Create a vendor risk assessment and initiate the lifecycle

The vendor risk assessor creates an assessment, initiating the vendor risk assessment life cycle. Vendor risk assessments can be created on-demand or from a repeating assessment. When creating an on-demand vendor risk assessment, select the vendor, questionnaire template, and document request template. Additionally, vendor risk managers can select multiple vendors at a time and trigger vendor risk assessments.

Before you begin

Role required: vendor risk assessor

Procedure

  1. Navigate to Vendor Risk > Assessments > All Assessments.
  2. Do any of the following actions:
    Option: Description
    To associate any existing document requests or questionnaires: Click Edit.
    To create on-demand document requests or questionnaires for the assessments: Click New.
    To associate any existing document requests or questionnaires from the assessment template:
      1. Click New.
      2. In the Assessment template field, select the document requests or questionnaires.
  3. Fill in the fields on the form, as appropriate.
    Table 1. Vendor Risk Assessment
    Field: Description
    Number: Read-only field that is automatically populated with a unique identification number.
    State:
    • Draft
    • Submitted to vendor
    • Closed
    • Cancelled
    Vendor: The vendor that is being assessed.
    Risk rating: The overall risk rating for this vendor.
    • Critical
    • High
    • Moderate
    • Low
    • Minor
    Note: The Risk rating is determined by finding the risk rating scale range in which the risk score falls. The scale defines how a minimum and maximum range of assessment scores maps to a qualitative risk score.
    Repeating assessment: The assessment that is used to create the current assessment.
    Created by: The person who created this assessment.
    Assessment template: The template used to create the current assessment.
    Assigned to: The vendor contact assigned to this vendor risk assessment.
    Note: Primary contacts can reassign requests, issues, and tasks to other vendor contacts.
    Updated: The date the VRA record was last updated.
    Watch list: The names of users who are notified when the record is modified.
    Name: The name of the vendor risk assessment.
    Description: A more detailed explanation of the issue.
    Notes and Comments
    Work notes: Information about the vendor risk assessment. Work notes are visible to users who are assigned to the issue.
    Additional comments (Customer visible): Public information about the vendor risk assessment.
    Assessment Schedule
    Planned duration (days): Estimated duration period of the assessment.
    Actual duration: The amount of time it took to complete the vendor risk assessment. This field is calculated using the Actual start date and Actual end date.
    Planned start date: Date and time that work on the vendor risk assessment is expected to begin.
    Actual start date: Date and time that work on the vendor risk assessment began.
    Planned end date: Date and time that work on the vendor risk assessment is expected to end.
    Actual end date: Date and time that work on the vendor risk assessment was completed.
    Questionnaire Schedule
    Planned duration (days): The amount of time given to the vendor for completing the vendor risk assessment. This field is calculated using the Planned start date and Planned end date.
    Submitted to vendor: The date that questionnaires are sent to the vendor.
    Due date: Deadline for the vendor to answer all the questionnaires.
    Review duration (days): The review duration given to the customer to review all the questionnaires.
    Completion date: The actual date when the vendor completed all the questionnaires.
    Responses expected by: The date the vendor is expecting the responses.
  4. Click Submit to vendor.
    The primary vendor contact is notified, and the state of the assessment changes to Submitted to vendor. The vendor responds to the notification through the Vendor Risk Portal, which changes the state of the assessment to Response received. All the risk scores are calculated automatically.
  5. The vendor assessor moves the state of the assessment to Generating Observations. During this time, the vendor assessor can click the View Response link in the document requests/questionnaires related list to view the response and provide comments or change responses, as necessary.
    For any problems that arise, the vendor assessor creates an issue to track the remediation process (Finalizing with vendor).
  6. The vendor assessor moves the assessment to Closed state.
    The vendor risk assessor works with the vendor through the vendor portal to close the assessment.

    [Figure: Vendor risk assessment life cycle]