screening questionnaire. Enter one or more question IDs, separated by semicolons, in this field.

Yes

Regions Specifies the regions in the engagement request that trigger the control. Enter one or more region codes, separated by semicolons, in this field. The region codes you specify must be the codes used in your site's region master data.

Yes

UniqueName Specifies a unique ID for the attribute mapping.

Yes

TipWhen a requester selects a commodity, region, or department in the engagement request filters questionnaire, SAP Ariba Supplier Risk matches to the mapped commodity, region, or department or, if there's no exact match, its parent node in the hierarchy. It doesn't match to any child nodes. For example, if you map Europe to a question, and the requester specifies France, there's a match for the region attribute. However, if the requester specifies Paris, there's no match. Therefore, in your engagement attribute mappings, it's useful to specify values at the lowest level of the commodity, region, or department hierarchy that is relevant to the question.

TipWhen the feature to automatically identify engagements that only require basic approval workflows (ARI-7636) is enabled, you can enable the Require only basic approval for engagement projects with no controls (Application.SR.Engagement.RequireOnlyBasicDueDiligenceWhenNoControls) parameter. The



ConditionAnswers and ConditionQuestions can be used to override the commodity, region, department mapping so they don't trigger the inherent risk screening questions mapped for this commodity, region, department combination. If all of the conditions are met, and no screening questions are triggered, the engagement request generally doesn't have controls associated with it, which qualifies it for the basic approval workflow. Engagement requests that use the basic approval workflow are completed after the request approval task for the engagement request is approved.

The following example shows a line of the EngagementAttributeMapping.csv file, as well as the mandatory header:

UTF-8 CommodityCodes,ConditionAnswers,ConditionQuestions,Departments,Description,QuestionIds,Regions,UniqueName93151608;80121602,>=15,EPAT02,INVESTMENTMGMT,,Applicable Regulations;Data Access,USA,DataRegulation

Defining engagement control mappingsEngagement control mappings specify how answers to the questions in the business details and inherent risk screening questionnaires in the engagement request trigger different risk control requirements for an engagement.

You can trigger risk control requirements based on the engagement commodities, regions, and departments and answers to conditional questions in the inherent risk screening questionnaire. For example, you might have a risk control called IT Security Policy. You can map that control to the IT services commodity category and your IT department for all regions and to a Yes answer to the conditional question Will the supplier have access to the corporate computer network?. When a requester specifies IT services for the IT department in the engagement request filters questionnaire, the engagement request inherent risk questionnaire displays this question. An answer of Yes then triggers the IT Security Policy control. You can also trigger risk control requirements based on the engagement inherent risk score, either alone or in combination with the engagement commodities, regions, and departments and answers to conditional questions in the inherent risk screening questionnaire.

If your company uses control-based engagement risk assessment projects, you must provide engagement control mappings.

You use the Import Engagement Control Mappings data import task to define control mappings types. The task reads from the EngagementControlMapping.csv file, which includes the following fields:



CommodityCodes Specifies the commodities in the engagement request that trigger the control. Enter one or more commodity codes, separated by semicolons, in this field. The commodity codes you specify must be the codes used in your site's commodity master data.

Yes, to trigger the mapped controls for engagement requests where the requester specifies commodities, regions, and departments in the business details questionnaire.

If you leave this field blank, only engagement requests where the requester does not specify a commodity, region, and department in the business details questionnaire trigger the mapped controls.

ConditionAnswers Specifies the answers that trigger the mapped control in conditional questions in the engagement filters questionnaire. The answers you specify must be in the correct format for the question.

Don't use the following syntactical elements in the actual answers to the questions as user selected or entered information even though they appear in the master data:


({})● Tilde (~)

For example, Yes && { No || $500,000 - $700,000 } specifies answers of Yes AND either No OR $500,000 - $700,000.

Yes, unless the mapping includes a value for InherentRiskScore, in which case ConditionAnswers and ConditionQuestions are optional.




ConditionQuestions Specifies the IDs of the conditional questions in the inherent risk questionnaire whose answers triggers the control.

The values you specify must be the IDs you define for the questions in supplier field mappings in the inherent risk screening questionnaire survey document.

Don't use the following syntactical elements in the supplier field mapping values as user selected or entered information even though they appear in the master data:


({})● Tilde (~)

For example, Question1 && { Question2 || Question3 } specifies Question 1 AND either Question 2 OR Question 3. The combined examples for ConditionAnswers and ConditionQuestions trigger a requirement for the mapped control or controls when the answer to Question 1 is Yes AND either the answer to Question 2 is No OR the answer to Question 3 is $500,000 - $700,000.

Yes, unless the mapping includes a value for InherentRiskScore, in which case ConditionAnswers and ConditionQuestions are optional.

ControlIds The unique identifiers of the controls to trigger with the specified answers to the conditional questions. Enter one or more control IDs, separated by semicolons, in this field. The values you supply must be the IDs of control defined in the ControlId field of your site's control definition master data [page 27].

Yes



Departments Specifies the departments in the engagement request that trigger the control. Enter one or more department codes, separated by semicolons, in this field. The department codes you specify must be the codes used in your site's department master data.



Description A description of the control mapping. No

InherentRiskScore Specifies a range of numerical inherent risk scores in the format {lowerLimit:upperLimit}; for example, a value of {50:80} maps the control to inherent risk scores from 50 to 80.

The range is inclusive, meaning that scores that match the lower limit and the upper limit, as well as all scores in between, all trigger the control. If there are overlaps in the ranges in different mappings, scores that match the overlapping value trigger all mapped controls. For example, if you map one control to {50:60} and another control to {60:70}, a score of 60 triggers both controls.

You can use a wildcard (*) to define a range with either no lower limit or no upper limit. For example, if you map a control to {80:*}, scores of 80 or above trigger the control, with no defined upper limit.

NoteYou can only use InherentRiskScore if you have set up scoring in the engagement request inherent risk screening questionnaire.

No, unless the mapping does not include values for ConditionAnswers and ConditionQuestions, in which case InherentRiskScore is required.




Regions Specifies the regions in the engagement request that trigger the control. Enter one or more region codes, separated by semicolons, in this field. The region codes you specify must be the codes used in your site's region master data.



UniqueName Specifies a unique ID for the control mapping.

Yes

The requirements for values in the CommodityCodes, Departments, Regions, ConditionAnswers, ConditionQuestions, and InherentRiskScore fields are interdependent. You can trigger control requirements based on any of the following mapping combinations:

Mapping Combination Required fields

Inherent risk score only

NoteThis mapping only triggers controls if the requester does not select commodities, regions, and departments in the engagement request business details questionnaire

InherentRiskScore

Engagement commodities, regions, and departments and the inherent risk score

● CommodityCodes● Departments● Regions● InherentRiskScore

Engagement commodities, regions, and departments and answers to conditional questions in the inherent risk screening questionnaire

● CommodityCodes● Departments● Regions● ConditionalAnswers● ConditionalQuestions

Engagement commodities, regions, and departments; answers to conditional questions in the inherent risk screening questionnaire; and inherent risk score

● CommodityCodes● Departments● Regions● ConditionalAnswers● ConditionalQuestions● InherentRiskScore


The system triggers mapped controls as follows:

● If the requester selects values for commodity, region, and department in the engagement request business details questionnaire, the system identifies the mappings that match the selected values. The system then evaluates each of those mappings to see if the engagement request matches the conditional question answer or inherent risk score range value (or both) specified in the mapping, and triggers those controls that are mapped to all matching values.

● If the requester does not select values for commodity, region, and department in the engagement request business details questionnaire, the system identifies mappings that include inherent risk score range values but no conditional question and answer values and triggers those controls that match the engagement request inherent risk score.

TipWhen a requester selects a commodity, region, or department in the engagement request filters questionnaire, SAP Ariba Supplier Risk matches to the mapped commodity, region or department or, if there is no exact match, its parent node in the hierarchy. It does not match to any child nodes. For example, if you map Europe to a control, and the requester specifies France, there is a match for the region attribute. However, if the requester specifies Paris, there is no match. Therefore, in your engagement control mappings, it is useful to specify values at the lowest level of the commodity, region, or department hierarchy that is relevant to the question.

Note that you can associate commodities, regions, and departments with controls two different ways: in the engagement attribute mappings [page 16] that define which commodities, regions, and departments mandate the inclusion of control trigger questions in the inherent risk screening questionnaire, and in this file, where you define which controls are required not only by the answers to those questions, but again for the specific commodities, regions, and departments that the requester specifies in the engagement request filters questionnaire. You can associate the same commodity, region, and department combinations with the same controls in both mappings. Because of the way SAP Ariba Supplier Risk matches to the mapped value or its parent, but not its child, you can also use engagement control mapping data to specify different controls for the same answer to the same question depending on more detailed commodity, region, or department. For example, in the engagement attribute mappings, you can map software in all regions for the IT department to a question such as Is the software involved in this engagement maintained behind the corporate firewall or in the cloud?. That question therefore shows in the inherent risk screening questionnaire if the requester specifies any software commodity category, any region, and the IT department. But in the engagement control mappings, you can create multiple mappings for the cloud answer to that question, each for different to software categories such as database or HR software in specific regions, each to different controls. For example, you can map specific types cloud software for the IT departments in different regions to different relevant security or data policy controls.

The following example shows a line of the EngagementControlMapping.csv file, as well as the mandatory header:

UTF-8 CommodityCodes,ConditionAnswers,ConditionQuestions,ControlIds,Departments,Description,InherentRiskScore,Regions,UniqueName43232305;43232306;43232307,Yes,Q_ID_1,Critical_data_element,CLAIM,,,USA,Group data protection policy 432323,Yes,Q_ID_1,Critical_data_element,,,{*:50},,Group data protection policy



Defining risk controlsRisk controls specify the methods that your company uses to evaluate risk when considering an engagement with a supplier or third party. Each risk control has an owner, a decision maker, at least one required assessment questionnaire, and a type that determines how often it is reviewed.

For example, if an engagement involves supplier access to sensitive data, you can define a control called Critical Data, specify a custom user group called Critical Data Team as its decision maker, specify the Data Management Policy modular supplier management questionnaire as the required risk assessment, and assign it a type of Vendor so that decision makers do not need to re-review the Critical Data control in other engagements for the same supplier.

If your company uses control-based supplier engagement risk assessment projects, you must define risk controls. Some parts of a control's definition, such as its decision makers, type, and required assessments, are a fundamental aspect of your control-based risk assessment process. The names and descriptions of these controls show to users who create engagement requests and fill out control-based assessment questionnaires.

You use the Import Risk Control Definitions data import task to define questionnaire types. The task reads from the RiskControlDefinition.csv file, which includes the following fields:


AssessmentIds The required assessments for this control. The values you specify in this field are the exact names of the modular supplier management questionnaire project templates that defines the assessments. Enter one or more template names, separated by semicolons, in this field.

Yes

ContractClauseImpact A Boolean value specifying whether or not the control impacts one or more clauses in contracts with suppliers. Currently, this setting is for informational purposes only.

Yes

ControlDescription A description of the control, which shows in the user interface.

No, but recommended

ControlId A unique identifier for the control. Yes

ControlName The name of the control, which shows in the user interface.

Yes



ControlOwner The owner of the control. The value you specify in this field can be the username of an individual user, the name of a project group, or the unique name of a global user group, depending on the value you specify in the ControlOwnerType field.

The control owner does not currently have any role in the control-based engagement risk assessment process. This data is currently for informational purposes only.

Yes

ControlOwnerType Either User if you want to specify an individual user in the ControlOwner field, or Group if you want to specify a project or global user group as the control owner.

Yes




ControlType The type of the control, which determines how often it requires review in different control-based engagement risk assessments for the same supplier. Valid values are:

● Vendor, for a vendor-level control review that applies to a specific supplier. Once a decision maker marks a Vendor control as effective for a supplier, it does not require a new review in subsequent engagement risk assessment projects for the same supplier as long as it remains effective.

● Service, for service-level control review that applies to a specific combination of supplier and commodity category. Once a decision maker marks a Service control as effective for a supplier and commodity combination, it does not require re-review in subsequent engagement risk assessment projects for the same combination of as long as it remains effective. If a new engagement risk assessment project involves the same supplier but at least one different commodity, the control requires a new review.

● Engagement, for an engagement-level control review. Engagement controls require a new review in every individual engagement risk assessment project.

Yes

NoteBehavior concerning review of risk controls depends on your site's configuration for levels of risk control effectiveness: the value of parameter Expanded levels of risk control effectiveness (Application.SR.Engagement.ExpandedLevelsOfRiskControlEffectiveness), introduced with optional feature ARI-9766.

● If No, risk control decisions can be Effective or Ineffective, so an effective risk control is one for which the review decision is Effective.

● If Yes, there are five possible levels, ranging from Completely effective to Completely ineffective. In this case, an ineffective control is one with a review decision of Completely ineffective. A risk control is considered to be at least somewhat effective if the review decision is any of the other four values.

DecisionMaker The decision maker responsible for reviewing the control and rendering an effectiveness decision. The value you specify in this field can be the username of an individual user, the name of a project group, or the unique name of a global user group, depending on the value you specify in the DecisionMakerType field.

Yes



DecisionMakerType Either User if you want to specify an individual user in the DecisionMaker field, or Group if you want to specify a project or global user group as the control decision maker.

Yes

RegulatorMandated A Boolean value specifying whether or not the control is required by a regulatory body.

Yes

RiskType The risk type for the control. Although you can specify any value in this field without causing the risk definition data import to fail, recommends that you define your risk types [page 30] before you define your controls and use the UniqueName values from your risk type master data in this field.

Yes

The following example shows a sample line from RiskControlDefinition.csv as well as the mandatory header:

UTF-8 AssessmentIds,ContractClauseImpact,ControlDescription,ControlID,ControlName,ControlOwner,ControlOwnerType,ControlType,DecisionMaker,DecisionMakerType,RegulatorMandated,RiskTypeData Management Policy,No,All vendors who deal with critical data must have a data management policy,critical_data,Critical data,Category Manager,Group,Vendor,Critical Data Team,Group,No,itSecurity

Defining risk typesRisk types are your organization's categorizations of the kinds of risks that require assessment. Each risk control has a risk type.

For example, you might define a risk type for the European Union's General Data Protection Regulation (GDPR), since suppliers or third parties might have access to personally identifying information for employees or other individual. You can then define risk controls [page 27] for each of the rights defined by the GDPR.

You can import risk controls without defining risk types, but SAP Ariba recommends that you define risk types for all of your risk control data and import risk type data first.

You use the Import Risk Type Master Data data import task to define questionnaire types. The task reads from the RiskTypes.csv file, which includes the following fields:




Description A description of the risk type. No

Name A descriptive name for the risk type. Yes

UniqueName A unique identifier for the risk type. Yes

The following example shows a sample line from RiskTypes.csv as well as the mandatory header:

UTF-8 Description,Name,UniqueName ,European Union Data and Privacy Regulations,GDPR

Related Information

About site master data for control-based engagement risk assessments [page 14]Defining engagement attribute mappings [page 16]Defining engagement control mappings [page 21]Defining risk controls [page 27]

Defining risk classificationsRisk classifications are labels and descriptions that define how your organization categorizes different levels of risk in control-based engagement risk assessment projects . Each classification is associated with a number that reflects its risk.

For example, you can classify a risk of 1 as Low and a risk of 5 as Critical. The classifications you define show in the Inherent Risk (Commodity) and Residual Risk fields in the Engagement Summary area of the engagement page. The Residual Risk field also shows in the Issue Details area of the issue page. The information in these fields provides guidance to approvers, control decision makers, and other stakeholders as they review a control-based engagement risk assessment project or an associated issue.

You can define up to 5 classifications. If you use text labels for their names, you must also define translations for those names in all of the languages used in your site.

Defining risk classifications

You use the Import Risk Classifications data import task to define risk classifications. The task reads from the RiskClassification.csv file, which includes the following fields:



Description A description of the risk classification. No

Name The name of the risk classification. This name shows in the Inherent Risk (Commodity) and Residual Risk fields in the Engagement Summary area of the engagement page.

Yes

UniqueName The unique ID of the risk classification. This value must be a number between 1 and 5, with 1 as the lowest risk classifica-tion and 5 as the highest. You specify this ID in the Risk field when defining risk classifications for specific commodities [page 33].

Yes

The following example shows lines of the RiskClassification.csv file, as well as the mandatory header:

Description,Name,UniqueName Critical risk,Critical,5Severe risk,Severe,4High risk,High,3Moderate risk,Medium,2 Low risk,Low,1

Defining translations for risk classifications

You use the Import Translations for Risk Classifications data import task to define translations for the risk categories you defined in RiskClassification.csv. The task reads from a CSV file that includes the following fields:


UniqueName The unique ID of the risk classification defined inRiskClassification.csv.

Yes

Name The translation for the name of the risk classification.

Yes

Description The translation for the description of the risk classification.

No

Language A valid value for the translation language Yes

The following example shows a line from a CSV file for risk classification translations, as well as the mandatory header

UniqueName,Name,Description,Language3,Hoch,Hohes Risiko,German



Related Information

Defining commodity risk classifications [page 33]

Defining commodity risk classificationsCommodity risk classifications assign risk classifications to specific commodities in control-based engagement risk assessment projects. They identify the level of inherent risk for an engagement based on how critical its commodities and services are to your organization's operations.

For example, you might want to classify network security services as high risk because they are critical to your organization's operations and because they always involve granting supplier or third-party employees access to your organization's computer networks.

If an engagement involves multiple commodities, the one with the highest risk classification determines the commodity-based inherent risk of the engagement.

For inherent risk, commodity risk classification maps the commodities that a requester selects when creating an engagement request to risk classifications. A separate risk classification data file defines the risk classifications themselves and their labels in the user interface.

You use the Import Commodity Risk Classification data import task to define scoring band types. The task reads from the CommodityRiskClassification.csv file, which includes the following fields:


Name Specifies a descriptive name for risk classification for the commodity code.

Yes

UniqueName Specifies the ID of the commodity code to associate with a risk classification. The commodity code you specify must be a code used in your site's commodity master data. This field does not support multiple values.

Yes

Risk Specifies the unique ID of the risk classification using the value in the UniqueName field of your site's risk classification master data [page 31], which is a number between 1 and 5.

Yes

The following example shows lines of the CommodityRiskClassification.csv file, as well as the mandatory header:

Name,UniqueName,Risk 43232305,43232305,4 53,53,1

TipControl-based engagement risk assessment projects can also have an inherent risk rating based on scoring the answers to the inherent risk screening questionnaire in the engagement request. That risk rating shows in the


Inherent Risk field in the Engagement Summary area of the engagement page. If you have defined commodity risk classifications in your site, the commodity-based rating shows in the Inherent Risk (Commodity) field in the Engagement Summary, and its corresponding numerical value is stored in the Inherent Risk Score (Commodity) project field. Although you can set up both types of inherent risk ratings for your control-based engagement risk assessment projects, it is possible for the same project to show different and even conflicting ratings in the Inherent Risk and Inherent Risk (Commodity) fields. Choosing only one method of rating the inherent risk for an engagement provides clearer guidance to engagement approvers and other stakeholders.

Related Information

Defining risk classifications [page 31]About Inherent Risk (Commodity) for control-based engagement risk assessment projects

Defining risk probabilities

Risk probabilities are indicators of how likely an issue is to actually occur on a scale from low to high. Users managing issues in control-based engagement risk assessment projects assign those issues a probability.

For example, you can define a scale with a low end of Remote and a high end of Very Likely, with values in between such as Unlikely, Possible, and Likely.

The issue form in issue management projects includes a question about probability, and risk probability data defines the possible answers to that question. The combination of probability and severity [page 36] for an issue then determines its residual risk level based on residual risk mapping master data [page 37].

You can define any number of probabilities, but keeping the number limited helps you to create a scale with easy-to-understand contrasts between levels so that users have a clear choice when they set the probability of an issue. If you use text labels for their names, you must also define translations for those names in all of the languages used in your site.

Defining risk probabilities

You use the Import Risk Probabilities data import task to define risk probabilities. The task reads from the RiskProbability.csv file, which includes the following fields:


Description A description of the risk probability. No



https://help.sap.com/viewer/948547c2cb5f4b0183ab94c7bd62be5f/cloud/en-US/01f1d22745854909b8d66d567540c7c8.html


Name The name of the risk probability. In the issue management project template, the issue survey document includes a mapped question about issue probability with available answers defined by your site's issue probability master data, and the menu that users see when answering that question shows the probability names defined in this field.

Yes

UniqueName The unique ID of the issue probability. You specify this ID in the RiskProbability field when mapping issue severities and probabilities to residual risk levels [page 37].

Yes

The following example shows lines of the RiskSeverity.csv file, as well as the mandatory header:

Description,Name,UniqueName The probability of this issue is remote,Remote,probability1The probability of this issue is unlikely,Unlikely,probability2 The probability of this issue is possible,Possible,probability3

Defining translations for risk probabilities

You use the Import Translations for Risk Probabilities data import task to define translations for the risk probabilities you defined in RiskSeverity.csv. The task reads from a CSV file that includes the following fields:


UniqueName The unique ID of the risk probability defined inRiskProbability.csv.

Yes

Name The translation for the name of the risk probability.

Yes

Description The translation for the description of the risk probability.


The following example shows a line from a CSV file for risk probability translations, as well as the mandatory header:

UniqueName,Name,Description,Languageprobability3,Denkbar,Die Wahrscheinlichkeit dieser Frage ist denkbar,German

Related Information

Defining risk classifications [page 31]


Defining risk severities [page 36]Defining residual risk mappings [page 37]

Defining risk severitiesRisk severities are indicators of how serious or critical an issue is on a scale from low to high. Users managing issues in control-based engagement risk assessment projects assign those issues a severity.

For example, you can define a scale with a low end of Minor and a high end of Acute, with values in between such as Low, Medium, High, and Severe.

The issue form in issue management projects includes a question about severity, and risk severity data defines the possible answers to that question. The combination of severity and probability [page 34] for an issue then determines its residual risk level based on residual risk mapping master data [page 37].

You can define any number of severities, but keeping the number limited helps you to create a scale with easy-to-understand contrasts between levels so that users have a clear choice when they set the severity of an issue. If you use text labels for their names, you must also define translations for those names in all of the languages used in your site.

Defining risk severities

You use the Import Risk Severities data import task to define risk severities. The task reads from the RiskSeverity.csv file, which includes the following fields:


Description A description of the risk severity. No

Name The name of the risk severity. In the issue management project template, the issue survey document includes a mapped question about issue severity with available answers defined by your site's issue severity master data, and the menu that users see when answering that question shows the severity names defined in this field.

Yes

UniqueName The unique ID of the issue severity. You specify this ID in the RiskSeverity field when mapping issue severities and probabilities to residual risk levels [page 37].

Yes

The following example shows lines of the RiskSeverity.csv file, as well as the mandatory header:

Description,Name,UniqueName The issue impact is acute,Acute,severity6The issue impact is severe,Severe,severity5



The issue impact is minimal,Minimal,severity1

Defining translations for risk severities

You use the Import Translations for Risk Severities data import task to define translations for the risk severities you defined in RiskSeverity.csv. The task reads from a CSV file that includes the following fields:


UniqueName The unique ID of the risk severity defined inRiskSeverity.csv.

Yes

Name The translation for the name of the risk severity.

Yes

Description The translation for the description of the risk severity.

No


The following example shows a line from a CSV file for risk severity translations, as well as the mandatory header

UniqueName,Name,Description,Languageseverity1,Unbedeutend,Die Auswirkung der Frage ist unbedeutend,German

Related Information

Defining risk classifications [page 31]Defining risk probabilities [page 34]Defining residual risk mappings [page 37]

Defining residual risk mappings

Residual risk mappings assign a risk classification to each possible combination of probability and severity. Users managing issues in control-based engagement risk assessment projects assign those issues a probability and a severity, and the combination determines its residual risk.

For example, you can assign a risk classification of 1 (the lowest classification) to an issue with a probability of Remote and a severity of Minimal, and a risk classification of 5 (the highest classification) to an issue with a


probability of Very Likely and a severity of Acute. The following diagram illustrates an example of residual risk mappings:

Residual risk mappings use the classifications defined in your site's risk classification master data [page 31]. The classification name shows in the Residual Risk field in the Issue details area of the issue page and in the Engagement Summary area of of the engagement page.

You use the Import Residual Risk Mappings data import task to define residual risk mappings. The task reads from the ResidualRiskMapping.csv file, which includes the following fields:


RiskClassification The risk classification to associate with the specified severity and probability as defined in the UniqueName field of your site's risk classification master data [page 31].

Yes

RiskProbability The risk probability to associate with the classification as defined in the UniqueName field of your site's risk probability master data [page 34].

Yes

RiskSeverity The risk severity to associate with the classifications as defined in the UniqueName field of your site's risk severity master data [page 36].

Yes

UniqueName A unique ID for the mapping. Yes



The following example shows lines of the ResidualRiskMapping.csv file, as well as the mandatory header:

RiskClassification,RiskProbability,RiskSeverity,UniqueName 1,probability1,severity1,residualrisk11,probability2,severity1,residualrisk21,probability1,severity2,residualrisk31,probability2,severity2,residualrisk41,probability3,severity1,residualrisk51,probability4,severity1,residualrisk61,probability5,severity1,residualrisk72,probability1,severity3,residualrisk82,probability2,severity3,residualrisk92,probability3,severity2,residualrisk102,probability4,severity2,residualrisk112,probability5,severity2,residualrisk12

Related Information

Defining risk classifications [page 31]Defining risk probabilities [page 34]Defining risk severities [page 36]

Defining modular questionnaire typesQuestionnaire types specify the different categories or areas into which your company's modular questionnaires are divided, usually based on their purpose. Each modular questionnaire template has a type that determines its use.

For example, your company might define questionnaire types such as Compliance, Finance, Quality, Certifications, and so on. Based on your site's modular template configurations, category or supplier managers can send different modular questionnaires based on their questionnaire type as well as the commodities, regions, and departments applicable to a specific lifecycle process.

If your company uses modular questionnaires, you must define their types. If the types you use are text labels, you must also define translations for each language you use in your site.

Defining the questionnaire types

You use the Import Questionnaire Types data import task to define questionnaire types. The task reads from the SMQuestionnaireType.csv file, which includes the following fields:


Description A description of the questionnaire type. No



EvaluationType Specifies whether or not the modular questionnaire uses scoring using one of the following values:

● Graded, meaning that the questionnaire is evaluated based on scores and scoring band ranges configured in the modular questionnaire project template, which generate a score and a band indicator for each questionnaire based on respondent answers. In the modular questionnaire project template, if a template creator chooses a questionnaire type with the Graded evaluation type, they see Band Score Range settings where they can configure the range of scores associated with each scoring band in the questionnaire.

● NonGraded, meaning that the questionnaire is evaluated based on subjective judgment of respondent answers. In modular questionnaire project templates, if a template creator chooses a questionnaire type with the NonGraded evaluation type, they can't configure band score ranges.

Blank values are considered NonGraded.

Note that the value you specify in this field simply determines whether or not questionnaires of a given type use grading for evaluation. For each individual modular questionnaire project template with a Graded evaluation type, the actual scoring, the type of scoring bands, and the range values for those bands are defined in the individual template.

No

Name The name of the questionnaire type. This name appears in the Questionnaire Type dropdown menu in modular questionnaire templates.

Yes




UniqueName The unique ID of the questionnaire type.

If your site includes SAP Ariba Supplier Risk control-based engagement risk assessment projects and you plan to use an engagement risk assessment process with only internal assessments for engagements with no specified supplier, you must define a questionnaire type with a UniqueName of SR Engagement Questionnaire Type, using this exact text. This requirement is only applicable if the ability to submit an engagement request with no supplier selected is enabled in your site.

Yes

The following example shows lines of the SMQuestionnaireType.csv file, as well as the mandatory header:

UTF-8 Description,EvaluationType,Name,UniqueNameHealth and safety requirements,Graded,Occupational Health and Safety Requirements,OHSR Certifications,NonGraded,Certifications,CERT

Defining translations for questionnaire types

You use theImport Translations for Questionnaire Types data import task to define translations for the questionnaire types you defined in SMQuestionnaireType.csv. The task reads from a CSV file that includes the following fields:


Name The translation for the name of the questionnaire type.

Yes

UniqueName The unique ID of the questionnaire type as defined in SMQuestionnaireType.csv.

Yes

Language A valid value for the translation language. Yes

The following example shows lines from a CSV file for questionnaire type translations, as well as the mandatory header:

UTF-8 Name,UniqueName,LanguageRequisitos de Salud y Seguridad Ocupacional,OHSR,Spanish


Arbeitsschutzanforderungen,OSHR,German

Language values for defining translationsThe following are valid values for the Language field in CSV files that define translations for supplier management master data:

● BrazilianPortuguese● Bulgarian● Croatian● Czech● Danish● Dutch● English● Finnish● French● German● Greek● Hungarian● Italian● Japanese● Korean● Norwegian● Polish● Romanian● Russian● SimplifiedChinese● Spanish● Swedish● Thai● TraditionalChinese● Turkish



Topics about importing supplier-related data in SM Administration

About importing supplier-related data [page 43]

How to import supplier data [page 45]

Importing suppliers from sourcing (manual supplier migration) [page 49]

How imported supplier data affects risk corporate enrichment [page 55]

Supplier data file format [page 56]

Supplier contact data file format [page 61]

Defining supplier qualifications for control-based engagement risk assessment projects [page 64]

Preferred supplier data file format [page 69]

User matrix (buyer category assignment) data file format [page 73]

Supplier risk data import file format [page 77]

Importing status data for assessments and risk controls [page 79]

About importing supplier-related dataSupplier-related data defines the suppliers and supplier contacts in your site as well as their characteristics, such as qualified or preferred status, and risk data. You import supplier-related data using the Data import or export task in SM Administration.

SAP Ariba Supplier Risk uses the following supplier-related data:

This supplier data... Defines...

Supplier data [page 56] The suppliers in your site.

If you have an existing SAP Ariba solution that does not include SAP Ariba Supplier Lifecycle and Performance, see Supplier risk data import.

If your SAP Ariba solution includes SAP Ariba Supplier Lifecycle and Performance, it shares a supplier database with SAP Ariba Supplier Risk and you do not have to import suppliers separately.

Otherwise, you import this CSV file containing your supplier data to define the suppliers in your SAP Ariba Supplier Risk solution.

Supplier contact data [page 61] The contacts for your suppliers.

Supplier risk data importTopics about importing supplier-related data in SM Administration PUBLIC 43

This supplier data... Defines...

Supplier qualification data [page 64] Qualification statuses for your suppliers.

Control-based engagement risk assessment projects can optionally use qualified status to recommend suppliers during the supplier selection step of the engagement request. If your solution includes SAP Ariba Supplier Lifecycle and Performance, the qualification statuses designated as part of the lifecycle process drive recommendations in the engagement request. If your solution does not include SAP Ariba Supplier Lifecycle and Performance, you can import qualification supplier data using a supplier qualification CSV file.

Preferred supplier data [page 69] Preferred statuses for your suppliers.

SAP Ariba Supplier Risk can optionally use preferred supplier status as part of its risk exposure calculations. If your solution includes SAP Ariba Supplier Lifecycle and Performance, the preferred status levels designated as part of the lifecycle process are included in risk exposure calculation. If your solution does not include SAP Ariba Supplier Lifecycle and Performance, you can import preferred supplier data for use in risk exposure calculations using a preferred supplier CSV file.

Buyer category assignment (user matrix) data [page 73] User assignments to project or global user groups for specific combinations of commodity, region, and department.

Supplier risk data [page 77] Risk-related information such as spend and relationship type for your suppliers, as well as data for custom fields and risk exposures from external systems.How to import supplier data [page 45]

You can download samples of supplier data CSV files from the Data import or export area of SM Administration. On the dashboard, click Manage SM Administration to access this area.

NoteThe sample files you download include a column for supplier name, which is included in exported data for reference only. Do not include it in the data files you import. The exceptions to this rule are the name1 through name4 columns in the file you import using the Suppliers data import task. Those columns must be included in the imported file.

Related Information




How to import supplier data

Importing supplier-related data makes it available for supplier management, risk, and procurement activities.

Prerequisites

You must be a member of the SM ERP Admin, SM Ops Admin, Supplier Risk Manager, or Customer Administrator group to import supplier data in SM Administration.

NoteFor customers who use guided buying, you must belong to both the Supplier/Customer Manager and SM Ops Admin groups.

If you aren't importing suppliers for guided buying and your site includes existing SAP Ariba solutions with supplier data, you must first obtain that data before importing it.

The suppliers referenced by supplier data files, such as supplier contacts and supplier factory data, must already exist in the database before you import the files, either as a result of importing suppliers first or because they were created manually in the user interface. The exception to this rule is for supplier qualification data and preferred supplier list data, which offer an option to create the suppliers referenced in the file if they don't already exist. However, if you're importing supplier data in SAP Ariba Supplier Management solutions, the data in those files is limited and importing supplier data first is recommended .

Context

You import all supplier data for suppliers exported from SAP Ariba cloud solutions in CSV files. There's no restriction on file naming. Supplier data import supports the following encoding types for CSV files:

● UTF-8● US ASCII● ISO-8859-1● IUTF-16BE● UTF-16LE● UTF-16

Unless otherwise specified, all supplier data imports add new records and update existing records. For example, if you import supplier data with a new ERP vendor ID, the import operation adds the new supplier record to the database. If you import supplier data with an existing ERP vendor ID and source system, but with a change to some other data such as a different address, the import operation updates the existing supplier record with the new address. If a data file contains an existing record with no changes, the import operation ignores that record.


Procedure

1. From the dashboard, navigate to SM Administration. Available paths depend on the groups to which your user belongs.○ In sites that include SM Administration, members of the SM Ops Administrator, SM ERP Admin, or

Customer Administrator group can choose Manage SM Administration .○ Members of the Supplier Risk Manager group can access SM Administration from the SAP Ariba

Supplier Risk dashboard: choose the settings icon ( ), then choose Import data Link to SM admin .

2. Choose Data import or export.3. On the Import tab, choose the type of data you want to import from the File type dropdown menu. The data

imports that are available depend on your solutions and which optional features are available, and can include:

This data type... Imports...

Suppliers Suppliers from outside SAP Ariba in a CSV file.

Supplier from Sourcing Suppliers exported from SAP Ariba cloud solutions in SupplierOrganizationExport.zip. Only import the SupplierOrganizationExport.zip file using this task. Don't import the CSV files it contains individually.

CautionOnly use this data import task to migrate existing supplier organizations from another SAP Ariba solution. There's important information that you must be aware of about how to migrate suppliers with the correct ERP vendor IDs and address state information before you use this task. If you're:○ Adding suppliers from an existing SAP Ariba solu

tion to SAP Ariba Supplier Risk without SAP Ariba Supplier Lifecycle and Performance or SAP Ariba Supplier Information and Performance Management (new architecture), see the topics on migrating supplier organizations to the unified vendor model in the setup guide.

○ Migrating suppliers and supplier profiles from an existing SAP Ariba solution to SAP Ariba Supplier Lifecycle and Performance or SAP Ariba Supplier Information and Performance Management (new architecture), see Migrating suppliers to the unified vendor model. That guide also contains important information about the order in which to perform various migration steps, including this data import, as well as other migration requirements.



https://help.sap.com/viewer/e2f3b8d54c144869bb1377bf822bf836/cloud/en-US/c7721e54836541fa9c8ee433a765a44e.html

https://help.sap.com/viewer/e2f3b8d54c144869bb1377bf822bf836/cloud/en-US/c7721e54836541fa9c8ee433a765a44e.html

This data type... Imports...

Supplier contacts Supplier contacts in a CSV file. You must have an active subscription to SAP Ariba Supplier Lifecycle and Performance to import supplier contacts.

Supplier qualification data A list of supplier qualifications by commodity and code and region in a CSV file.

Preferred supplier list data A list of preferred suppliers by commodity code and region in a CSV file.

Supplier factory data Information about supplier factories in a CSV file. This data is for information only.

Purchasing organization data The purchasing organizations associated with the supplier, including defaults, in a CSV file. This data is only used in the guided buying capability in SAP Ariba Buying solutions.

Custom display names Custom labels for registration and qualification statuses in a CSV file.

Primary supplier manager The names of primary internal contacts for suppliers in a CSV file.

User matrix User assignments to commodities, regions, and supplier management project groups in a CSV file.

Supplier Risk Data Risk data for suppliers in SAP Ariba Supplier Risk.

Supplier Process Projects Import A list of process statuses by commodity, region, and department in a CSV file. This data import is only available in SAP Ariba Supplier Lifecycle and Performance sites where the flexible framework for qualification and other lifecycle processes feature (SM-16798) is enabled.

Process project automatic status assignment rules Rules that define the statuses to which process projects are automatically set when their included modular questionnaires meet the specified status conditions. This data import is only available in SAP Ariba Supplier Lifecycle and Performance sites where the flexible framework for qualification and other lifecycle processes feature (SM-16798) is enabled.

4. (Optional) For supplier qualification data or preferred supplier list data, choose Create supplier if necessary to add any suppliers in the data that don't already exist to the database.

If you use this option, the preferred of qualified suppliers are created in the database with SM IDs but no names. To display them correctly in the user interface, import complete data for them using the Suppliers or Suppliers from sourcing data import option, specifying those SM IDs in the supplier data files. Importing the suppliers first, rather than creating them from the preferred or qualified supplier data, is recommended.

5. Choose Choose File and navigate to the file you want to import.


6. Choose the encoding that the data file you want to import uses from the Encoding Type dropdown menu.7. Choose Import.

Next Steps

Choose the Import summary tab to view the status of your data import. If your import contains any errors, choose the View link to the right of the number of errors in the import to see or download error messages.

You can cancel an data import by choose Cancel Job.

TipIf you're using Microsoft Internet Explorer and you don't see any information in the Status column of the Import Summary tab, adjust the document mode compatibility setting of your browser. To do so, right-click anywhere in the browser window and choose Inspect element to display the inspection pane at the bottom of the browser window. Choose the Emulation tab, choose 10 from the Document Mode dropdown menu, and close the inspection pane.

Related Information

How to obtain existing SAP Ariba supplier dataSupplier data file format [page 56]Supplier contact data file format [page 61]Supplier qualification data file format [page 64]Preferred supplier data file format [page 69]Supplier factory data file formatPurchasing organization data file formatCustom display name data file formatPrimary supplier manager data file formatUser matrix (buyer category assignment) data file format [page 73]Supplier risk data import file format [page 77]Topics about configuring risk exposureHow to manually migrate supplier organization data [page 49]Supplier Process Projects Import file formatProcess project automatic status assignment rules data file format



https://help.sap.com/viewer/c6163e943b0d48e0885ac73047145cbf/cloud/en-US/90f2f3a97aeb4817b8a20fe02f1acea6.html

https://help.sap.com/viewer/c6163e943b0d48e0885ac73047145cbf/cloud/en-US/7a8415ddbb4f41c4aeab747acbd1f2dd.html

https://help.sap.com/viewer/c6163e943b0d48e0885ac73047145cbf/cloud/en-US/62d1235ea753494fb82a006af33ab7fc.html

https://help.sap.com/viewer/c6163e943b0d48e0885ac73047145cbf/cloud/en-US/fde050cf2bb342baa1b47a8b1606c8cd.html

https://help.sap.com/viewer/c6163e943b0d48e0885ac73047145cbf/cloud/en-US/f265792f8eae45198e396656363481d8.html

https://help.sap.com/viewer/9f1416275035435eb8563fe6d3bf2640/cloud/en-US/b09cfb715a3645228558c1b1ef9dab7e.html

https://help.sap.com/viewer/c6163e943b0d48e0885ac73047145cbf/cloud/en-US/11b9c87d28f442c0808be9ecd6bceeb5.html

https://help.sap.com/viewer/c6163e943b0d48e0885ac73047145cbf/cloud/en-US/0b89d9806d2b409db8fc0061fd00eb99.html

Importing suppliers from sourcing (manual supplier migration)If you are adding SAP Ariba Supplier Risk to another SAP Ariba solution package, you migrate your existing suppliers to the SAP Ariba Supplier Risk database using the Suppliers from Sourcing data import task rather than importing them directly.

This manual migration is an initial step that adds existing SAP Ariba suppliers to the supplier database used by SAP Ariba Supplier Risk.

How to manually migrate supplier organization data [page 49]

Options for migrating ERP vendor IDs to the unified vendor model [page 51]

Supplier organization-to-unified-vendor field mappings [page 53]

How to manually migrate supplier organization data

Manually migrating supplier data involves exporting the SupplierOrganizationExport.zip file from Ariba Administrator and importing it into SM Administration.

Prerequisites

To export data from Ariba Administrator, you must be a member of the Customer Administrator group. To import data in SM Administration, you must be a member of the SM Ops Administrator group. SAP Ariba customer support administrators can also perform both tasks.

Understand your options for migrating ERP vendor IDs in your existing supplier data to the unified vendor model [page 51]. Two settings in the SupplierOrganizationExport.zip import operation affect the migration of ERP vendor ID.

Understand your options for migrating CorporateAddress.PostalAddress.State data [page 53]. A setting in the SupplierOrganizationExport.zip affects the migration of supplier address states, regions, or provinces.

Context

The SupplierOrganizationExport.zip file contains two CSV files: SupplierOrganization_Export.csv, which contains supplier data, and SupplierOrganizationOranizationIDPart_Export.csv, which contains organization ID data for suppliers.

SAP Ariba recommends that you divide the supplier organization export into batches to prevent performance problems. For reference, importing 10,000 suppliers in SM Administration takes approximately 45 minutes. Note that the file you import in SM Administration must be named SupplierOrganizationExport.zip.


If you make copies of the exported ZIP file to divide the data into batches, make sure to change each ZIP file name back to SupplierOrganizationExport.zip before importing it in SM Administration. The name of the file you import in SM Administration must be SupplierOrganizationExport.zip, and that ZIP file must contain a file called SupplierOrganization_Export.csv for supplier data and a file called SupplierOrganizationOranizationIDPart_Export.csv for organization ID data. Any change to the names of these files causes the import to fail. If you are using a Mac, zip and unzip these files using a terminal command line, not the folder utility; files zipped using the folder utility do not import successfully.

CautionDo not use Microsoft Excel to open or edit supplier data CSV files. Microsoft Excel treats number data as text and strips out leading 0s, which can cause suppliers to migrate with incorrect ERP vendor IDS, among other serious problems. Use a text editor that does not reformat data, such as Notepad or Notepad ++, to edit supplier data CSV files.

When you break up your supplier data into batches, be aware that you must keep the supplier data and the organization ID mappings for an individual supplier in the same import ZIP file. If a supplier has a valid entry in SupplierOrganization_Export.csv but their organization IDs are not included in the SupplierOrganizationOranizationIDPart_Export.csv file in the same import ZIP file, the supplier is migrated with either the System ID (if you use that option) or an ERP vendor ID generated by SAP Ariba Supplier Management solutions and beginning with "VDR" rather than the organization ID you plan to migrate. There is no opportunity to correct the ERP vendor ID after migration. On the other hand, any entry in SupplierOrganizationOranizationIDPart_Export.csv with a Parent.SystemID that does not match a SystemID in SupplierOrganization_Export.csv in the same import ZIP file is ignored, since the data in SupplierOrganization_Export.csv is required to migrate the supplier successfully.

Procedure

1. Export supplier organization data by performing the following steps:

a. On the dashboard, choose Manage Administration .

b. Choose Site Manager Data Import/Export .c. Click the Export tab.d. Perform a search for the data export task Export Supplier Organizations (CSV).e. Click Export.f. On the Specify an adapter source dropdown menu, choose All.g. Click OK.

2. Save the exported SupplierOrganizationExport.zip file to the location of your choice. Do not rename it.

3. Open the ZIP file, then open the CSV files in it, perform the following actions:

○ Delete the first line, which specifies UTF-8 encoding.○ Delete the suppliers you do not want to include in the first migration batch.○ Delete any customer organizations.○ Save your changes and re-zip the files.

4. Import the first batch of supplier organizations into the unified vendor model by performing the following steps:

a. On the dashboard, choose Manage SM Administration .



b. Click Data import and export.c. On the File type dropdown menu, choose Suppliers from sourcing.d. Click Choose File.e. Navigate to SupplierOrganizationExport.zip and select it.f. (Optional) To migrate organization IDs in one or more domains other than sap, psoft, or oracle to ERP

vendor ID, enter the domain names, separated by commas, in the Optional custom domain names field.g. (Optional) To migrate the supplier organizations' SystemIDs to ERP vendor ID if no matching sap, psoft,

oracle, or custom organization ID domain is found, check Consider Object Id as ERP Vendor Id.h. (Optional) If your supplier organization CorporateAddress.PostalAddress.State is longer than 2

characters, to include it in the migration, check Consider state as stateName.i. Click Import.

The Import Summary tab shows the status of your import.5. Repeat these steps to import all of your batches of supplier organizations.

Results

After a successful import, migrated suppliers are active in your site and are visible in search results.

Related Information

Supplier organization-to-unified-vendor field mappings [page 53]How to manually migrate supplier usersHow to manually map the supplier profile questionnaire to supplier registration questionnairesHow to check manual migration statusHow supplier migration to the unified vendor model worksStep 6: Topics about migrating your supplier data with auto migration tools

Options for migrating ERP vendor IDs to the unified vendor model

When you migrate supplier organizations to the unified vendor model, you can migrate either their SystemIDs or organization IDs from specific domains to the ERP vendor ID field. Otherwise, SAP Ariba Supplier Management solutions assigns migrated suppliers an ERP vendor ID with a "VDR" prefix.

ERP vendor ID is a required field for suppliers in the unified vendor model. When you migrate supplier organization data for ERP suppliers to the unified vendor model, it is important to populate the ERP vendor ID field with the value that is also used in your ERP system or systems, since there is currently no way of updating the ERP vendor ID in the unified vendor model after migration. There are several options for migrating ERP vendor IDs to the unified vendor model, depending on where you store those IDs in your supplier organizations and whether you use manual or auto migration tools. SAP Ariba Supplier Management solutions migrate organization IDs to the unified vendor model as follows:


https://help.sap.com/viewer/e2f3b8d54c144869bb1377bf822bf836/cloud/en-US/07027d2fd44840da95f6d7217496681d.html

https://help.sap.com/viewer/e2f3b8d54c144869bb1377bf822bf836/cloud/en-US/280349c49b954bf29e08a3ce92e48243.html

https://help.sap.com/viewer/e2f3b8d54c144869bb1377bf822bf836/cloud/en-US/aad43bc8a5154df788440c64ae7f01e1.html

https://help.sap.com/viewer/e2f3b8d54c144869bb1377bf822bf836/cloud/en-US/05ee8344bd394900bedcd3be91fc0081.html

https://help.sap.com/viewer/e2f3b8d54c144869bb1377bf822bf836/cloud/en-US/b691398b64c24afebaaed0b3b0e688bc.html

● Mandatory migration of organization IDs in the sap, oracle, or psoft domain:When you migrate supplier organizations to the new unified vendor model using either manual or auto migration tools, SAP Ariba Supplier Management solutions always look for organization IDs in the domains sap, oracle, or psoft and migrates their associated values to ERP vendor ID using the following order of prioritization:○ Organization IDs in the sap domain are always migrated to the ERP vendor ID if they are present.○ If there is no organization ID in the sap domain, but there is an organization ID the oracle domain, that ID

is migrated to the ERP vendor ID.○ If there is no organization ID in the sap domain, but there is an organization ID the psoft domain, that ID is

migrated to the ERP vendor ID.○ If there is no organization ID in the sap domain, but there are organization IDs in both the oracle and

psoft domains, the ID in the psoft domain is migrated to the ERP vendor ID.The domain name must be an exact match to the values specified here, including the use of all lowercase letters.

● Optional migration of organization IDs in custom domains: If you use one or more domains other than sap, oracle, or psoft to store ERP vendor IDs, you can specify those domain names as a comma-separated list in the Optional custom domain names field when importing SupplierOrganizationExport.zip. If the import does not encounter an organization ID in the domains sap, oracle, or psoft for a supplier, it migrates the value associated with the first matching custom domain you specify in the Optional custom domain names field as the ERP vendor ID. This option is only available for manual migration; it is not available for auto migration.

● Optional migration of SystemID to ERP vendor ID: You can use theConsider Object ID as ERP Vendor ID data import option to migrate the value in the supplier organization SystemID field to ERP vendor ID. The SystemID field is a field in supplier organization import and export files, including the SupplierOrganizations.zip file you use to migrate your supplier organization data. The SystemID value is also stored as an organization ID value in the buyersystemid domain. This option is only available for manual migration; it is not available for auto migration.If you created supplier organizations for your ERP suppliers via data import and specified ERP vendor IDs in the SystemID field, the Consider Object ID as ERP Vendor ID option allows you to easily migrate them to the unified vendor model. However, note that supplier organizations created manually in the user interface are automatically assigned an SAP Ariba-specific buyersystemid value that begins with ACM. In supplier organizations, this value can be updated manually in the user interface, but cannot be updated automatically via data import. If you use this data import option to migrate ERP vendor IDs, whatever value is associated with the buyersystemid domain will migrate as the supplier's ERP vendor ID.

● Automatic assignment of an SAP Ariba Supplier Management solutions-generated ERP vendor ID: If a migrating supplier does not have an organization ID in the sap, oracle, or psoft domain, and either it doesn't have an organization ID in one of the custom domains you specified or you did not specify any custom domains, and you did not use the option to migrate the SystemID, SAP Ariba Supplier Management solutions automatically assign it an ERP vendor ID that begins with "VDR" during migration. This assignment occurs in both manual and auto migration.

Keep this behavior in mind and make sure that the ERP suppliers you plan to migrate have the correct ERP values in the organization ID domain or SystemID field, depending on which migration tools and options you plan to use. For most organization IDs, you can update values either in the user interface or via data import. You can only update values in the buyersystemid domain, which is also the organization's SystemID, in the user interface.

TipBe aware that if you plan to use an existing SAP Ariba integration toolkit or SOAP web services configuration to integrate a limited number of fields in the unified vendor model with your ERP system after migration, only



organization IDs in the sap domain are synchronized to the unified vendor model with these integration methods. For updates to existing suppliers via these integration methods, the organization ID value in the sap domain must match the supplier's ERP vendor ID in the unified vendor model for updates to be successful. When creating new suppliers in the unified vendor model via these integration methods, only organization IDs in the sap domain are converted to ERP vendor IDs; if a supplier does not have an organization ID in the sap domain, SAP Ariba Supplier Management solutions assigns an ERP vendor ID that begins with "VDR.". Keep this requirement in mind when planning your migration and post-migration integration strategies.

Supplier organization-to-unified-vendor field mappings

Migrating supplier organizations automatically moves their data to specific fields in the unified vendor model.

The following table describes which fields in the unified vendor model the data in supplier organizations are added to.

User interface field

SupplierOrganization_Export.csv field Unified vendor model field

Preferred Language PreferredLanguage.UniqueName

vendor.vendorInfoExt.languageCode

Main Email Address CorporateEmailAddress N/A

ID SystemID For manual migration, depending on your settings when importing SupplierOrganizationExport.zip, ERP vendor ID can be populated from an organization ID [page 51] or the SystemID field, or is generated automatically.

For auto migration, ERP vendor ID can be populated from an an organization ID [page 51] field or generated automatically.

Minimum Annual Revenue AnnualRevenueMinimum.Amount N/A

Customer IsCustomer N/A

State of Incorporation StateOfIncorporation N/A

Main Phone CorporatePhone vendor.address.phone

Number of Employees (estimate) NumberOfEmployees N/A

Main Fax CorporateFax vendor.address.fax




Address Name CorporateAddress.UniqueName N/A

N/A AnnualRevenueMinimum.Currency.UniqueName

N/A

City in Corporate Address CorporateAddress.PostalAddress.City

vendor.address.city

Supplier IsSupplier N/A

State/Province/Region in Corporate Address

CorporateAddress.PostalAddress.State

vendor.address.state for data of two characters or less. The vendor.address.state state field has a maximum length of 2 characters.

If the data in CorporateAddress.PostalAddress.State is longer than 2 characters, it is not migrated unless you use manual migration and check the Consider state as stateName option. With this option, CorporateAddress.PostalAddress.State data of up to 6 characters is automatically migrated to vendor.address.stateName.

NoteThe vendor.address.state field shows in supplier profiles in the user interface. The vendor.address.stateName does not.

Maximum Revenue Amount AnnualRevenueMaximum.Amount N/A

Corporate URL CorporateURL vendor.address.url

N/A HasTradingRelationship N/A

Year Founded YearFounded N/A

Country/Region in Corporate Address CorporateAddress.PostalAddress.Country.UniqueName

vendor.address.countryCode

Organization Name Name vendor.vendorInfo.name1





N/A IsManaged N/A

Approved value in Approval Status field IsOrgApproved vendor.vendorInfo.approved with a value of TRUE if IsOrgApproved is 1 or 2 and FALSE otherwise

Type of Organization OrganizationType N/A

N/A HasSyncRelationship N/A

N/A PreferredCurrency.UniqueName

vendor.vendorInfoExt.preferredCurrencyUniqueName

N/A AnnualRevenueMaximum.Currency.UniqueName

N/A

Street in Corporate Address CorporateAddress.PostalAddress.Lines

vendor.address.line1

Postal Code in Corporate Address CorporateAddress.PostalAddress.PostalCode

vendor.address.postalCode

Related Information

Supplier user-to-supplier contact field mappingsHow supplier migration to the unified vendor model worksWho needs to migrate supplier data to the new vendor model and whyTopics about supplier data in the SAP Ariba landscape with the unified vendor modelTopics about migrating your suppliers to unified vendor model

How imported supplier data affects risk corporate enrichmentTo add enriched corporate information to supplier 360° profiles, SAP Ariba Supplier Risk uses specific data about the supplier from the supplier data import file.

To enrich the supplier's profile with country/region data, the countryCode field of the supplier data import file must contain a valid country/region code for the supplier. To enrich the supplier's profile with other corporate information, such as number of employees or year founded, the data import for the supplier must include data in the city, state, or countryCode field. If this data is not included, but the supplier does have a valid Dun &


https://help.sap.com/viewer/e2f3b8d54c144869bb1377bf822bf836/cloud/en-US/20b06e55972b43b58769ce0ac3887e23.html

https://help.sap.com/viewer/e2f3b8d54c144869bb1377bf822bf836/cloud/en-US/05ee8344bd394900bedcd3be91fc0081.html

https://help.sap.com/viewer/e2f3b8d54c144869bb1377bf822bf836/cloud/en-US/a031ae3ed82a4fc1be265ed1907f88a6.html

https://help.sap.com/viewer/e2f3b8d54c144869bb1377bf822bf836/cloud/en-US/2f86183f7d6e4144864070d09baad938.html

https://help.sap.com/viewer/e2f3b8d54c144869bb1377bf822bf836/cloud/en-US/f6f6042f35c74f528c87b355af79b9be.html

Bradstreet ID in the dunsId field, in some cases SAP Ariba Supplier Risk can extrapolate from that ID in order to add enriched corporate information to the supplier's profile.

Supplier data file format

Importing supplier data creates suppliers in the database.

You use the Suppliers data import task to import suppliers into your site. The task reads from a CSV file that contains the following fields:

Field Description Required? Maximum field length

erpVendorId The ID of the supplier in the integrated ERP system.

Yes 50

(SAP ERP maximum field length is 10)

smVendorId The ID that SAP Ariba assigns to the supplier. The value in this field must be an existing SM vendor ID.

If you import a supplier record with an existing smVendorId but a new erpVendorId value, the database updates the existing supplier record with the new erpVendorId. The new erpVendorId must be unique; it cannot match an existing supplier record. You can only update ERP vendor IDs for suppliers that are in Not Integrated or In Process integration status or whose initial integration is in an error state.

Yes, to update the erpVendorId. Otherwise no.

masterVendorId Not currently used. No 255

sourceSystem The system in which the supplier was created; for example, SM for SAP Ariba or SAP for SAP ERP.

Yes 255

name1 The primary name of the supplier.

Yes 125





name2 An alternate name for the supplier.

No 125


name3 A second alternate name for the supplier.

No 125


name4 A third alternate name for the supplier.

No 125


phone The supplier phone number. No 40

fax The supplier fax number. No 40

line1 The first line of the supplier address.

At least one of the following fields is required: line1, line2, line3, city, state, postalCode, or countryCode

125


line2 The second line of the supplier address.


255

line3 The third line of the supplier address.


255

postalCode The postal code of the supplier address.


10

poBox The post office box number of the supplier address.

No 10



city The city of the supplier address.


40

state The state or province of the supplier address.


6

stateName The state of the migrated supplier organization from the organization stateName field.

This field is included in supplier data exports for informational purposes, and is therefore also included in the supplier data sample file. However, it only includes data from migrated supplier organizations if the Suppliers from sourcing data import task uses the Consider State as State Nameoption. For details on this option, see Migrating supplier organizations to the unified vendor model.

This field's presence in supplier data imports is not required. If you re-import a previously exported file, do not edit or delete the values in this column.

No. This field is ignored in supplier data imports.




countryCode The two-character ISO country code of the country/region for the supplier address.

At least one of the following fields is required: line1, line2, line3, city, state, postalCode, or countryCode.

Either taxIdentificationNumberTypeCode or countryCode is required.

countryCode is required for country/region enrichment in SAP Ariba Supplier Risk solutions.

3 (minimum is 2)

taxIdentificationNumberTypeCode

A code that identifies the type of the tax identification number.

Either taxIdentificationNumberTypeCode or countryCode is required. If you specify partyTaxID, taxIdentificationNumberTypeCode is also required.

2

partyTaxID The supplier party tax ID. No 20

longPartyTaxID The long format of the supplier party tax ID.

No 60

dunsId The supplier Dun & Bradstreet D-U-N-S number.

No 11

active Whether the supplier described by the current row is active (TRUE) or inactive (FALSE). If this field is empty, the row is flagged as active.

No



s4OrgSystemId Used internally only. Migrated suppliers always include an s4OrgSystemId.

This field is included in supplier data exports for informational purposes, and is therefore also included in the supplier data sample file. However, it is only used internally by SAP Ariba. This field's presence in supplier data imports is not required. If you re-import a previously exported file, do not edit or delete the values in this column.

No

Unless otherwise indicated, the minimum length of required fields is 1. In sites integrated with SAP ERP, data sent to SAP ERP is truncated based on the SAP ERP maximum field length.

The following example shows lines of a supplier CSV file, as well as the mandatory header:

erpVendorId,masterVendorId,sourceSystem,name1,name2,name3,name4,phone,fax,line1,line2,line3,postalCode,poBox,city,state,stateName,countryCode,taxIdentificationNumberTypeCode,partyTaxID,longPartyTaxID,dunsId,active,s4OrgSystemId VDR100001,,SAP,ABC Company,,,,555-555-5555,555-555-5556,1234 Main Street,,,12345,,Anytown,CA,,USA,02,AB1234,ABCD12345678910,987654321,TRUE,,

NoteYou can use multiple rows to add or update multiple different tax IDs for different countryCode values for the same supplier. However, if you do so:

● One row must include both erpVendorId and smVendorId for the supplier. All other rows for the same supplier must include either erpVendorId or smVendorId, but not both, and those rows must all include the same type of ID.For example, if the import includes 10 rows of tax IDs for the same supplier, one row must include both erpVendorId and smVendorID values. The other 9 rows must all include erpVendorId, or they must all include smVendorId.

● If you are updating any existing country/region-specific tax IDs for a supplier, the import file must include rows for all existing values for that supplier whether or not those rows contain updates.

● It is possible to import a supplier record with empty tax fields if countryCode is included. However, if the import includes any tax data for a supplier, all rows for that supplier must contain required tax fields.

● The supplier data import does not support multiple-country taxes.

Failure to adhere to these rules can result in the creation of duplicate extended tax information for the supplier or import errors.



Related Information


Supplier contact data file format

Supplier contacts are the supplier employees with whom your company interacts, and the primary contact receives questionnaires by default.

To specify multiple contacts for the same supplier, add a unique row for each contact.

You use the Supplier Contacts data import task to add supplier contacts to suppliers. It reads from a CSV file that contains the following fields:


erpVendorId The ID of the supplier in the integrated ERP system.

Yes

supplierName The name of the supplier. Supplier contact data exports include this field for informational purposes, and it is therefore also included in the supplier contact sample data file. This field's presence in supplier contact data imports is not required. In imports, erpVendorId associates a contact with a supplier and supplierName is ignored.

No

sourceSystem The system in which the supplier was created; for example, SM for SAP Ariba or SAP for SAP ERP.

Yes

firstName The first name of the supplier contact. No

middleName The middle name of the supplier contact. No

lastName The last name of the supplier contact. No

countryCode The country/region code of the supplier contact's land line telephone number. SAP Ariba Supplier Management solutions automatically insert a plus sign (+) before the country/region code in user interface display.

No



telephone The supplier contact's land line telephone number.

No

mobileCountryCode The country/region code of the supplier contact's mobile telephone number. SAP Ariba Supplier Management solutions automatically insert a plus sign (+) before of the country/region code in user interface display

No

mobilePhone The supplier contact's mobile telephone number.

No

email The supplier contact's email address, which is the default username for supplier contacts created via data import (the supplier contact can edit their username on Ariba Network). You can create two different supplier contacts with same email addresses for the a supplier because the email addresses are not case-sensitive. For example: you can create [email protected] and Emai[email protected].

Yes

type The type of the supplier contact, which must match one of the types defined for your site.

No

locale The ISO code for the supplier contact's language.

No

title The supplier contact's title. No

categories The commodities for which the supplier contact is responsible.

NoteThis code must match the commodity master data loaded in your SAP Ariba Strategic Sourcing solutions site.

No




regions The regions for which the supplier contact is responsible.

NoteThis code must match the region master data loaded in your SAP Ariba Strategic Sourcing solutions site.

No

active A Boolean value that specifies whether the assignment described by the current row is active (TRUE) or deactivated (FALSE). If this field is empty, the row is flagged as active. Deactivated contacts are removed from the supplier.

No

timeZoneID The ID of the timezone where the supplier contact is located. To obtain a list of valid timezone IDs, in the Data import or export area of SM Administration, choose Supplier contacts from the File type dropdown menu, then click Export available time zones.

No

isPrimary A Boolean value that specifies whether or not the supplier contact is the primary contact for the supplier. Valid values are TRUE and FALSE.

If none of a supplier's contacts are designated the primary contact, the first contact for the supplier in the file becomes the primary contact.

If more than one of a supplier's contacts is designated the primary contact, the last contact for the supplier that is designated as primary in the file becomes the primary contact.

Yes

The following example shows lines of a supplier contact CSV file, as well as the mandatory header:

erpVendorId,firstName,middleName,lastName,countryCode,telephone,mobileCountryCode,mobilePhone,email,type,locale,title,categories,region,active,timeZoneID,isPrimary VND123456,Francine,Marie,Peugot,33,555-555-5555,,,[email protected],,fr,,4213,FRA,TRUE,Europe/Paris,TRUE


NoteAlthough there is no limit to the number of contacts you can add to a supplier, a maximum of 1000 active contacts per supplier is made available for searching, in no particular order or priority and with no guarantee that one of those 1000 contacts is the primary contact. Only contacts that are made available for searching show in lists of available contacts during questionnaire or sourcing event invitations and other workflows that involve contact selection or can be used in supplier searches.

Defining supplier qualifications for control-based engagement risk assessment projects

Control-based supplier engagement risk assessment projects use the supplier qualifications data to recommend suppliers during supplier selection in the engagement request.

Although qualification data defines qualification status by commodity, region, and department, control-based engagement risk assessment projects only use commodity. If all of the commodities specified in the first step of the engagement request, the filters questionnaire, match commodities for which the supplier has a qualification status of Qualified, the supplier shows as recommended in the third step of the engagement request, supplier selection. Partial matches do not result in recommendations. Recommended suppliers must still complete all required assessment questionnaires, and engagement risk assessment projects that include them still require reviews for all open controls, but qualified suppliers have typically submitted information to your organization as part of a qualification process, and are therefore likely to be candidates for fast-tracking.

If your site includes SAP Ariba Supplier Lifecycle and Performance, suppliers can attain Qualified status either through data import or through qualification projects. If your site does not include SAP Ariba Supplier Lifecycle and Performance and you want to recommend qualified suppliers to engagement requesters, you must import qualification data in SM Administration.

Supplier qualification data file format

Supplier qualification data is used to designate the suppliers qualified for specific categories and regions in the guided buying feature for SAP Ariba Buying and Invoicing, and for supplier qualifications that were achieved outside of SAP Ariba Supplier Lifecycle and Performance.

NoteIf the process project feature (SM-16798) is enabled in your site, you can only use this data import to update existing qualifications to Expired status. To add or update other qualification statuses, use the supplier process status data import instead. Statuses for processes with the qualification lifecycle type are automatically mapped to standard SAP Ariba qualification lifecycle statuses.

You use the Supplier qualification data data import task to designate qualified suppliers. The task reads from a CSV file that contains the following fields:





https://help.sap.com/viewer/c6163e943b0d48e0885ac73047145cbf/cloud/en-US/cd73d26017b342b78df4e2337fb55358.html


sourceSystem For existing SAP Ariba suppliers, if the SupplierOrganizationOrganizationIdPart_Export.csv file contains a Domain and Value entry for the supplier, use the Domain in this field. If not, use SM.

For suppliers imported from outside SAP Ariba, use the sourceSystem specified in Supplier.csv.

Yes for existing suppliers.

For suppliers that do not already exist in the database, if you check the Create supplier if required option during data import, you can leave this field blank. The supplier is added with the default SM source system.

vendorId For existing SAP Ariba suppliers, if the SupplierOrganizationOrganizationIdPart_Export.csv file contains a Domain and Value entry for the supplier, use the Value in this field. If not, use the Parent.SystemID.

For suppliers imported from outside SAP Ariba, use the erpVendorId specified in Supplier.csv.

Yes

category The commodity code ID for which qualifi-cation status applies.


Yes



region The code for the region in which the qualification status applies. This code must match the region master data loaded in your site.

NoteIf your organization uses guided buying, SAP Ariba maps country/region codes in guided buying user ship-to addresses to a standard list of ISO 3-character region codes used for qualified and preferred supplier statuses. If you use other region codes, you must define custom mappings between guided buying country/region codes and preferred and qualified supplier region codes.

TipIf you are a guided buying customer, make sure that users have a matching ship-to country/region in the user files in SAP Ariba Procurement solutions.

Yes

businessUnit The department ID for which the qualifi-cation status applies.

NoteThis code must match the department master data loaded in your SAP Ariba Strategic Sourcing solutions site.

This field is only used if the business unit matrix enhancement feature is enabled in your site. If it is not, leave it blank.

Yes



https://help.sap.com/viewer/c6163e943b0d48e0885ac73047145cbf/cloud/en-US/1355407a37c7453dbe076be49cf4a671.html


status The supplier's qualification status. The following are valid status values:

● NotQualified● QualificationStarted● InQualification● PendingQualificationAppr

oval● PendingResubmit● QualificationRestricted● QualificationRejected● Disqualified● Qualified● Expired● Cancelled

If you use display mappings to customize what statuses are called in your site, you must still use these values to import supplier qualification data.

Yes

endDate The date to which the supplier qualifica-tion status is valid for the specified commodity and region, in the format YYYY-MM-DD. This date is for informational purposes only and does not trigger an automatic change of qualification status.

No

name1 The name of the supplier. Yes if you use the Create supplier if required option during data import to create suppliers based on the data in this file. Otherwise no.

requalificationEligibleDate The date from which a supplier with a disqualification or expired qualification is eligible for requalification for the specified commodity and region, in the format YYYY-MM-DD. This date is for informational purposes only and does not trigger an automatic change of qualification status.

No



statusQualifier Supported values are:

● CREATE, to add a new qualification.

● UPDATE, to update the status of an existing qualification.

These values are case sensitive.

Yes

NoteRows that don't have a valid value in this field show as successfully imported but are ignored.

NoteAttempting to remove a supplier previously set as qualified with NotQualified or Cancelled could cause data corruption in guided buying. Instead, use Disqualified or Expired to remove these suppliers.

To specify the same supplier as qualified for multiple categories or regions, add a unique row for each combination of category, region, and supplier.

The following example shows lines of a supplier qualification CSV file, as well as the mandatory header:

sourceSystem,vendorId,category,region,businessUnit,status,startDate,endDate,name1,requalificationEligibleDate,statusQualifier SAP,VDR1000001,1412,USA,IT,Qualified,2017-02-01,2018-01-31,ABC Company,CREATE SAP,VDR1000002,14,USA,HR,Disqualified,2017-02-01,2017-12-31,XYZ Company,2018-01-01,UPDATE

To remove a supplier previously set as qualified and preferred, an administrator can remove the supplier by doing the following:

● In the preferred supplier CSV file, set the active field to FALSE, or set an endDate value.● In the supplier qualification CSV file, update the qualification status to Disqualified or Expired.

NoteIn sites that include SAP Ariba Supplier Lifecycle and Performance, you can set qualification statuses for a supplier either automatically using qualification data import or the Supplier Data API with Pagination, or manually using qualification and disqualification projects. SAP Ariba Supplier Lifecycle and Performance is designed to maintain qualifications over the long term using projects, which have questionnaires and workflows. Qualifications set using data import or the Supplier Data API with Pagination don't have associated qualification or disqualification projects. Keep in mind the following behavior:

● If a qualification status was set using an approved qualification or disqualification project, you can't use data import or the API to update it. If a supplier was qualified using a qualification project, you must disqualify them using a disqualification project. If a supplier was disqualified using a disqualification project, you must requalify them using a qualification project. If a supplier was qualified using a qualification project with an expiration date and that qualification has expired, you must requalify them using a qualification project.

● If a qualification status was set using data import or the API, you can use a qualification or disqualification project to update it. In this case, a qualification manager can start a disqualification or requalification in the supplier 360° profile. SAP Ariba Supplier Lifecycle and Performance then creates the appropriate qualification or disqualification project based on the specified qualification commodities, regions, and departments. Once that project is created, you can only manage that qualification's status using projects.



● The qualification end (expiration) and requalification eligibility dates in qualification data imports or API requests are for information only and don't trigger updates to qualification status. For example, if you use data import or the API to define qualified status with an end date of 1/31/2020, the qualification status doesn't change to expired on 2/1/2020. Since there was no underlying qualification project to set the status, you can't start a project-based requalification for a qualification that you defined using data import or the API and that has since passed the expiration date. The qualification retains the original qualified status unless you update it using another data import or API operation.

● Since commodities, regions, and departments are hierarchical, with higher and lower levels, when a supplier is qualified or disqualified for a commodity, region, or department combination, they're also automatically qualified or disqualified for the lower levels of those hierarchy branches. If a supplier is disqualified at a higher level of the hierarchy, you can't qualify them at a lower level. For example, if the supplier is disqualified for apparel in the United States of America, you can't qualify them for shirts in Colorado. However, if a supplier is qualified at a higher level and the qualification isn't project-based, you can use data import or the API to partially disqualify them at a lower level. For example, if the supplier is qualified for apparel in the United States of America, you can disqualify them for shoes in Texas.

If you see the following error during import, Unable to reach MDS or invalid code specified-[XXXX], check the following to ensure your import is successful:

● The suppliers in the import file exist in the database. Click Suppliers Export to export the Suppliers.csv file and look for the required supplier on the list.

● The commodity code domain is set appropriately in the Other Settings section of SM Admin.● The data values in the file are active and enabled in SAP Ariba Buying (commodity code) and SAP Ariba

Sourcing(commodity code and region), including all the parents to the top of the commodity code and region hierarchies.

Related Information

Custom display name data file formatDefining mappings between guided buying ship-to addresses and preferred and qualified supplier regionsHow to cancel an in-progress supplier qualification project

Preferred supplier data file format

Preferred supplier data is used to designate preferred suppliers in the guided buying feature for SAP Ariba Buying and SAP Ariba Buying and Invoicing and in SAP Ariba Supplier Risk, and for suppliers that were created outside of SAP Ariba in SAP Ariba Supplier Lifecycle and Performance.

To specify the same supplier as preferred for multiple categories, add a unique row for each combination of category and supplier. Preferred category statuses aren't supported in multi-ERP integration landscapes.

You import data about your list of preferred suppliers using the Preferred Supplier list data file type and a CSV file that contains the following fields:


https://help.sap.com/viewer/c6163e943b0d48e0885ac73047145cbf/cloud/en-US/fde050cf2bb342baa1b47a8b1606c8cd.html


https://help.sap.com/viewer/c6163e943b0d48e0885ac73047145cbf/cloud/en-US/16cc1970a643475e868ac6795f84acc3.html


sourceSystem For existing SAP Ariba suppliers, if the SupplierOrganizationOrganizationIdPart_Export.csv file contains a Domain and Value entry for the supplier, use the Domain in this field. If not, use SM.

For suppliers imported from outside SAP Ariba, use the sourceSystem specified in Supplier.csv.

Yes

vendorId For existing SAP Ariba suppliers, if the SupplierOrganizationOrganizationIdPart_Export.csv file contains a Domain and Value entry for the supplier, use the Value in this field. If not, use the Parent.SystemID.

For suppliers imported from outside SAP Ariba, use the erpVendorId specified in Supplier.csv.

Yes

category The commodity code ID for which the supplier is preferred.


Yes




region The code for the region in which the supplier is preferred. This code must match the region master data loaded in your site.

NoteIf your organization uses guided buying, SAP Ariba maps country/region codes in guided buying user ship-to addresses to a standard list of ISO 3-chacter region codes used for qualified and preferred supplier statuses. If you use other region codes, you must define custom mappings between guided buying country/region codes and preferred and qualified supplier region codes.

TipIf you are a guided buying customer, make sure that users have a matching ship-to country/region in the user files in SAP Ariba Procurement solutions.

Yes

businessUnit The department ID for which the preferred status applies.

NoteThis code must match the department master data loaded in your SAP Ariba Strategic Sourcing solutions site.

This field is only used if the business unit matrix enhancement feature is enabled in your site. If it is not, leave it blank.

Yes

startDate The date from which the supplier is preferred for the specified commodity and region, in the format YYYY-MM-DD.

No

endDate The date to which the supplier is preferred for the specified commodity and region, in the format YYYY-MM-DD.

No




level The supplier's preferred status level.

This status level must be one of the UniqueName values in the master data used to define preferred supplier levels in your site.

Yes

active A Boolean value that specifies whether the preferred supplier level described by the current row is active (TRUE) or deactivated (FALSE). If this field is empty, the row is flagged as active.

The following example shows one line of a preferred supplier CSV file, as well as the mandatory header:

sourceSystem,vendorId,category,region,startDate,endDate,level,active SM,VDR100001,4212,North America,,,1,TRUE

If your company decides to make a different supplier preferred for that category and region instead, an administrator can change the supplier by making the following changes in a preferred supplier CSV file:

● Set the active field to FALSE, or set an endDate value

sourceSystem,vendorId,category,region,startDate,endDate,level,active SM,VDR100001,4212,North America,,,1,FALSE SM,VDR100002,4212,North America,,,1,TRUE

To remove a supplier previously set as qualified and preferred, an administrator can remove the supplier by doing the following:

● In the preferred supplier CSV file, set the active field to FALSE, or set an endDate value.● In the supplier qualification CSV file, update the qualification status to Disqualified or Expired.

NoteIn sites that include SAP Ariba Supplier Lifecycle and Performance, you can set preferred category statuses for a supplier either automatically using preferred supplier data import or the Supplier Data API with Pagination, or manually using preferred supplier management projects. Preferred category statuses set using data import or the API don't have associated preferred supplier management projects. In the user interface, you can only create a preferred supplier management project based on an existing qualification, but this requirement doesn't apply to statuses set using data import or the API. Unlike with qualification statuses, there's also no restriction on using data import or the API to update preferred status for a supplier that has an existing status based on a preferred supplier management project.

If you see the following error during import, Unable to reach MDS or invalid code specified-[XXXX], check the following to ensure your import is successful:

● The suppliers in the import file exist in the vendor database. Click Suppliers Export to export the Suppliers.csv file and look for the required supplier on the list.

● The commodity code domain is set appropriately in the Other Settings section of SM Admin.



● The data values in the file are active and enabled in SAP Ariba Buying (commodity code) and SAP Ariba Sourcing(commodity code and region), including all the parents to the top of the commodity code and region hierarchies.

Related Information

Defining preferred supplier levelsDefining mappings between guided buying ship-to addresses and preferred and qualified supplier regions

User matrix (buyer category assignment) data file formatAssigning users or global user groups to supplier processes involves importing a CSV file that defines user or group assignments to commodities, regions, departments, and project groups.

NoteAssignments to departments are only made in sites with the business unit matrix enhancement feature enabled. If that feature isn't enabled in your site, department data in the user matrix data import file is ignored.

For example, you can assign the specific user John Smith to computer equipment in North America for the IT department for the Project Owner project group. The supplier request template adds the Project Owner project group to the approval flow of all supplier requests. When a user at your company submits a supplier request indicating that the supplier provides computer equipment in North America for the IT department, John Smith automatically becomes a member of the Project Owner project group for that request, and therefore becomes an approver for it.

Or you can create a custom global user group called IT Category Managers and add users John Smith, Susan Harris, Don Cortez, and Jane Yang to it. You can then assign the group to computer equipment in North America for the IT department for the Project Owner project group. When a user at your company submits a supplier request indicating that the supplier provides computer equipment in North America for the IT department, the IT Category Managers user group becomes a member of the Project Owner project group for that request, and any user in the IT Category Managers group can approve the request. Assigning a group rather than an individual user is useful because if 1 user leaves the company, other members of the group are still assigned as approvers. You can add or remove members of user groups at any time.

You can assign either an individual user or a global user group to a combination of commodities, regions, departments, and project groups. You can also assign a user to only a region (by specifying the region and using All for commodity and department), or to only a commodity (by specifying the commodity and using All for region and department), or to only a department (by specifying department and using All for commodity and region).

Note● When you assign a user to a commodity or region in 1 level of the hierarchy, that user is also assigned to all

commodities and regions below it. For example, if you assign John Smith to North America, he's assigned all 3 countries/regions in North America and to all cities and states in those countries/regions.


https://help.sap.com/viewer/c6163e943b0d48e0885ac73047145cbf/cloud/en-US/a6f8e93fbfa94a25b7b950b4eb37858c.html


● If the current buyer category assignment (user matrix) data in your site doesn’t include an assignment that exactly matches the commodities, regions, and departments in a project, a matching algorithm identifies an assignment further up in the commodity, region, or department hierarchy and uses that assignment instead. See the following information for a detailed explanation of how this matching works.

● When you assign a user to a project group, that group must also exist in the appropriate template.● For prerequisites on supporting buyer category assignments in specific types of supplier management

projects, and other configuration details, refer to Understanding buyer category assignments (the user matrix).

You use the User Matrix data import task to specify user assignments to categories and regions. The task reads from a CSV file that contains the following fields:

Field Description

commodityCodeDomain The domain of the commodity code; for example, unspsc.

commodityCode The code for the commodity to which to assign the user or group. This code must match the commodity master data loaded in your SAP Ariba site.

region The region to which to assign the user or group. This code must match the commodity master data loaded in your SAP Ariba site.

businessUnit The department to which to assign the user or group. This code must match the commodity master data loaded in your SAP Ariba site.

userName The username of the user to which you're assigning commodities, regions, departments, and project groups. Use this field only for assignments to individual users. Leave it blank for assignments to global user groups. Rows that contain values in both the userName and groupUniqueName fields cause import errors.

groupUniqueName The unique name of the global system or custom user group to which you're assigning commodities, regions, departments, and project groups.

You can use either SAP Ariba default (SYSTEM) or your own custom (AribaManaged or External) user groups. Group unique names are visible in user group data exports from

Site Manager Data Import/Export and in the group

descriptions you see when clicking a group name in User

Manager Groups in Ariba Administrator.

Use this field only for assignments to global user groups. Leave it blank for assignments to individual users. Rows that contain values in both the userName and groupUniqueName fields cause import errors.



https://help.sap.com/viewer/c6163e943b0d48e0885ac73047145cbf/cloud/en-US/592bfbc79d2b4f159599704172cb7b59.html#loio592bfbc79d2b4f159599704172cb7b59

https://help.sap.com/viewer/c6163e943b0d48e0885ac73047145cbf/cloud/en-US/592bfbc79d2b4f159599704172cb7b59.html#loio592bfbc79d2b4f159599704172cb7b59

Field Description

projectGroup The name of the project group to which the user is assigned. Note that this group must exist in the project; the assignment doesn't automatically create it.

passwordAdapter The user's password adapter, usually PasswordAdapter1.

active A Boolean value that specifies whether the assignment described by the current row is active (TRUE) or deactivated (FALSE). If this field is empty, the row is flagged as active.

The following example shows lines of a user matrix CSV file, as well as the mandatory header:

commodityCodeDomain,commodityCode,region,businessUnit,userName,groupUniqueName,projectGroup,passwordAdapter,activeunspsc,All,North America,Corporate,tjones,,Legal,PasswordAdapter1,TRUEunspsc,4213,All,Corporate,ljenkins,,Project Owner,PasswordAdapter1,TRUEunspsc,All,Los Angeles,Corporate,grooney,,Project Owner,PasswordAdapter1,TRUEunspsc,All,San Diego,grooney,,Project Owner,PasswordAdapter1,TRUEunspsc,All,All,IT,,IT Category Managers,Project Owner,PasswordAdapter1,TRUE

To assign a single user to multiple commodity, region, and department combinations, you must create separate rows, one for each assignment. This example uses 2 rows to assign the same user, George Rooney, as project owner for all commodities in Los Angeles and San Diego for the Corporate department.

You can use the active field to update assignments by deactivating the currently assigned user and assigning another user in their place. For example, if Terry Jones leaves the company, and you can replace them with George Smith by importing a user matrix CSV file with the following lines:

commodityCodeDomain,commodityCode,region,businessUnit,userName,groupUniqueName,projectGroup,passwordAdapter,activeunspsc,All,North America,HR,tjones,,Legal,PasswordAdapter1,FALSE unspsc,All,North America,HR,gsmith,,Legal,PasswordAdapter1,TRUE

If the current buyer category assignment (user matrix) data in your site doesn't include an assignment that exactly matches the commodities, regions, and departments in a project, a matching algorithm identifies an assignment further up in the commodity, region, or department hierarchy and uses that assignment instead. The matching algorithm starts with the hierarchy that has the lowest-level value and, if it doesn't identify an assignment, continues with the hierarchy with the next-lowest value. If all project hierarchy values are at the same level, the matching algorithm looks 1 level up for all hierarchies. For example, say that commodity, region, and department hierarchies include the following values:

Level Commodity Region Department

0 All All All

1 42 EMEA Manufacturing

2 4213 Western Europe Product Manufacturing

3 421324 Germany Logistics

4 42132489 Munich Transportation


If a project has a commodity of 42, a region of Germany, and a department of Product Manufacturing, and there's no buyer category assignment that exactly matches those values, the matching algorithm starts looking for assignments higher up in the region hierarchy, since the region is the lowest-level value. If it doesn't find any matches up to the highest level of the region hierarchy, it then starts looking for assignments higher up in the department hierarchy, since the department is the second lowest-level value. However, if a project has a commodity of 4213, a region of Western Europe, and a department of Product Manufacturing and there's no exactly matching assignment, the matching algorithm starts looking for assignments that match 42, EMEA, and Manufacturing, the next level up in all hierarchies.

When looking for assignments higher up in a hierarchy, the matching algorithm iterates through progressive searches until it finds an assignment. These iterations can produce multiple matches at different hierarchy levels. For example, say the user matrix (buyer category assignments) in a site include the following assignments:

User Commodity Region Department

A 421324 All All

B 4213 All All

C All All All

For a project with a commodity of 42132489, a region of EMEA, and no department set (a department of 0), the matching algorithm starts with those exact values and then, when it doesn't find a match, performs additional searches progressively higher up the commodity hierarchy in the first iteration:

Search Commodity Region Department Match?

1 42132489 EMEA 0 No

2 42132489, 421324 EMEA 0 No

3 42132489, 421324, 4213

EMEA 0 No

4 42132489, 421324, 4213, 42

EMEA 0 No

5 42132489, 421324, 4213, 42, All

EMEA 0 No

In this case, since the available buyer category assignments all specify a region of All, and the project region is EMEA, the matching algorithm doesn't find an assignment by looking higher up the commodity hierarchy alone. In the second iteration, it looks higher up the region hierarchy:


1 42132489, 421324, 4213, 42, All

EMEA, All 0 No

In this case, since the available buyer category assignments all specify a department of All, and the project department is 0, the matching algorithm doesn't find an assignment by looking higher up in the commodity hierarchy and then in the region hierarchy. In a third iteration, it looks higher up the department hierarchy:


1 42132489, 421324, 4213, 42, All

EMEA, All 0, All Yes



Based on the combined search created from these iterations, the matching algorithm identifies all 3 users (User A, User B, and User C) for the buyer category assignment.

Supplier risk data import file formatThe supplier risk data import file allows you to add risk-related information such as spend and relationship type to your suppliers; import data for custom fields; and import risk exposures from external systems.

Information about the supplier risk data file is also available on the Data Dictionary tab of the supplier risk exposure configuration workbook. You can manage risk data in the workbook and export it to a CSV file for import into your site.

You use the Supplier Risk Data import task to import supplier data. The task reads from a CSV file that includes the following fields:


ERP_VENDOR_ID The ID of the supplier in the integrated ERP system.

Yes 50 (SAP ERP maximum field length is 10)

SOURCE_SYSTEM The system in which the supplier was created; for example, SM for SAP Ariba or SAP for SAP ERP.

Yes 255

RISK_LEVEL A descriptive term that you can use to characterize overall risk. You can use field settings and values in the risk configu-ration workbook to define a set of values such as "Low," "Medium," and "High" to mirror the values used in your data warehouse for risk level data.

No 10

RISK_EXPOSURE A risk exposure modeled outside of SAP Ariba Supplier Risk. This exposure might be licensed from third parties and might be predictive in nature. It is generally a number between 0 and 1 or between 1 and 100.

No 7 (minimum is 2)



REVENUE_IMPACT The estimated overall impact that this supplier has on your revenue, which is also known as Value At Risk, over the calendar span defined in SPEND_PERIOD.

No

REVENUE_IMPACT_DOLLAR

The REVENUE_IMPACT in US dollars.

No 20 (minimum of 2)

SPEND The amount that you have spent with this supplier over the calendar span defined in SPEND_PERIOD.

No 20 (minimum is 2)

SPEND_UOM_CODE An currency code for the currency used for REVENUE_IMPACT and SPEND.

No 10

SPEND_PERIOD The general calendar span to which the SPEND and REVENUE_IMPACT amounts apply; for example, annually, yearly, quarterly, or monthly.

No 50

RELATIONSHIP_TYPE An internal indicator of the nature of your relationship with a supplier. You can use field settings and values in the risk exposure configuration workbook to define a set of values such as Critical, Non-Critical, and Strategic.

No 10

SUPPLIER_RELATIONSHIP_TYPE

An internal indicator of the status of your relationship with a supplier. You can use field settings and values in this workbook to define a set of values such as Validated or Sole Source.

No 10




ONE_TIME_SUPPLIER An indicator of whether or not you intend to purchase from this supplier more than once. Valid values for this field are Y and True. Blank values indicate that the supplier is not a one-time supplier

No

RISK_RATING An internal rating derived from your internal scorecard or from a third party. The value in this field can be letters (A, BB), numbers (1, 2, 3), or a combination (AB1).

No

VENDOR_STATE_DATE The date when the supplier first became your vendor in the format YYYY-MM-DD.

No

FIELD_01 - FIELD_15 A custom field that you can implement in order to map other data to the SAP Ariba Supplier Risk model. Use the field settings and values in the risk exposure configuration workbook to define custom fields.

No 255

Importing status data for assessments and risk controlsWhen implementing control-based engagement risk assessment projects, you can facilitate your migration from another system by importing current status data for assessments and risk controls.

Import this status data as part of your go-live process, after defining all needed components for control-based engagement risk assessment projects. See Understanding the components of the control-based risk assessment process in Setting up SAP Ariba Supplier Risk.

RememberIt's important to import this data in the correct sequence. Note the following guidelines:

1. If also updating your risk control definitions [page 27], allow that import to complete before starting any import of assessment or risk control status data.

2. Import assessment status data first, then corresponding risk control statuses.


3. Do not run the two imports at the same time.4. When importing assessment status data:

○ Do not import assessment status data for assessments that are currently active with internal or external users.

○ Note that you are importing header-level status data, not the respondent's answers to individual questions.

5. When importing risk control status data:○ Import status data for vendor- or service-type controls, but not for engagement-type controls.○ Do not import status data for a control for a supplier if the control is currently pending or open in an

active engagement for that supplier. Control review activity for the engagement will provide a status.○ Make sure your import file references the control ID's and types from the most current risk control

definition.○ Do not import a control status of Expired.

After the imports have completed successfully, engagement requests that require these assessments and risk controls will pick up the imported status information, just as they would any manually-entered assessments and risk controls for which responses already exist.

Later, an imported assessment status may expire (based on the imported expiration date). As with other expired questionnaire responses, the next engagement request for the same supplier requiring the expired assessment triggers a notification to the supplier to update their response. Similarly, if the control status expires, the next engagement where this control is relevant requires a new control review decision.

Risk control status data import file format

Risk control status data is information about the effectiveness of different risk controls for specific suppliers that you have collected in tools or processes outside of SAP Ariba Supplier Risk.

Importing this data allows you to leverage your existing control effectiveness data in control-based engagement risk assessment projects rather than needing to re-assess the effectiveness of those same controls for those same suppliers in SAP Ariba Supplier Risk.

You use the Risk Control Status Data import task in SM Administration to import risk control effectiveness data into your site. The task reads from a CSV file that contains the following fields:

Field Description Required

CONTROL_ID Specifies the unique identifier for the risk control as defined in the ControlID field of your site's risk control definition master data.

Yes

CONTROL_NAME Specifies the name of the risk control as defined in the ControlName field of your site's risk control definition master data.

Yes




CONTROL_TYPE Specifies the type of the control as defined in the ControlType field of your site's risk control definition master data. Valid values are Vendor, Service, and Engagement.

Yes

CATEGORY_UNIQUE_NAME Specifies the commodity categories associated with the control status for the specified supplier. Enter one or more commodity codes, separated by semicolons, in this field. The commodity codes you specify must be the codes used in your site's commodity master data.

Yes for controls of type Service, which always apply to specific combinations of commodity and supplier.

No for controls of type Vendor and Engagement, which apply to a specific supplier or engagement respectively regardless of the commodities involved. For these control types, commodity data in this field is ignored during import and is not saved.

CONTROL_STATUS Specifies the status of the control. Valid values depend on the setting for the parameter Expanded levels of risk control effectiveness (Application.SR.Engagement.ExpandedLevelsOfRiskControlEffectiveness) associated with optional feature ARI-9766.

● No: valid values are Effective and Ineffective

● Yes: valid values are Completely effective, Substantially effective, Partially effective, Substantially ineffective, and Completely ineffective

Skipped is a valid value in sites config-ured to allow skipping a control review.

Values are not case sensitive.

No

SM_VENDOR_ID Specifies the SM ID of the supplier. SAP Ariba automatically generates an SM vendor ID for each supplier in the database.

Yes



EXPIRATION_DATE Specifies the date and time after which the specified status is no longer valid, in the format YYYY-MM-DD or "YYYY-MM-DD, HH:MM:SS". For example, 2018-08-24 or "2019-08-24, 05:08:26".

The expiration date applies to an effec-tiveness decision for a control of type Vendor or Service. A risk control with a review decision indicating it is effective requires a new effectiveness review after this date.

Skipped control reviews can also expire.

No

SKIP_REASON For use in sites configured for the ability to skip a control review. Specifies the reason for skipping a control review. The value here must match one of the config-ured Reason values.

Yes, if the value for CONTROL_STATUS is Skipped

The following example shows lines of a risk control status CSV file, as well as the mandatory header:

CONTROL_ID,CONTROL_NAME,CONTROL_TYPE,CATEGORY_UNIQUE_NAME,CONTROL_STATUS,SM_VENDOR_ID,EXPIRATION_DATE,SKIP_REASON Critical_data,Critical Data Control,Service,43232307,Effective,S234567815,"2020-08-24, 00:00:00"

NoteThe related export of risk control status data only includes status data that was previously imported. It does not include any data on risk control effectiveness statuses that control decision makers set manually during control reviews in control-based engagement risk assessment projects.

Risk assessment status data import file formatIf you have risk-related assessments or questionnaires maintained in another system,, uploading header information for these documents allows you to make use of that data in your engagement requests.

Importing this data allows you to reference legacy risk assessment data from within SAP Ariba Supplier Risk. For example, if you are changing risk assessment tools, you may have unexpired assessments in your legacy tool; rather than asking suppliers to re-respond to new questionnaires on the same topics, you can import the statuses of these assessments.

NoteImported risk assessment status data is used only by engagement requests created specifically for control-based engagement risk assessment projects.



https://help.sap.com/viewer/9f1416275035435eb8563fe6d3bf2640/cloud/en-US/8b6204fa81984de6a1326ceaee4bec71.html

https://help.sap.com/viewer/9f1416275035435eb8563fe6d3bf2640/cloud/en-US/8b6204fa81984de6a1326ceaee4bec71.html

You use the Risk assessment status data import task in SM Administration to import risk assessment data into your site. The task reads from a CSV file that contains the following fields:


ASSESSMENT_NAME This must map to the Title of an already defined Modular Questionnaire.

Yes

ASSESSMENT_TYPE Questionnaire type for the modular questionnaire as defined in the Name field of your site's Questionnaire Type master data.

Yes

VISIBILITY Indicates whether this assessment is Internal or External.

No

ASSESSMENT_STATUS The status of this assessment. Possible values are:

● Denied● Approved

NoteIf the import file includes a row with status Approved and an EXPIRATION_DATE value in the past, the imported assessment status is saved in the database as Expired rather than Approved.

Yes

RISK_SCORE The score for this assessment. Not currently used.

No

TARGET_SCORE Target score for this assessment. Not currently used.

No

EXPIRATION_DATE Date and time after which this assessment status is no longer valid, in format yyyy-MM-dd hh24:mm:ss. For example, "2020-02-05 22:52:26". After the status expiration date, the corresponding modular questionnaire is triggered based on the assessment name and type.

No

NoteIf this is left blank, the assessment remains active indefinitely.

SM_VENDOR_ID Specifies the SM ID of the supplier. Yes



SOURCE Here you can specify the location of the original assessment.

NoteDocument location URL's can be uploaded using this text field. From there, a user can copy a URL and paste it into a browser. For reasons of application security, uploaded URL's cannot be displayed as links.

No

NoteThis column supports up to 2048 bytes; number of characters supported depends on the language and database.

CautionImport tasks do not validate for every error that might exist in the import file.

● Assessment name is validated but there is no validation reconciling other uploaded values with data already configured in the realm. Verify before proceeding that the import file contains valid supplier ID's and assessment types.

● You can also upload risk control status data (see Setting Up SAP Ariba Supplier Risk). There is no validation reconciling data uploaded for risk control status with data uploaded for risk assessment status.

The following example shows lines of a risk assessment status CSV file, as well as the mandatory header:

ASSESSMENT_NAME,ASSESSMENT_TYPE,VISIBILITY,ASSESSMENT_STATUS,RISK_SCORE,TARGET_SCORE,EXPIRATION_DATE,SM_VENDOR_ID,SOURCE Group Data Protection Policy,Evidence,External,Approved,,,,S1530626,http://filesystem/location

NoteThe related export of risk assessment status data includes only the risk assessment status data in the current realm that was previously imported. It does not include status data from supplier responses to modular questionnaires completed as part of control-based engagement risk assessment projects.

Troubleshooting

If your import does not succeed, verify the validity of the data in the import file.

● Make sure your import file includes values in all rows for the fields that are required.● If the result includes the error message Error occurred while importing assessment status data, possible

reasons include::○ Missing or invalid ASSESSMENT_NAME○ Missing SM_VENDOR_ID○ Invalid EXPIRATION_DATE

If you find that the Assessments table for an engagement request does not include an imported assessment status you expected to see there:



● Review the import file and verify that this combination of ASSESSMENT_NAME, ASSESSMENT_TYPE, and SM_VENDOR_ID was included, and that the values in those fields are correct.


Important Disclaimers and Legal Information

HyperlinksSome links are classified by an icon and/or a mouseover text. These links provide additional information.About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any

damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Videos Hosted on External PlatformsSome videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within the control or responsibility of SAP.

Beta and Other Experimental FeaturesExperimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up.The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example CodeAny software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free LanguageSAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities, genders, and abilities.


Important Disclaimers and Legal Information

Supplier risk data importImportant Disclaimers and Legal Information PUBLIC 87

www.ariba.com

© 2021 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see https://www.sap.com/about/legal/trademark.html for additional trademark information and notices.

THE BEST RUN

http://www.ariba.com

https://www.sap.com/about/legal/trademark.html

Supplier risk data import - SAP Help Portal

Documents

Transcript of Supplier risk data import - SAP Help Portal